diff --git a/.apigentools-info b/.apigentools-info index e5fb1e5d4f1..ad502cd7e29 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2025-05-16 13:56:33.962104", - "spec_repo_commit": "dac51bc6" + "regenerated": "2025-05-19 17:45:10.273296", + "spec_repo_commit": "77e5efb9" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2025-05-16 13:56:34.055440", - "spec_repo_commit": "dac51bc6" + "regenerated": "2025-05-19 17:45:10.289104", + "spec_repo_commit": "77e5efb9" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 094dc6eb79f..631fc6d1bb8 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -52943,7 +52943,11 @@ paths: x-terraform-resource: appsec_waf_exclusion_filter /api/v2/remote_config/products/cws/agent_rules: get: - description: Get the list of Cloud Security Management Threats Agent rules + description: 'Get the list of Workload Protection agent rules. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: ListCSMThreatsAgentRules parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityQueryAgentPolicyID' 
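Review bot: The note added to the `ListCSMThreatsAgentRules` description ends with `Please reference the (US1-FED) specific resource below.`, and "below" only has a referent on a rendered page that lists both endpoints; the same string is copied into the generated Javadoc, where nothing follows it. Naming the counterpart would survive every rendering, for example `On the Government (US1-FED) site, use ListCloudWorkloadSecurityAgentRules instead.` The same sentence is repeated in the later hunks for the other `remote_config/products/cws` operations; for the policy list/create/get/update/delete operations this diff shows no US1-FED counterpart, so confirm that the pointer leads somewhere. If this file is synced from the spec repository, the wording change belongs upstream.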
@@ -52958,19 +52962,22 @@ paths: $ref: '#/components/responses/NotAuthorizedResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get all CSM Threats Agent rules + summary: Get all Workload Protection agent rules tags: - CSM Threats post: - description: Create a new Cloud Security Management Threats Agent rule with - the given parameters + description: 'Create a new Workload Protection agent rule with the given parameters. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: CreateCSMThreatsAgentRule requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule + description: The definition of the new agent rule required: true responses: '200': @@ -52987,13 +52994,17 @@ paths: $ref: '#/components/responses/ConflictResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Create a CSM Threats Agent rule + summary: Create a Workload Protection agent rule tags: - CSM Threats x-codegen-request-body-name: body /api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Cloud Security Management Threats Agent rule + description: 'Delete a specific Workload Protection agent rule. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: DeleteCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' 
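Review bot: The rewritten descriptions for the `remote_config/products/cws/agent_rules` operations still do not say which permission a caller needs: in the visible context, `tags:` is followed directly by `post:` or `x-codegen-request-body-name`, with no `x-permission` entry. The US1-FED counterparts later in this diff do carry one (`security_monitoring_cws_agent_rules_read` and `security_monitoring_cws_agent_rules_write`). Because these operations create, change and delete workload detection rules, documenting the required permission lets operators scope keys to least privilege and audit who can alter rules. Whether the omission is intentional cannot be told from the hunks; the `remote_config` policy and policy-download hunks show the same pattern.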
@@ -53007,12 +53018,15 @@ paths: $ref: '#/components/responses/NotFoundResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Delete a CSM Threats Agent rule + summary: Delete a Workload Protection agent rule tags: - CSM Threats get: - description: Get the details of a specific Cloud Security Management Threats - Agent rule + description: 'Get the details of a specific Workload Protection agent rule. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: GetCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' @@ -53030,13 +53044,17 @@ paths: $ref: '#/components/responses/NotFoundResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get a CSM Threats Agent rule + summary: Get a Workload Protection agent rule tags: - CSM Threats patch: - description: 'Update a specific Cloud Security Management Threats Agent rule. + description: 'Update a specific Workload Protection Agent rule. + + Returns the agent rule object when the request is successful. + - Returns the Agent rule object when the request is successful.' + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: UpdateCSMThreatsAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' @@ -53046,7 +53064,7 @@ paths: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' - description: New definition of the Agent rule + description: New definition of the agent rule required: true responses: '200': 
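Review bot: In the `UpdateCSMThreatsAgentRule` description the new first line reads `Update a specific Workload Protection Agent rule.` with a capital "Agent", while the other strings this commit rewrites, including the next sentence of the same description, use lower-case `agent rule`. Suggest `Update a specific Workload Protection agent rule.` so the generated docs and client comments stay consistent.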
@@ -53065,13 +53083,17 @@ paths: $ref: '#/components/responses/ConcurrentModificationResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Update a CSM Threats Agent rule + summary: Update a Workload Protection agent rule tags: - CSM Threats x-codegen-request-body-name: body /api/v2/remote_config/products/cws/policy: get: - description: Get the list of Cloud Security Management Threats Agent policies + description: 'Get the list of Workload Protection policies. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: ListCSMThreatsAgentPolicies responses: '200': @@ -53084,12 +53106,15 @@ paths: $ref: '#/components/responses/NotAuthorizedResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get all CSM Threats Agent policies + summary: Get all Workload Protection policies tags: - CSM Threats post: - description: Create a new Cloud Security Management Threats Agent policy with - the given parameters + description: 'Create a new Workload Protection policy with the given parameters. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: CreateCSMThreatsAgentPolicy requestBody: content: 
@@ -53113,19 +53138,23 @@ paths: $ref: '#/components/responses/ConflictResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Create a CSM Threats Agent policy + summary: Create a Workload Protection policy tags: - CSM Threats x-codegen-request-body-name: body /api/v2/remote_config/products/cws/policy/download: get: - description: 'The download endpoint generates a CSM Threats policy file from - your currently active + description: 'The download endpoint generates a Workload Protection policy file + from your currently active - CSM Threats rules, and downloads them as a `.policy` file. This file can then - be deployed to + Workload Protection agent rules, and downloads them as a `.policy` file. This + file can then be deployed to - your Agents to update the policy running in your environment.' + your agents to update the policy running in your environment. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: DownloadCSMThreatsPolicy responses: '200': @@ -53139,12 +53168,16 @@ paths: $ref: '#/components/responses/NotAuthorizedResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get the latest CSM Threats policy + summary: Download the Workload Protection policy tags: - CSM Threats /api/v2/remote_config/products/cws/policy/{policy_id}: delete: - description: Delete a specific Cloud Security Management Threats Agent policy + description: 'Delete a specific Workload Protection policy. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: DeleteCSMThreatsAgentPolicy parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' 
@@ -53159,12 +53192,15 @@ paths: $ref: '#/components/responses/NotFoundResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Delete a CSM Threats Agent policy + summary: Delete a Workload Protection policy tags: - CSM Threats get: - description: Get the details of a specific Cloud Security Management Threats - Agent policy + description: 'Get the details of a specific Workload Protection policy. + + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: GetCSMThreatsAgentPolicy parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' @@ -53181,13 +53217,17 @@ paths: $ref: '#/components/responses/NotFoundResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get a CSM Threats Agent policy + summary: Get a Workload Protection policy tags: - CSM Threats patch: - description: 'Update a specific Cloud Security Management Threats Agent policy. + description: 'Update a specific Workload Protection policy. + + Returns the policy object when the request is successful. - Returns the Agent policy object when the request is successful.' + + **Note**: This endpoint is not available for the Government (US1-FED) site. + Please reference the (US1-FED) specific resource below.' operationId: UpdateCSMThreatsAgentPolicy parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityPathAgentPolicyID' @@ -53215,7 +53255,7 @@ paths: $ref: '#/components/responses/ConcurrentModificationResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Update a CSM Threats Agent policy + summary: Update a Workload Protection policy tags: - CSM Threats x-codegen-request-body-name: body 
@@ -55333,13 +55373,16 @@ paths: If you are interested in accessing this API, [fill out this form](https://forms.gle/kMYC1sDr6WDUBDsx9).' /api/v2/security/cloud_workload/policy/download: get: - description: 'The download endpoint generates a Cloud Workload Security policy - file from your currently active + description: 'The download endpoint generates a Workload Protection policy file + from your currently active - Cloud Workload Security rules, and downloads them as a .policy file. This + Workload Protection agent rules, and downloads them as a `.policy` file. This file can then be deployed to - your Agents to update the policy running in your environment.' + your agents to update the policy running in your environment. + + + **Note**: This endpoint should only be used for the Government (US1-FED) site.' operationId: DownloadCloudWorkloadPolicyFile responses: '200': @@ -55353,7 +55396,7 @@ paths: $ref: '#/components/responses/NotAuthorizedResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get the latest Cloud Workload Security policy + summary: Download the Workload Protection policy (US1-FED) tags: - CSM Threats x-permission: @@ -56175,7 +56218,10 @@ paths: - security_monitoring_notification_profiles_write /api/v2/security_monitoring/cloud_workload_security/agent_rules: get: - description: Get the list of Agent rules + description: 'Get the list of agent rules. + + + **Note**: This endpoint should only be used for the Government (US1-FED) site.' operationId: ListCloudWorkloadSecurityAgentRules responses: '200': @@ -56188,7 +56234,7 @@ paths: $ref: '#/components/responses/NotAuthorizedResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get all Cloud Workload Security Agent rules + summary: Get all Workload Protection agent rules (US1-FED) tags: - CSM Threats x-permission: 
@@ -56196,14 +56242,17 @@ paths: permissions: - security_monitoring_cws_agent_rules_read post: - description: Create a new Agent rule with the given parameters. + description: 'Create a new agent rule with the given parameters. + + + **Note**: This endpoint should only be used for the Government (US1-FED) site.' operationId: CreateCloudWorkloadSecurityAgentRule requestBody: content: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleCreateRequest' - description: The definition of the new Agent rule + description: The definition of the new agent rule required: true responses: '200': @@ -56220,7 +56269,7 @@ paths: $ref: '#/components/responses/ConflictResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Create a Cloud Workload Security Agent rule + summary: Create a Workload Protection agent rule (US1-FED) tags: - CSM Threats x-codegen-request-body-name: body @@ -56230,7 +56279,10 @@ paths: - security_monitoring_cws_agent_rules_write /api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}: delete: - description: Delete a specific Agent rule + description: 'Delete a specific agent rule. + + + **Note**: This endpoint should only be used for the Government (US1-FED) site.' operationId: DeleteCloudWorkloadSecurityAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' @@ -56243,7 +56295,7 @@ paths: $ref: '#/components/responses/NotFoundResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Delete a Cloud Workload Security Agent rule + summary: Delete a Workload Protection agent rule (US1-FED) tags: - CSM Threats x-permission: 
@@ -56251,7 +56303,10 @@ paths: permissions: - security_monitoring_cws_agent_rules_write get: - description: Get the details of a specific Agent rule + description: 'Get the details of a specific agent rule. + + + **Note**: This endpoint should only be used for the Government (US1-FED) site.' operationId: GetCloudWorkloadSecurityAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' @@ -56268,7 +56323,7 @@ paths: $ref: '#/components/responses/NotFoundResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Get a Cloud Workload Security Agent rule + summary: Get a Workload Protection agent rule (US1-FED) tags: - CSM Threats x-permission: @@ -56276,9 +56331,12 @@ paths: permissions: - security_monitoring_cws_agent_rules_read patch: - description: 'Update a specific Agent rule. + description: 'Update a specific agent rule. - Returns the Agent rule object when the request is successful.' + Returns the agent rule object when the request is successful. + + + **Note**: This endpoint should only be used for the Government (US1-FED) site.' operationId: UpdateCloudWorkloadSecurityAgentRule parameters: - $ref: '#/components/parameters/CloudWorkloadSecurityAgentRuleID' @@ -56287,7 +56345,7 @@ paths: application/json: schema: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleUpdateRequest' - description: New definition of the Agent rule + description: New definition of the agent rule required: true responses: '200': @@ -56306,7 +56364,7 @@ paths: $ref: '#/components/responses/ConcurrentModificationResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' - summary: Update a Cloud Workload Security Agent rule + summary: Update a Workload Protection agent rule (US1-FED) tags: - CSM Threats x-codegen-request-body-name: body 
@@ -61577,10 +61635,14 @@ tags: Go to https://docs.datadoghq.com/security/cloud_security_management to learn more.' name: CSM Coverage Analysis -- description: Cloud Security Management Threats (CSM Threats) monitors file, network, - and process activity across your environment to detect real-time threats to your - infrastructure. See [Cloud Security Management Threats](https://docs.datadoghq.com/security/threats/) - for more information on setting up CSM Threats. +- description: 'Workload Protection monitors file, network, and process activity across + your environment to detect real-time threats to your infrastructure. See [Workload + Protection](https://docs.datadoghq.com/security/workload_protection/) for more + information on setting up Workload Protection. + + + **Note**: These endpoints are split based on whether you are using the US1-FED + site or not. Please reference the specific resource for the site you are using.' name: CSM Threats - description: View and manage cases and projects within Case Management. See the [Case Management page](https://docs.datadoghq.com/service_management/case_management/) diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java index 589a9e8a5ba..fa46fe70fc7 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.java @@ -1,4 +1,4 @@ -// Create a CSM Threats Agent policy returns "OK" response +// Create a Workload Protection policy returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java index ffd615c8e75..0a7b304cc2d 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.java 
@@ -1,4 +1,4 @@ -// Create a CSM Threats Agent rule returns "OK" response +// Create a Workload Protection agent rule returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java index e4b576a87ba..4ad61b1a7ae 100644 --- a/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java +++ b/examples/v2/csm-threats/CreateCloudWorkloadSecurityAgentRule.java @@ -1,4 +1,4 @@ -// Create a Cloud Workload Security Agent rule returns "OK" response +// Create a Workload Protection agent rule (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java index 208f9e23875..910afc17138 100644 --- a/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java +++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentPolicy.java @@ -1,4 +1,4 @@ -// Delete a CSM Threats Agent policy returns "OK" response +// Delete a Workload Protection policy returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java index d071d87e064..f58f8749e01 100644 --- a/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java +++ b/examples/v2/csm-threats/DeleteCSMThreatsAgentRule.java @@ -1,4 +1,4 @@ -// Delete a CSM Threats Agent rule returns "OK" response +// Delete a Workload Protection agent rule returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; 
diff --git a/examples/v2/csm-threats/DeleteCloudWorkloadSecurityAgentRule.java b/examples/v2/csm-threats/DeleteCloudWorkloadSecurityAgentRule.java index 40886e2980d..dcc1ebd9dea 100644 --- a/examples/v2/csm-threats/DeleteCloudWorkloadSecurityAgentRule.java +++ b/examples/v2/csm-threats/DeleteCloudWorkloadSecurityAgentRule.java @@ -1,4 +1,4 @@ -// Delete a Cloud Workload Security Agent rule returns "OK" response +// Delete a Workload Protection agent rule (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/DownloadCSMThreatsPolicy.java b/examples/v2/csm-threats/DownloadCSMThreatsPolicy.java index ed8abb69e79..ab922af1932 100644 --- a/examples/v2/csm-threats/DownloadCSMThreatsPolicy.java +++ b/examples/v2/csm-threats/DownloadCSMThreatsPolicy.java @@ -1,4 +1,4 @@ -// Get the latest CSM Threats policy returns "OK" response +// Download the Workload Protection policy returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/DownloadCloudWorkloadPolicyFile.java b/examples/v2/csm-threats/DownloadCloudWorkloadPolicyFile.java index ccba22d6391..69089b10a77 100644 --- a/examples/v2/csm-threats/DownloadCloudWorkloadPolicyFile.java +++ b/examples/v2/csm-threats/DownloadCloudWorkloadPolicyFile.java @@ -1,4 +1,4 @@ -// Get the latest Cloud Workload Security policy returns "OK" response +// Download the Workload Protection policy (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java index a39f596c311..00c11db74e8 100644 --- a/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java +++ b/examples/v2/csm-threats/GetCSMThreatsAgentPolicy.java 
@@ -1,4 +1,4 @@ -// Get a CSM Threats Agent policy returns "OK" response +// Get a Workload Protection policy returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/GetCSMThreatsAgentRule.java b/examples/v2/csm-threats/GetCSMThreatsAgentRule.java index 787ce177aeb..a7cf2c95b05 100644 --- a/examples/v2/csm-threats/GetCSMThreatsAgentRule.java +++ b/examples/v2/csm-threats/GetCSMThreatsAgentRule.java @@ -1,4 +1,4 @@ -// Get a CSM Threats Agent rule returns "OK" response +// Get a Workload Protection agent rule returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/GetCloudWorkloadSecurityAgentRule.java b/examples/v2/csm-threats/GetCloudWorkloadSecurityAgentRule.java index a937a878745..fff0bffa712 100644 --- a/examples/v2/csm-threats/GetCloudWorkloadSecurityAgentRule.java +++ b/examples/v2/csm-threats/GetCloudWorkloadSecurityAgentRule.java @@ -1,4 +1,4 @@ -// Get a Cloud Workload Security Agent rule returns "OK" response +// Get a Workload Protection agent rule (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java index 92042f1bed5..20cdf29fa8c 100644 --- a/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java +++ b/examples/v2/csm-threats/ListCSMThreatsAgentPolicies.java @@ -1,4 +1,4 @@ -// Get all CSM Threats Agent policies returns "OK" response +// Get all Workload Protection policies returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/ListCSMThreatsAgentRules.java b/examples/v2/csm-threats/ListCSMThreatsAgentRules.java index 0d2dc914e91..2b95145a6be 100644 
--- a/examples/v2/csm-threats/ListCSMThreatsAgentRules.java +++ b/examples/v2/csm-threats/ListCSMThreatsAgentRules.java @@ -1,4 +1,4 @@ -// Get all CSM Threats Agent rules returns "OK" response +// Get all Workload Protection agent rules returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/ListCloudWorkloadSecurityAgentRules.java b/examples/v2/csm-threats/ListCloudWorkloadSecurityAgentRules.java index 6c78759a26f..e4dc46d808f 100644 --- a/examples/v2/csm-threats/ListCloudWorkloadSecurityAgentRules.java +++ b/examples/v2/csm-threats/ListCloudWorkloadSecurityAgentRules.java @@ -1,4 +1,4 @@ -// Get all Cloud Workload Security Agent rules returns "OK" response +// Get all Workload Protection agent rules (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java index 9a35e786348..8f9267a8e67 100644 --- a/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java +++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentPolicy.java @@ -1,4 +1,4 @@ -// Update a CSM Threats Agent policy returns "OK" response +// Update a Workload Protection policy returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java index 8ec292c4643..52ebdb95ed9 100644 --- a/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java +++ b/examples/v2/csm-threats/UpdateCSMThreatsAgentRule.java @@ -1,4 +1,4 @@ -// Update a CSM Threats Agent rule returns "OK" response +// Update a Workload Protection agent rule returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; 
diff --git a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java index 7e2d14c13e8..782c3a90f4c 100644 --- a/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java +++ b/examples/v2/csm-threats/UpdateCloudWorkloadSecurityAgentRule.java @@ -1,4 +1,4 @@ -// Update a Cloud Workload Security Agent rule returns "OK" response +// Update a Workload Protection agent rule (US1-FED) returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; diff --git a/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java b/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java index e196f81b175..c7d225bcc70 100644 --- a/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java +++ b/src/main/java/com/datadog/api/client/v2/api/CsmThreatsApi.java @@ -53,11 +53,11 @@ public void setApiClient(ApiClient apiClient) { } /** - * Create a Cloud Workload Security Agent rule. + * Create a Workload Protection agent rule (US1-FED). * *
See {@link #createCloudWorkloadSecurityAgentRuleWithHttpInfo}. * - * @param body The definition of the new Agent rule (required) + * @param body The definition of the new agent rule (required) * @return CloudWorkloadSecurityAgentRuleResponse * @throws ApiException if fails to make API call */ @@ -67,11 +67,11 @@ public CloudWorkloadSecurityAgentRuleResponse createCloudWorkloadSecurityAgentRu } /** - * Create a Cloud Workload Security Agent rule. + * Create a Workload Protection agent rule (US1-FED). * *
See {@link #createCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}.
*
- * @param body The definition of the new Agent rule (required)
+ * @param body The definition of the new agent rule (required)
* @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse>
*/
public CompletableFuture Note: This endpoint should only be used for the Government (US1-FED) site.
+ *
+ * @param body The definition of the new agent rule (required)
* @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse>
* @throws ApiException if fails to make API call
* @http.response.details
@@ -138,11 +140,11 @@ public CloudWorkloadSecurityAgentRuleResponse createCloudWorkloadSecurityAgentRu
}
/**
- * Create a Cloud Workload Security Agent rule.
+ * Create a Workload Protection agent rule (US1-FED).
*
* See {@link #createCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
- * @param body The definition of the new Agent rule (required)
+ * @param body The definition of the new agent rule (required)
* @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>>
*/
public CompletableFuture See {@link #createCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -209,7 +211,7 @@ public CloudWorkloadSecurityAgentPolicyResponse createCSMThreatsAgentPolicy(
}
/**
- * Create a CSM Threats Agent policy.
+ * Create a Workload Protection policy.
*
* See {@link #createCSMThreatsAgentPolicyWithHttpInfoAsync}.
*
@@ -226,7 +228,10 @@ public CloudWorkloadSecurityAgentPolicyResponse createCSMThreatsAgentPolicy(
}
/**
- * Create a new Cloud Security Management Threats Agent policy with the given parameters
+ * Create a new Workload Protection policy with the given parameters.
+ *
+ * Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param body The definition of the new Agent policy (required)
* @return ApiResponse<CloudWorkloadSecurityAgentPolicyResponse>
@@ -278,7 +283,7 @@ public CloudWorkloadSecurityAgentPolicyResponse createCSMThreatsAgentPolicy(
}
/**
- * Create a CSM Threats Agent policy.
+ * Create a Workload Protection policy.
*
* See {@link #createCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -334,11 +339,11 @@ public CloudWorkloadSecurityAgentPolicyResponse createCSMThreatsAgentPolicy(
}
/**
- * Create a CSM Threats Agent rule.
+ * Create a Workload Protection agent rule.
*
* See {@link #createCSMThreatsAgentRuleWithHttpInfo}.
*
- * @param body The definition of the new Agent rule (required)
+ * @param body The definition of the new agent rule (required)
* @return CloudWorkloadSecurityAgentRuleResponse
* @throws ApiException if fails to make API call
*/
@@ -348,11 +353,11 @@ public CloudWorkloadSecurityAgentRuleResponse createCSMThreatsAgentRule(
}
/**
- * Create a CSM Threats Agent rule.
+ * Create a Workload Protection agent rule.
*
* See {@link #createCSMThreatsAgentRuleWithHttpInfoAsync}.
*
- * @param body The definition of the new Agent rule (required)
+ * @param body The definition of the new agent rule (required)
* @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse>
*/
public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
- * @param body The definition of the new Agent rule (required)
+ * @param body The definition of the new agent rule (required)
* @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse>
* @throws ApiException if fails to make API call
* @http.response.details
@@ -416,11 +424,11 @@ public ApiResponse See {@link #createCSMThreatsAgentRuleWithHttpInfo}.
*
- * @param body The definition of the new Agent rule (required)
+ * @param body The definition of the new agent rule (required)
* @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>>
*/
public CompletableFuture See {@link #deleteCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
@@ -482,7 +490,7 @@ public void deleteCloudWorkloadSecurityAgentRule(String agentRuleId) throws ApiE
}
/**
- * Delete a Cloud Workload Security Agent rule.
+ * Delete a Workload Protection agent rule (US1-FED).
*
* See {@link #deleteCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}.
*
@@ -498,7 +506,9 @@ public CompletableFuture Note: This endpoint should only be used for the Government (US1-FED) site.
*
* @param agentRuleId The ID of the Agent rule (required)
* @return ApiResponse<Void>
@@ -553,7 +563,7 @@ public ApiResponse See {@link #deleteCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
@@ -610,7 +620,7 @@ public CompletableFuture See {@link #deleteCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -622,7 +632,7 @@ public void deleteCSMThreatsAgentPolicy(String policyId) throws ApiException {
}
/**
- * Delete a CSM Threats Agent policy.
+ * Delete a Workload Protection policy.
*
* See {@link #deleteCSMThreatsAgentPolicyWithHttpInfoAsync}.
*
@@ -638,7 +648,10 @@ public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param policyId The ID of the Agent policy (required)
* @return ApiResponse<Void>
@@ -692,7 +705,7 @@ public ApiResponse See {@link #deleteCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -764,7 +777,7 @@ public DeleteCSMThreatsAgentRuleOptionalParameters policyId(String policyId) {
}
/**
- * Delete a CSM Threats Agent rule.
+ * Delete a Workload Protection agent rule.
*
* See {@link #deleteCSMThreatsAgentRuleWithHttpInfo}.
*
@@ -777,7 +790,7 @@ public void deleteCSMThreatsAgentRule(String agentRuleId) throws ApiException {
}
/**
- * Delete a CSM Threats Agent rule.
+ * Delete a Workload Protection agent rule.
*
* See {@link #deleteCSMThreatsAgentRuleWithHttpInfoAsync}.
*
@@ -794,7 +807,7 @@ agentRuleId, new DeleteCSMThreatsAgentRuleOptionalParameters())
}
/**
- * Delete a CSM Threats Agent rule.
+ * Delete a Workload Protection agent rule.
*
* See {@link #deleteCSMThreatsAgentRuleWithHttpInfo}.
*
@@ -809,7 +822,7 @@ public void deleteCSMThreatsAgentRule(
}
/**
- * Delete a CSM Threats Agent rule.
+ * Delete a Workload Protection agent rule.
*
* See {@link #deleteCSMThreatsAgentRuleWithHttpInfoAsync}.
*
@@ -827,7 +840,10 @@ public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param agentRuleId The ID of the Agent rule (required)
* @param parameters Optional parameters for the request.
@@ -887,7 +903,7 @@ public ApiResponse See {@link #deleteCSMThreatsAgentRuleWithHttpInfo}.
*
@@ -949,7 +965,7 @@ public CompletableFuture See {@link #downloadCloudWorkloadPolicyFileWithHttpInfo}.
*
@@ -961,7 +977,7 @@ public File downloadCloudWorkloadPolicyFile() throws ApiException {
}
/**
- * Get the latest Cloud Workload Security policy.
+ * Download the Workload Protection policy (US1-FED).
*
* See {@link #downloadCloudWorkloadPolicyFileWithHttpInfoAsync}.
*
@@ -976,9 +992,11 @@ public CompletableFuture Note: This endpoint should only be used for the Government (US1-FED) site.
*
* @return ApiResponse<File>
* @throws ApiException if fails to make API call
@@ -1019,7 +1037,7 @@ public ApiResponse See {@link #downloadCloudWorkloadPolicyFileWithHttpInfo}.
*
@@ -1060,7 +1078,7 @@ public CompletableFuture See {@link #downloadCSMThreatsPolicyWithHttpInfo}.
*
@@ -1072,7 +1090,7 @@ public File downloadCSMThreatsPolicy() throws ApiException {
}
/**
- * Get the latest CSM Threats policy.
+ * Download the Workload Protection policy.
*
* See {@link #downloadCSMThreatsPolicyWithHttpInfoAsync}.
*
@@ -1087,9 +1105,12 @@ public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @return ApiResponse<File>
* @throws ApiException if fails to make API call
@@ -1130,7 +1151,7 @@ public ApiResponse See {@link #downloadCSMThreatsPolicyWithHttpInfo}.
*
@@ -1171,7 +1192,7 @@ public CompletableFuture See {@link #getCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
@@ -1185,7 +1206,7 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule(
}
/**
- * Get a Cloud Workload Security Agent rule.
+ * Get a Workload Protection agent rule (US1-FED).
*
* See {@link #getCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}.
*
@@ -1202,7 +1223,9 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule(
}
/**
- * Get the details of a specific Agent rule
+ * Get the details of a specific agent rule.
+ *
+ * Note: This endpoint should only be used for the Government (US1-FED) site.
*
* @param agentRuleId The ID of the Agent rule (required)
* @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse>
@@ -1257,7 +1280,7 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule(
}
/**
- * Get a Cloud Workload Security Agent rule.
+ * Get a Workload Protection agent rule (US1-FED).
*
* See {@link #getCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
@@ -1316,7 +1339,7 @@ public CloudWorkloadSecurityAgentRuleResponse getCloudWorkloadSecurityAgentRule(
}
/**
- * Get a CSM Threats Agent policy.
+ * Get a Workload Protection policy.
*
* See {@link #getCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -1330,7 +1353,7 @@ public CloudWorkloadSecurityAgentPolicyResponse getCSMThreatsAgentPolicy(String
}
/**
- * Get a CSM Threats Agent policy.
+ * Get a Workload Protection policy.
*
* See {@link #getCSMThreatsAgentPolicyWithHttpInfoAsync}.
*
@@ -1347,7 +1370,10 @@ public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param policyId The ID of the Agent policy (required)
* @return ApiResponse<CloudWorkloadSecurityAgentPolicyResponse>
@@ -1399,7 +1425,7 @@ public ApiResponse See {@link #getCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -1472,7 +1498,7 @@ public GetCSMThreatsAgentRuleOptionalParameters policyId(String policyId) {
}
/**
- * Get a CSM Threats Agent rule.
+ * Get a Workload Protection agent rule.
*
* See {@link #getCSMThreatsAgentRuleWithHttpInfo}.
*
@@ -1488,7 +1514,7 @@ agentRuleId, new GetCSMThreatsAgentRuleOptionalParameters())
}
/**
- * Get a CSM Threats Agent rule.
+ * Get a Workload Protection agent rule.
*
* See {@link #getCSMThreatsAgentRuleWithHttpInfoAsync}.
*
@@ -1506,7 +1532,7 @@ agentRuleId, new GetCSMThreatsAgentRuleOptionalParameters())
}
/**
- * Get a CSM Threats Agent rule.
+ * Get a Workload Protection agent rule.
*
* See {@link #getCSMThreatsAgentRuleWithHttpInfo}.
*
@@ -1521,7 +1547,7 @@ public CloudWorkloadSecurityAgentRuleResponse getCSMThreatsAgentRule(
}
/**
- * Get a CSM Threats Agent rule.
+ * Get a Workload Protection agent rule.
*
* See {@link #getCSMThreatsAgentRuleWithHttpInfoAsync}.
*
@@ -1539,7 +1565,10 @@ public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param agentRuleId The ID of the Agent rule (required)
* @param parameters Optional parameters for the request.
@@ -1597,7 +1626,7 @@ public ApiResponse See {@link #getCSMThreatsAgentRuleWithHttpInfo}.
*
@@ -1661,7 +1690,7 @@ public ApiResponse See {@link #listCloudWorkloadSecurityAgentRulesWithHttpInfo}.
*
@@ -1674,7 +1703,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen
}
/**
- * Get all Cloud Workload Security Agent rules.
+ * Get all Workload Protection agent rules (US1-FED).
*
* See {@link #listCloudWorkloadSecurityAgentRulesWithHttpInfoAsync}.
*
@@ -1690,7 +1719,9 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen
}
/**
- * Get the list of Agent rules
+ * Get the list of agent rules.
+ *
+ * Note: This endpoint should only be used for the Government (US1-FED) site.
*
* @return ApiResponse<CloudWorkloadSecurityAgentRulesListResponse>
* @throws ApiException if fails to make API call
@@ -1732,7 +1763,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen
}
/**
- * Get all Cloud Workload Security Agent rules.
+ * Get all Workload Protection agent rules (US1-FED).
*
* See {@link #listCloudWorkloadSecurityAgentRulesWithHttpInfo}.
*
@@ -1775,7 +1806,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCloudWorkloadSecurityAgen
}
/**
- * Get all CSM Threats Agent policies.
+ * Get all Workload Protection policies.
*
* See {@link #listCSMThreatsAgentPoliciesWithHttpInfo}.
*
@@ -1788,7 +1819,7 @@ public CloudWorkloadSecurityAgentPoliciesListResponse listCSMThreatsAgentPolicie
}
/**
- * Get all CSM Threats Agent policies.
+ * Get all Workload Protection policies.
*
* See {@link #listCSMThreatsAgentPoliciesWithHttpInfoAsync}.
*
@@ -1804,7 +1835,10 @@ public CloudWorkloadSecurityAgentPoliciesListResponse listCSMThreatsAgentPolicie
}
/**
- * Get the list of Cloud Security Management Threats Agent policies
+ * Get the list of Workload Protection policies.
+ *
+ * Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @return ApiResponse<CloudWorkloadSecurityAgentPoliciesListResponse>
* @throws ApiException if fails to make API call
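Review bot: The added sentence `Please reference the (US1-FED) specific resource below.` has nothing to point at in Javadoc, because "below" only makes sense on the rendered API reference page the description was written for. For the policy operations documented in this hunk, none of the visible hunks shows a US1-FED variant at all, so the sentence may send Government-site users looking for a resource that does not exist; that should be confirmed against the spec. Where a counterpart does exist, as for the agent-rule list, name it instead, for example `* On US1-FED use {@link #listCloudWorkloadSecurityAgentRulesWithHttpInfo}.`. The same wording is added in the delete, get, download and update hunks of this file, and since the client is generated the change belongs in the OpenAPI description or the generator template. The method this comment documents starts after the end of the hunk.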
@@ -1846,7 +1880,7 @@ public CloudWorkloadSecurityAgentPoliciesListResponse listCSMThreatsAgentPolicie
}
/**
- * Get all CSM Threats Agent policies.
+ * Get all Workload Protection policies.
*
* See {@link #listCSMThreatsAgentPoliciesWithHttpInfo}.
*
@@ -1906,7 +1940,7 @@ public ListCSMThreatsAgentRulesOptionalParameters policyId(String policyId) {
}
/**
- * Get all CSM Threats Agent rules.
+ * Get all Workload Protection agent rules.
*
* See {@link #listCSMThreatsAgentRulesWithHttpInfo}.
*
@@ -1920,7 +1954,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules()
}
/**
- * Get all CSM Threats Agent rules.
+ * Get all Workload Protection agent rules.
*
* See {@link #listCSMThreatsAgentRulesWithHttpInfoAsync}.
*
@@ -1937,7 +1971,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules()
}
/**
- * Get all CSM Threats Agent rules.
+ * Get all Workload Protection agent rules.
*
* See {@link #listCSMThreatsAgentRulesWithHttpInfo}.
*
@@ -1951,7 +1985,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules(
}
/**
- * Get all CSM Threats Agent rules.
+ * Get all Workload Protection agent rules.
*
* See {@link #listCSMThreatsAgentRulesWithHttpInfoAsync}.
*
@@ -1968,7 +2002,10 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules(
}
/**
- * Get the list of Cloud Security Management Threats Agent rules
+ * Get the list of Workload Protection agent rules.
+ *
+ * Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param parameters Optional parameters for the request.
* @return ApiResponse<CloudWorkloadSecurityAgentRulesListResponse>
@@ -2016,7 +2053,7 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules(
}
/**
- * Get all CSM Threats Agent rules.
+ * Get all Workload Protection agent rules.
*
* See {@link #listCSMThreatsAgentRulesWithHttpInfo}.
*
@@ -2065,12 +2102,12 @@ public CloudWorkloadSecurityAgentRulesListResponse listCSMThreatsAgentRules(
}
/**
- * Update a Cloud Workload Security Agent rule.
+ * Update a Workload Protection agent rule (US1-FED).
*
* See {@link #updateCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @return CloudWorkloadSecurityAgentRuleResponse
* @throws ApiException if fails to make API call
*/
@@ -2080,12 +2117,12 @@ public CloudWorkloadSecurityAgentRuleResponse updateCloudWorkloadSecurityAgentRu
}
/**
- * Update a Cloud Workload Security Agent rule.
+ * Update a Workload Protection agent rule (US1-FED).
*
* See {@link #updateCloudWorkloadSecurityAgentRuleWithHttpInfoAsync}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse>
*/
public CompletableFuture Note: This endpoint should only be used for the Government (US1-FED) site.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse>
* @throws ApiException if fails to make API call
* @http.response.details
@@ -2167,12 +2206,12 @@ public CloudWorkloadSecurityAgentRuleResponse updateCloudWorkloadSecurityAgentRu
}
/**
- * Update a Cloud Workload Security Agent rule.
+ * Update a Workload Protection agent rule (US1-FED).
*
* See {@link #updateCloudWorkloadSecurityAgentRuleWithHttpInfo}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>>
*/
public CompletableFuture See {@link #updateCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -2255,7 +2294,7 @@ public CloudWorkloadSecurityAgentPolicyResponse updateCSMThreatsAgentPolicy(
}
/**
- * Update a CSM Threats Agent policy.
+ * Update a Workload Protection policy.
*
* See {@link #updateCSMThreatsAgentPolicyWithHttpInfoAsync}.
*
@@ -2274,8 +2313,11 @@ public CloudWorkloadSecurityAgentPolicyResponse updateCSMThreatsAgentPolicy(
}
/**
- * Update a specific Cloud Security Management Threats Agent policy. Returns the Agent policy
- * object when the request is successful.
+ * Update a specific Workload Protection policy. Returns the policy object when the request is
+ * successful.
+ *
+ * Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param policyId The ID of the Agent policy (required)
* @param body New definition of the Agent policy (required)
@@ -2338,7 +2380,7 @@ public CloudWorkloadSecurityAgentPolicyResponse updateCSMThreatsAgentPolicy(
}
/**
- * Update a CSM Threats Agent policy.
+ * Update a Workload Protection policy.
*
* See {@link #updateCSMThreatsAgentPolicyWithHttpInfo}.
*
@@ -2425,12 +2467,12 @@ public UpdateCSMThreatsAgentRuleOptionalParameters policyId(String policyId) {
}
/**
- * Update a CSM Threats Agent rule.
+ * Update a Workload Protection agent rule.
*
* See {@link #updateCSMThreatsAgentRuleWithHttpInfo}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @return CloudWorkloadSecurityAgentRuleResponse
* @throws ApiException if fails to make API call
*/
@@ -2442,12 +2484,12 @@ agentRuleId, body, new UpdateCSMThreatsAgentRuleOptionalParameters())
}
/**
- * Update a CSM Threats Agent rule.
+ * Update a Workload Protection agent rule.
*
* See {@link #updateCSMThreatsAgentRuleWithHttpInfoAsync}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse>
*/
public CompletableFuture See {@link #updateCSMThreatsAgentRuleWithHttpInfo}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @param parameters Optional parameters for the request.
* @return CloudWorkloadSecurityAgentRuleResponse
* @throws ApiException if fails to make API call
@@ -2480,12 +2522,12 @@ public CloudWorkloadSecurityAgentRuleResponse updateCSMThreatsAgentRule(
}
/**
- * Update a CSM Threats Agent rule.
+ * Update a Workload Protection agent rule.
*
* See {@link #updateCSMThreatsAgentRuleWithHttpInfoAsync}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @param parameters Optional parameters for the request.
* @return CompletableFuture<CloudWorkloadSecurityAgentRuleResponse>
*/
@@ -2501,11 +2543,14 @@ public CompletableFuture Note: This endpoint is not available for the Government (US1-FED) site.
+ * Please reference the (US1-FED) specific resource below.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @param parameters Optional parameters for the request.
* @return ApiResponse<CloudWorkloadSecurityAgentRuleResponse>
* @throws ApiException if fails to make API call
@@ -2573,12 +2618,12 @@ public ApiResponse See {@link #updateCSMThreatsAgentRuleWithHttpInfo}.
*
* @param agentRuleId The ID of the Agent rule (required)
- * @param body New definition of the Agent rule (required)
+ * @param body New definition of the agent rule (required)
* @param parameters Optional parameters for the request.
* @return CompletableFuture<ApiResponse<CloudWorkloadSecurityAgentRuleResponse>>
*/
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze
deleted file mode 100644
index c290cdbad60..00000000000
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-15T09:10:06.353Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
deleted file mode 100644
index 3eef66a9c7a..00000000000
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-15T09:10:06.769Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
deleted file mode 100644
index f989accc05d..00000000000
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:45.280Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index d00c1e7e923..00000000000
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:46.809Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
deleted file mode 100644
index 569f1f18978..00000000000
--- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-18T09:10:11.610Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 8ad981fd20f..00000000000
--- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:49.909Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..b9cc1be2676
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:13.434Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.json
similarity index 77%
rename from src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json
rename to src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.json
index fbdbd06fece..41feeaab270 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentruleus1fedreturnsbadrequestresponse1747319653\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"byc-7rh-p5l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411\",\"policyVersion\":\"1\",\"priority\":1000000002,\"ruleCount\":226,\"updateDate\":1744967411964,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"g5s-mcw-glz\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentruleus1fedreturnsbadrequestresponse1747319653\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319653551,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
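Review bot: The re-recorded response body on the new side replaces the `CI Account` updater with `"updater":{"name":"frog","handle":"frog@datadoghq.com"}`, so this cassette appears to have been recorded under a named user identity rather than the CI service account. If that is a personal or privileged account, its e-mail handle and (in the OK-response cassette) its `creationAuthorUuId` are now committed to the repository. Re-record with the CI account, or have the recorder replace the `creator`/`updater` fields with fixed placeholders before the fixture is written. The same substitution recurs in the `@@ -12,7 +12,7 @@` and `@@ -42,7 +42,7 @@` hunks of the US1-FED OK-response cassette and in the `@@ -12,7 +12,7 @@` hunk of the non-FED Bad Request cassette.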
@@ -27,7 +27,7 @@
"timeToLive": {
"unlimited": true
},
- "id": "3ae8b90b-9d2e-3042-3def-b6d96385b207"
+ "id": "8d0bf069-9367-7227-ec66-8f08a1bc36e1"
},
{
"httpRequest": {
@@ -63,7 +63,7 @@
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/byc-7rh-p5l",
+ "path": "/api/v2/remote_config/products/cws/policy/g5s-mcw-glz",
"keepAlive": false,
"secure": true
},
@@ -82,6 +82,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "078ed09b-2e4a-5af6-20a6-254dc85646c3"
+ "id": "c3b26b14-81d5-9489-ff48-b9b30aee0a79"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
new file mode 100644
index 00000000000..250382047ab
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:15.063Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
similarity index 58%
rename from src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
index ea5263ded0d..61bf8ecb421 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentruleus1fedreturnsokresponse1747319655\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"4o4-2ha-t4b\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517849954,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"b9a-gus-q1b\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentruleus1fedreturnsokresponse1747319655\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319655148,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "7c285ff6-b1ea-26ec-704d-9b5f0246d02d"
+ "id": "77caae5d-ebb4-31e1-4635-d36fa8f0547d"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\"},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentruleus1fedreturnsokresponse1747319655\"},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -42,7 +42,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"amk-lsa-s1q\",\"attributes\":{\"version\":1,\"name\":\"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1743517850483,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1743517850483,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
+ "body": "{\"data\":{\"id\":\"wjj-lvq-owq\",\"attributes\":{\"version\":1,\"name\":\"testcreateaworkloadprotectionagentruleus1fedreturnsokresponse1747319655\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319655964,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319655964,\"filters\":[],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
"headers": {
"Content-Type": [
"application/json"
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "f29574c7-79d9-5925-2699-b0bbd20ea20d"
+ "id": "5ea06048-f1ff-99f2-9447-4c53dba37955"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/amk-lsa-s1q",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/wjj-lvq-owq",
"keepAlive": false,
"secure": true
},
@@ -78,13 +78,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "213da503-7db2-f282-57f9-696487873321"
+ "id": "7a5a5a17-9f0a-df90-2b92-6a09a67edd07"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/4o4-2ha-t4b",
+ "path": "/api/v2/remote_config/products/cws/policy/b9a-gus-q1b",
"keepAlive": false,
"secure": true
},
@@ -103,6 +103,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "139ce589-a272-ef27-1fbf-867fa4c6b67d"
+ "id": "8bcbf672-88c9-c3bb-0c5f-2023f45f4dc2"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..62c7b3ab997
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:16.685Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_Bad_Request_response.json
similarity index 66%
rename from src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
rename to src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_Bad_Request_response.json
index afcbe95cd77..4abaf5b66b3 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_Bad_Request_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1747319656\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"mrs-qdn-jq8\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517845323,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"osv-oeh-is6\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1747319656\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319656764,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "2c22f6b8-0057-2221-bb82-a94431d3f6f7"
+ "id": "a747325a-8045-7ab9-5b4a-853ffa2f5692"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"mrs-qdn-jq8\",\"product_tags\":[]},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\",\"filters\":[],\"name\":\"my_agent_rule\",\"policy_id\":\"osv-oeh-is6\",\"product_tags\":[]},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -42,7 +42,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"errors\":[\"input_validation_error(Field 'name' is invalid: rule `my_agent_rule` error: multiple definition with the same ID)\"]}",
+ "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}",
"headers": {
"Content-Type": [
"application/json"
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "3362265e-367b-0482-ae52-3fc0311cf28b"
+ "id": "4217365b-9cf9-9542-faee-1a7dec40646e"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/mrs-qdn-jq8",
+ "path": "/api/v2/remote_config/products/cws/policy/osv-oeh-is6",
"keepAlive": false,
"secure": true
},
@@ -82,6 +82,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "a246d260-6a96-d40b-a485-5db945980300"
+ "id": "a81a9dd6-8dad-f10a-6bc5-d56da369881a"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..a314ca8b049
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:18.040Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_OK_response.json
similarity index 61%
rename from src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_OK_response.json
index bed8318d216..9943291a792 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_agent_rule_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1747319658\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"eeq-02h-jhh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517846856,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"7rg-8sh-bnx\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1747319658\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319658110,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "24980952-e327-2773-d13a-7a2db6d72809"
+ "id": "63b0d2d9-a2be-3730-123e-4bf1f2147632"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"policy_id\":\"eeq-02h-jhh\",\"product_tags\":[]},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1747319658\",\"policy_id\":\"7rg-8sh-bnx\",\"product_tags\":[]},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -42,7 +42,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"ree-4gw-dk6\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517847344,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testcreateacsmthreatsagentrulereturnsokresponse1743517846\",\"updateDate\":1743517847344,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"kkx-har-lqe\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1747319658762,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"7rg-8sh-bnx\"],\"name\":\"testcreateaworkloadprotectionagentrulereturnsokresponse1747319658\",\"product_tags\":[],\"updateDate\":1747319658762,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "2fb8bdf9-13e6-e45f-a56d-91cb471a44fa"
+ "id": "41a82f51-b02c-ad5b-1471-122783896825"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/ree-4gw-dk6",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/kkx-har-lqe",
"keepAlive": false,
"secure": true
},
@@ -82,13 +82,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "2c9c987d-5731-42d2-3375-605a60a90870"
+ "id": "5ea313b4-cce4-0ce3-ae6c-23262d587c8c"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/eeq-02h-jhh",
+ "path": "/api/v2/remote_config/products/cws/policy/7rg-8sh-bnx",
"keepAlive": false,
"secure": true
},
@@ -107,6 +107,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "e08a3d6a-e327-4f22-3453-dc1acfbc3c36"
+ "id": "248fe95f-176c-24e6-afde-5e4574764e38"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..a49e8201644
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:21.087Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_Bad_Request_response.json
similarity index 84%
rename from src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json
rename to src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_Bad_Request_response.json
index a1ad99ee09b..58ba88d8c36 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_Bad_Request_response.json
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"errors\":[{\"title\":\"failed to create policy\"}]}\n",
+ "body": "{\"errors\":[\"input_validation_error(Field 'tags' is invalid: cannot have both the new and the legacy field populated)\"]}",
"headers": {
"Content-Type": [
"application/json"
diff --git a/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..cc767179ee0
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:21.256Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_OK_response.json
similarity index 79%
rename from src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_OK_response.json
index 9026c83803a..a2cc5ebdb2a 100644
--- a/src/test/resources/cassettes/features/v2/Create_a_CSM_Threats_Agent_policy_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Create_a_Workload_Protection_policy_returns_OK_response.json
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"4op-0bb-yom\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708206895,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"krx-hib-ibo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"my_agent_policy\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319661338,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -33,7 +33,7 @@
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/4op-0bb-yom",
+ "path": "/api/v2/remote_config/products/cws/policy/krx-hib-ibo",
"keepAlive": false,
"secure": true
},
@@ -52,6 +52,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "217dfe64-1f33-003d-ee9d-203ae51dfa29"
+ "id": "29ea4218-e471-86ec-931f-fb3e680db070"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
deleted file mode 100644
index 2907715a1f0..00000000000
--- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:50.953Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
deleted file mode 100644
index b90ca64b48f..00000000000
--- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:51.116Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
deleted file mode 100644
index 9c683d57fe5..00000000000
--- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:52.038Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 369e24ad10b..00000000000
--- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:52.133Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
deleted file mode 100644
index c943cdfcd91..00000000000
--- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:54.389Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 5d92123426a..00000000000
--- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-18T09:10:13.237Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..f13edf5114d
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:22.259Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
new file mode 100644
index 00000000000..bf9b8f24ca7
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:22.399Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
similarity index 58%
rename from src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
index 634cf10048e..a325e25d96d 100644
--- a/src/test/resources/cassettes/features/v2/Delete_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteaworkloadprotectionagentruleus1fedreturnsokresponse1747319662\"},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"ghk-tsf-neq\",\"attributes\":{\"version\":1,\"name\":\"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967413434,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967413434,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
+ "body": "{\"data\":{\"id\":\"car-hil-x1c\",\"attributes\":{\"version\":1,\"name\":\"testdeleteaworkloadprotectionagentruleus1fedreturnsokresponse1747319662\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319662646,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319662646,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
"headers": {
"Content-Type": [
"application/json"
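Review bot: The re-recorded response body in this hunk still carries an account UUID in `creationAuthorUuId` and `updateAuthorUuId` (`3ad549bf-eba0-11e9-a77a-0705486660d0`), although `creator` and `updater` in the same body were replaced with the `frog` / `frog@datadoghq.com` placeholder. The scrubbing step appears to cover the name and handle fields only, so the author identifier of whichever account recorded the cassette lands in the repository. Whether that UUID maps to a real user is not visible from the diff, so confirm it before merging. If it does, extend the recorder's sanitizer to those two fields and re-record with a fixed placeholder, for example `"creationAuthorUuId":"00000000-0000-0000-0000-000000000000"` (constructed value). The other cassettes in this commit that use the `remote_config` endpoints do not return these fields, so only the US1-FED recordings need checking.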
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "86ecfc4f-12da-3c05-da2b-f597071d54fe"
+ "id": "738d67db-5f58-55ff-4266-e349c5ded694"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/car-hil-x1c",
"keepAlive": false,
"secure": true
},
@@ -48,18 +48,18 @@
"timeToLive": {
"unlimited": true
},
- "id": "2f47c18e-235c-f53d-4f7f-57599b1dcec6"
+ "id": "1d7cdd3a-c9eb-a471-1524-ff806c7b2a72"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/car-hil-x1c",
"keepAlive": false,
"secure": true
},
"httpResponse": {
- "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=ghk-tsf-neq)\"]}\n",
+ "body": "{\"errors\":[\"not_found(Agent rule not found: agentRuleId=car-hil-x1c)\"]}\n",
"headers": {
"Content-Type": [
"application/json"
@@ -74,6 +74,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "2f47c18e-235c-f53d-4f7f-57599b1dcec7"
+ "id": "1d7cdd3a-c9eb-a471-1524-ff806c7b2a73"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..7a9c4ab30cd
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:22.985Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..3933aefa338
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:23.358Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_OK_response.json
similarity index 62%
rename from src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_OK_response.json
index d39a9b19f43..ceaf21dc3ec 100644
--- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_agent_rule_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1747319663\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"kqm-fhb-eay\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517852178,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"hea-hly-nmh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1747319663\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319663455,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "4f76bbc7-21ec-50b0-bee4-961e511310a1"
+ "id": "ef5a9fd2-631c-923e-6351-a05f670e17b7"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"policy_id\":\"kqm-fhb-eay\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1747319663\",\"policy_id\":\"hea-hly-nmh\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -42,7 +42,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"pjy-nkm-0wb\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517852458,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testdeleteacsmthreatsagentrulereturnsokresponse1743517852\",\"updateDate\":1743517852458,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"e3n-gsi-qxc\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1747319663941,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"hea-hly-nmh\"],\"name\":\"testdeleteaworkloadprotectionagentrulereturnsokresponse1747319663\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747319663941,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -57,16 +57,16 @@
"timeToLive": {
"unlimited": true
},
- "id": "1c8f6f2e-7e2a-a819-ee4e-c6a17d759a59"
+ "id": "7769dcaf-5203-8d7f-3f6f-4d6e2cd9ffe6"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/e3n-gsi-qxc",
"queryStringParameters": {
"policy_id": [
- "kqm-fhb-eay"
+ "hea-hly-nmh"
]
},
"keepAlive": false,
@@ -87,13 +87,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "051dd302-ae69-4fc9-b7e1-b2374822608d"
+ "id": "213cd7e6-e1c6-59f0-78a6-443244e89722"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/e3n-gsi-qxc",
"keepAlive": false,
"secure": true
},
@@ -113,13 +113,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "553271fe-77cf-080d-8c01-e84523cfab6b"
+ "id": "50434397-bb16-e2ab-f344-137dfb4e3c9b"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/kqm-fhb-eay",
+ "path": "/api/v2/remote_config/products/cws/policy/hea-hly-nmh",
"keepAlive": false,
"secure": true
},
@@ -138,6 +138,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "10b0a06a-54fa-48ac-a1f6-9cf4e9e9ef1c"
+ "id": "1bd3726b-fd71-7b41-ada4-1f46d4755f5c"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..43f54834f36
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:26.783Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..cc5ff23fd01
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:27.017Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_OK_response.json
similarity index 70%
rename from src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_OK_response.json
index 385f324943d..a8960414130 100644
--- a/src/test/resources/cassettes/features/v2/Delete_a_CSM_Threats_Agent_policy_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Delete_a_Workload_Protection_policy_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testdeleteaworkloadprotectionpolicyreturnsokresponse1747319667\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"794-4tf-osj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517851168,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"koo-gxa-p0y\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testdeleteaworkloadprotectionpolicyreturnsokresponse1747319667\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319667081,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "0025e118-5d2c-a766-6988-d11ece091208"
+ "id": "337c85f1-5210-7d2f-5a70-18203c9938cd"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/794-4tf-osj",
+ "path": "/api/v2/remote_config/products/cws/policy/koo-gxa-p0y",
"keepAlive": false,
"secure": true
},
@@ -52,13 +52,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "c0c40bab-ba1a-b8ef-53de-f44216d37c4b"
+ "id": "d3c3bc67-29ac-6074-e942-2eafddbc6424"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/794-4tf-osj",
+ "path": "/api/v2/remote_config/products/cws/policy/koo-gxa-p0y",
"keepAlive": false,
"secure": true
},
@@ -78,6 +78,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "c0c40bab-ba1a-b8ef-53de-f44216d37c4c"
+ "id": "d3c3bc67-29ac-6074-e942-2eafddbc6425"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_US1_FED_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_US1_FED_returns_OK_response.freeze
new file mode 100644
index 00000000000..e026afc4ac0
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_US1_FED_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:28.255Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_US1_FED_returns_OK_response.json
similarity index 99%
rename from src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_US1_FED_returns_OK_response.json
index aeb024e3f6e..349beec9482 100644
--- a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_US1_FED_returns_OK_response.json
@@ -8,7 +8,7 @@
"secure": true
},
"httpResponse": {
- "body": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1743517859524'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", 
\"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in 
[~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added 
to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n 
expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n",
+ "body": "# IMPORTANT: Edits to this file will not be reflected in the Datadog App and will be overwritten with new policy file downloads. Please modify rules in the Datadog App for full functionality.\nversion: '1747319668469'\nrules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An AppArmor profile was modified in an interactive session\n expression: exec.file.name in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n !=\"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditctl_usage\n version: fdc2412d\n description: The auditctl command was used to modify auditd\n expression: exec.file.name == \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd configuration file was modified without using auditctl\n expression: open.file.path == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters: []\n- id: auditd_rule_file_modified\n version: c533115d\n description: The auditd rules file was modified without using auditctl\n expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description: The AWS EKS service account token was accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", 
\"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: aws_imds\n version: 6d47fcfe\n description: An AWS IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\",\n \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]\n agent_version: ''\n filters: []\n- id: aws_metadata_service\n version: 4601e52e\n description: EC2 Instance Metadata Service Accessed via Network Utility\n expression: exec.file.path in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in\n [~\"*169.254.169.254*\"]\n agent_version: ''\n filters: []\n- id: azure_imds\n version: 784f9a83\n description: An Azure IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]\n agent_version: ''\n filters: []\n- id: chatroom_request\n version: 91aa2a0f\n description: A DNS request was made for a chatroom domain\n expression: dns.question.name in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: common_net_intrusion_util\n version: c7198131\n description: A network utility (nmap) commonly used in intrusion attacks was executed\n expression: exec.file.name in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\",\n \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]\n agent_version: ''\n filters: []\n- id: compile_after_delivery\n version: f41c1e36\n description: A compiler wrote a suspicious file in a container\n expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path in 
[~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n version: 441a7e85\n description: Compiler Executed in Container\n expression: (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version: 7e14d921\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: credential_modified_chown\n version: 3731e0d5\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (chown.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: credential_modified_link\n version: 7594ec54\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n version: 5aec9afe\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_unlink\n version: 5af577d\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n version: 1c101338\n description: Sensitive credential files were modified using a non-standard tool\n expression: |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized job was added 
to cron scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_rename\n version: 59b739d8\n description: An unauthorized job was added to cron scheduling\n 
expression: |-\n (\n (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_utimes\n version: d460ba68\n description: An unauthorized job was added to cron scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n version: fc017137\n description: A process launched with arguments associated with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version: ''\n filters:\n - os == 
\"linux\"\n- id: cryptominer_envs\n version: 654a00aa\n description: Process environment variables match cryptocurrency miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket was referenced in a cURL command\n expression: exec.file.name == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n version: 3508c713\n description: A database application spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n process.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name == 
\"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version: 356d5ee7\n description: A privileged container was created\n expression: exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 && (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dirty_pipe_exploitation\n version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id: dummy_rule\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version: 28ba1078\n description: 
Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == 
\"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n description: A process unlinked a dynamic linker config file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n description: A process wrote to a dynamic linker config file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version: 28ba1078\n description: An example agent rule generated in terraform\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == 
\"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n version: 1a14c811\n description: Kernel modules were listed using the lsmod 
command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\",\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden file was executed in a suspicious folder\n expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n description: An interactive shell was started inside of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description: A DNS lookup was done for a IP check service\n expression: dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\", \"whatismyip.akamai.com\"] && 
process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/b
in/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n version: 1bcff0aa\n description: A java process spawned a shell, shell utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description: A Jupyter notebook executed a 
shell\n expression: (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description: The Kubernetes pod service account token was accessed\n expression: open.file.path in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\",\n 
\"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\",\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not in [\"/usr/bin/cilium-agent\",\n \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\",\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\",\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\",\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\",\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n description: A new kernel module was added\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n version: ca2cf124\n description: A new kernel module was added\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description: A new kernel module was added\n expression: |-\n (\n (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version: 904592b4\n description: A kernel module was loaded\n expression: load_module.name not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\", \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n version: 139b666a\n description: A container loaded a new kernel module\n expression: load_module.name != \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n version: a277c753\n description: A kernel module was loaded from memory inside a container\n expression: load_module.loaded_from_memory == true && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n version: 55f9569\n description: A new kernel module was added\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n 
agent_version: ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description: A new kernel module was added\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n version: 652391be\n description: A new kernel module was added\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description: A new kernel module was added\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n description: Kernel modules were listed using the kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n description: The LD_PRELOAD variable is populated by a link to a suspicious file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id: memfd_create\n version: 5908512a\n description: memfd object created\n expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version: ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description: The host file system was mounted in a container\n expression: mount.source.path == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description: Process hidden using mount\n expression: mount.mountpoint.path in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description: A suspicious file was written by a network utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n 
version: 3df2d9ef\n description: Network utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n filters: []\n- id: net_util\n version: fc362090\n description: A network utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\", \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\", ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n description: A network utility was executed in a container\n expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: network_sniffing_tool\n 
version: 4ae409bf\n description: Local account groups were enumerated after container start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description: A container executed a new binary not found in the container image\n expression: container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n version: 28ba1078\n description: Execution of a java process\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version: '69383592'\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_link\n version: e0565b29\n description: Nsswitch Configuration Modified\n expression: 
|-\n (\n (link.file.path in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open\n version: b5602c6f\n description: Nsswitch Configuration Modified\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_open_v2\n version: abef53c9\n description: nsswitch may have been modified without authorization\n expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n version: aad34176\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n version: 8a3e2fbb\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (unlink.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_utimes\n version: 902597c0\n description: Nsswitch Configuration Modified\n expression: |-\n (\n (utimes.file.path in [ \"/etc/nsswitch.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: ntds_in_commandline\n version: 5cdd4bba\n description: NTDS file referenced in commandline\n expression: exec.cmdline =~ \"*ntds.dit*\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: offensive_k8s_tool\n version: b83fba22\n description: A known kubernetes pentesting tool has been executed\n expression: (exec.file.name in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\" in exec.argv ) ) || exec.file.name in [ 
\"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n version: c152fcaf\n description: Package management was detected in a container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n version: 974a676e\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pam_modification_chown\n version: ca22d0ab\n description: PAM may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description: PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_open\n version: 9440f452\n description: PAM Configuration Files Modification\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM Configuration Files Modification\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path in 
[ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description: PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n filters: []\n- id: pam_modification_utimes\n version: d377b599\n description: PAM may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n version: e1d41f5e\n description: The passwd or chpasswd utility was used to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS lookup was done for a pastebin-like site\n expression: dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_chown\n version: 21da2189\n description: Critical system binaries may have been modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n description: Critical system binaries may have been modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description: Critical system binaries may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n description: Critical system binaries may have been modified\n expression: |-\n (\n (rename.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical system binaries may have been modified\n expression: |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n description: Critical system binaries may have been modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: potential_cryptominer\n version: 4241c309\n description: A process resolved a DNS name associated with cryptomining activity\n expression: dns.question.name in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"*c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n description: A web application spawned a shell or shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\")\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: 
a0a32c4b\n description: Processes were listed using the ps command\n expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description: A process uses an anti-debugging technique to block debuggers\n expression: ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description: A process attempted to inject code into another process\n expression: ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n version: c83bbabc\n description: A process was spawned with indicators of exploitation of CVE-2021-4034\n expression: (exec.file.path == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"]\n && exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)\n agent_version: ''\n filters: []\n- id: python_cli_code\n version: '989474'\n description: Python code was provided on the command line\n expression: exec.file.name == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version: ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description: Possible ransomware note created under common user directories\n expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\", ~\"/root/**\", 
~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description: RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n description: The kubeconfig file was accessed\n expression: open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version: ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description: OS information was read from the /etc/lsb-release file\n expression: open.file.path == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n agent_version: ''\n filters: []\n- id: redis_save_module\n version: b1cb9110\n description: Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n version: 3df7b8e9\n description: A Registry runkey has been modified\n expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description: The runc binary was modified in a non-standard way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n version: 75fb1a6f\n description: Safeboot registry modified\n expression: set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n 
version: afa9a8ba\n description: SELinux enforcement status was disabled\n expression: selinux.enforce.status in [\"permissive\", \"disabled\"] && process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n filters: []\n- id: service_stop\n version: 8e434232\n description: systemctl used to stop a service\n expression: exec.file.name == \"systemctl\" && exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n version: ff763e6\n description: Shell History was Deleted\n expression: (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters: []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic link for shell history was created targeting /dev/null\n expression: exec.comm == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version: ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\n agent_version: ''\n filters: []\n- id: shell_profile_modification\n version: d1cecdac\n description: Shell profile was modified\n expression: open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description: SSH modified keys may have been modified\n expression: |-\n (\n chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n description: SSH modified keys may have been 
modified\n expression: |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n version: 81382bdd\n description: SSH Authorized Keys Modified\n expression: |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n version: 513f8108\n description: SSH modified keys may have been modified\n expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n ) && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression: |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized Keys Modified\n expression: |-\n (\n utimes.file.name == 
\"authorized_keys\" && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_link\n version: eb594616\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (link.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: 
ssl_certificate_tampering_open_v2\n version: a90058eb\n description: SSL certificates may have been tampered with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n version: e42eefb4\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_utimes\n version: 29db81c1\n description: SSL certificates may have been tampered with\n expression: |-\n (\n (utimes.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description: Sudoers policy file may have been modified without authorization\n expression: \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n 
description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n version: 1f1b8962\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (link.file.path == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n version: af2610b6\n description: Sudoers policy file may have been modified without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n version: 531fc9ae\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (rename.file.path == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n version: 5568da57\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (unlink.file.path == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n version: d99c2466\n description: Sudoers policy file may have been modified without authorization\n expression: |-\n (\n (utimes.file.path == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: suid_file_execution\n version: 1b4f4075\n description: a SUID file was executed\n expression: (setuid.euid == 0 || setuid.uid == 0) && process.file.mode & S_ISUID\n > 0 && process.file.uid == 0 && process.uid != 0 && process.file.path != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n version: 8b9461f4\n description: A container management utility was executed in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n version: 216c8207\n description: Recently written or modified suid file has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description: A service may have been modified without authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n 
description: A service may have been modified without authorization\n expression: |-\n (\n (chown.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n version: 11a77f5b\n description: A service may have been modified without authorization\n expression: |-\n (\n (link.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n description: A service may have been modified without authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n version: 9759ce6\n description: A service may have been modified without authorization\n expression: |-\n (\n (rename.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n description: A service may have been modified without authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n description: A service may have been modified without authorization\n expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id: tar_execution\n version: e63af392\n description: Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n version: f43786f8\n description: Test Agent 
rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: 
testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: 
exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887\n version: f43786f8\n description: Test Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: 
[]\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n 
filters:\n - os == \"linux\"\n- id: testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493\n version: f43786f8\n description: My Agent rule\n expression: exec.file.name == \"sh\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n 
agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554\n version: 28ba1078\n description: an agent rule\n 
expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992\n version: 28ba1078\n description: an agent rule\n expression: exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: 
tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name 
== \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n version: 2dd188de\n description: an agent rule\n expression: exec.file.name == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n version: 3d9489bb\n description: A shell with a TTY was executed in a container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == 
\"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\", \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n description: A user was created via an interactive session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version: ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description: A user was deleted via an interactive session\n expression: exec.file.name in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: windows_cryptominer_process\n version: e26f81ab\n description: A cryptominer was potentially executed\n expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n - os == \"windows\"\n",
"headers": {
"Content-Type": [
"application/yaml"
diff --git a/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..7b0be83930b
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:28.720Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_returns_OK_response.json
new file mode 100644
index 00000000000..5da8f080f11
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Download_the_Workload_Protection_policy_returns_OK_response.json
@@ -0,0 +1,28 @@
+[
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "GET",
+ "path": "/api/v2/remote_config/products/cws/policy/download",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "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",
+ "headers": {
+ "Content-Type": [
+ "application/zip"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "55f150be-464c-275e-744d-c8db63b1ef2a"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
deleted file mode 100644
index 24a790d0a6e..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:54.462Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
deleted file mode 100644
index 76a83128373..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:54.711Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
deleted file mode 100644
index a6328571453..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:55.749Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 5c69286972a..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:56.067Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
deleted file mode 100644
index 881abb7569a..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:58.452Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 72cbb497c85..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-18T09:10:13.933Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
deleted file mode 100644
index eeeb58fc665..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
+++ /dev/null
@@ -1,79 +0,0 @@
-[
- {
- "httpRequest": {
- "body": {
- "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\"},\"type\":\"agent_rule\"}}"
- },
- "headers": {},
- "method": "POST",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "396a5dc9-132e-919e-9d88-cf562a6e9d95"
- },
- {
- "httpRequest": {
- "headers": {},
- "method": "GET",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"ajb-znb-t3g\",\"attributes\":{\"version\":1,\"name\":\"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414208,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414208,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "8d9f05ef-f286-26ab-9b61-6ec475d8c5a2"
- },
- {
- "httpRequest": {
- "headers": {},
- "method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "headers": {},
- "statusCode": 204,
- "reasonPhrase": "No Content"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "123e0530-9270-5bba-2906-395d131199f7"
- }
-]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..55b4f086077
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:29.126Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Get_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
new file mode 100644
index 00000000000..be1db65e685
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:29.280Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
new file mode 100644
index 00000000000..80ae067131d
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
@@ -0,0 +1,79 @@
+[
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1747319669\"},\"type\":\"agent_rule\"}}"
+ },
+ "headers": {},
+ "method": "POST",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"edf-58c-lqp\",\"attributes\":{\"version\":1,\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1747319669\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319669780,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319669780,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "f2497205-a6e0-8861-4793-ed839e315b64"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "GET",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/edf-58c-lqp",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"edf-58c-lqp\",\"attributes\":{\"version\":1,\"name\":\"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1747319669\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319669780,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319669780,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "e45d6e75-910f-d297-145c-6198d6bd3a95"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "DELETE",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/edf-58c-lqp",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "headers": {},
+ "statusCode": 204,
+ "reasonPhrase": "No Content"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "2c9d5d85-9db7-a45a-389b-62debaaf55dc"
+ }
+]
\ No newline at end of file
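Review bot: The recorded response bodies in this new cassette carry the recording account's identity, `\"handle\":\"frog@datadoghq.com\"` and `creationAuthorUuId` `3ad549bf-eba0-11e9-a77a-0705486660d0`, where the deleted cassette it replaces recorded `\"name\":\"CI Account\"` with an opaque UUID handle. The same email handle appears in the re-recorded bodies of `Get_a_Workload_Protection_agent_rule_returns_OK_response.json` and `Get_a_Workload_Protection_policy_returns_OK_response.json`. Unless this is a deliberately shared service identity, re-record with the CI account or scrub `creator`/`updater` in the recorder before committing, so that a mailbox name and user UUID are not published with the test fixtures. The policy cassettes also show `priority` moving from 1000000001 to 1000000070, which suggests the recording ran in an org that already held other custom policies; it is worth confirming that org is a dedicated test tenant.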
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..6e36c7f173e
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:30.237Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_OK_response.freeze
new file mode 100644
index 00000000000..737ef57156d
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:30.450Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_OK_response.json
similarity index 55%
rename from src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_OK_response.json
index 7dfde91e1be..94137ff8acd 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_rule_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_agent_rule_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1747319670\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"lxh-tyq-n9u\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517856115,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"1it-bne-ftb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1747319670\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319670515,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "b3afdaf5-8519-ae56-8384-8974c6321350"
+ "id": "50412372-e0d3-dcab-06e0-aef43ca7fb12"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"policy_id\":\"lxh-tyq-n9u\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1747319670\",\"policy_id\":\"1it-bne-ftb\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -42,7 +42,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856488,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856488,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"23k-ekw-ia2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1747319671106,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"1it-bne-ftb\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1747319670\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747319671106,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -57,23 +57,23 @@
"timeToLive": {
"unlimited": true
},
- "id": "27a6662f-7392-6412-b20f-f83d031acdcf"
+ "id": "59b8d4d6-a392-2c4e-94a4-c0d06d56ae23"
},
{
"httpRequest": {
"headers": {},
"method": "GET",
- "path": "/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/23k-ekw-ia2",
"queryStringParameters": {
"policy_id": [
- "lxh-tyq-n9u"
+ "1it-bne-ftb"
]
},
"keepAlive": false,
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"k1m-gqh-zqm\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517856000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testgetacsmthreatsagentrulereturnsokresponse1743517856\",\"updateDate\":1743517856000,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"23k-ekw-ia2\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1747319671106,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"1it-bne-ftb\"],\"name\":\"testgetaworkloadprotectionagentrulereturnsokresponse1747319670\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747319671106,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -88,13 +88,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "9edf3fa7-1822-39c2-f6c8-b4041c573e95"
+ "id": "ab964379-67cb-d933-dd8e-840a9c203254"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/23k-ekw-ia2",
"keepAlive": false,
"secure": true
},
@@ -113,13 +113,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "8721cb1e-d70a-2ced-a636-c8e94ceda016"
+ "id": "8929e7ef-2010-83dc-6469-40f3fb18bbac"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/lxh-tyq-n9u",
+ "path": "/api/v2/remote_config/products/cws/policy/1it-bne-ftb",
"keepAlive": false,
"secure": true
},
@@ -138,6 +138,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "995c1950-79a6-e4ab-6918-978d0ac9090d"
+ "id": "08aef328-89b2-8932-7722-eebec9ba4b89"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..10324acfbc8
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:33.565Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..41f50457617
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:33.775Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_OK_response.json
similarity index 63%
rename from src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_OK_response.json
index 5ba2550acfd..28f88f3b289 100644
--- a/src/test/resources/cassettes/features/v2/Get_a_CSM_Threats_Agent_policy_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Get_a_Workload_Protection_policy_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1747319673\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"6zj-1yv-myk\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1747319673\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319673849,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,18 +27,18 @@
"timeToLive": {
"unlimited": true
},
- "id": "819fbd0e-656d-0570-1df5-8cdb4e34e693"
+ "id": "11e97d12-e061-5849-c552-a92c0cbfba9c"
},
{
"httpRequest": {
"headers": {},
"method": "GET",
- "path": "/api/v2/remote_config/products/cws/policy/egv-qkr-ihb",
+ "path": "/api/v2/remote_config/products/cws/policy/6zj-1yv-myk",
"keepAlive": false,
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"egv-qkr-ihb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetacsmthreatsagentpolicyreturnsokresponse1743517854\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517854753,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"6zj-1yv-myk\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testgetaworkloadprotectionpolicyreturnsokresponse1747319673\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319673849,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -53,13 +53,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "f78656fc-8bce-c105-3d97-4a2d06011032"
+ "id": "378862bd-26ea-bb8e-43ac-461344bb6a35"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/egv-qkr-ihb",
+ "path": "/api/v2/remote_config/products/cws/policy/6zj-1yv-myk",
"keepAlive": false,
"secure": true
},
@@ -78,6 +78,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "7c1f0e88-a5c0-0171-a979-6268102a9b1c"
+ "id": "52783fc2-304b-4bc2-f446-ee70c58f93c7"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze
deleted file mode 100644
index 8fe4f3f1934..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:58.530Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json
deleted file mode 100644
index 3b803f7f9a5..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_policies_returns_OK_response.json
+++ /dev/null
@@ -1,28 +0,0 @@
-[
- {
- "httpRequest": {
- "headers": {},
- "method": "GET",
- "path": "/api/v2/remote_config/products/cws/policy",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":[{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":1,\"enabled\":false,\"hostTags\":[],\"monitoringRulesCount\":418,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"53221\",\"priority\":1000000000,\"ruleCount\":419,\"updateDate\":1742473183000,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"1.40.0-rc76\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1737661272000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "c11ab989-2196-f6ff-9cd9-f75438c46596"
- }
-]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze
deleted file mode 100644
index a1b59dc82f5..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:58.973Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_US1_FED_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_US1_FED_returns_OK_response.freeze
new file mode 100644
index 00000000000..fc418fa6e92
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_US1_FED_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:34.919Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_US1_FED_returns_OK_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Get_all_Cloud_Workload_Security_Agent_rules_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_US1_FED_returns_OK_response.json
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_returns_OK_response.freeze
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.freeze
rename to src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_returns_OK_response.freeze
diff --git a/src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_returns_OK_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Get_all_CSM_Threats_Agent_rules_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_agent_rules_returns_OK_response.json
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_policies_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_policies_returns_OK_response.freeze
new file mode 100644
index 00000000000..258a7be8029
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_policies_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:50.303Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_policies_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_policies_returns_OK_response.json
new file mode 100644
index 00000000000..4b621a6c62f
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Get_all_Workload_Protection_policies_returns_OK_response.json
@@ -0,0 +1,28 @@
+[
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "GET",
+ "path": "/api/v2/remote_config/products/cws/policy",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":[{\"id\":\"gxu-c6v-pka\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747260251\",\"policyVersion\":\"2\",\"priority\":1000000069,\"ruleCount\":227,\"updateDate\":1747260252444,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"1os-ptz-he9\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747217050\",\"policyVersion\":\"2\",\"priority\":1000000066,\"ruleCount\":227,\"updateDate\":1747217052175,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ddu-dat-9cx\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747188251\",\"policyVersion\":\"2\",\"priority\":1000000061,\"ruleCount\":227,\"updateDate\":1747188252541,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"oiv-iar-6uj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1747188247\",\"policyVersion\":\"3\",\"priority\":1000000058,\"ruleCount\":226,\"updateDate\":1747188247541,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n6v-uoj-6jv\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1747173848\",\"policyVersion\":\"3\",\"priority\":1000000056,\"ruleCount\":226,\"updateDate\":1747173848994,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zay-klh-gzk\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747145048\",\"policyVersion\":\"1\",\"priority\":1000000053,\"ruleCount\":226,\"updateDate\":1747145052780,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"t0c-318-ksc\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747130648\",\"policyVersion\":\"1\",\"priority\":1000000048,\"ruleCount\":226,\"updateDate\":1747130648466,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mnq-jea-ord\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747116251\",\"policyVersion\":\"3\",\"priority\":1000000045,\"ruleCount\":226,\"updateDate\":1747116251418,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hjq-1ou-gxj\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747116248\",\"policyVersion\":\"1\",\"priority\":1000000044,\"ruleCount\":226,\"updateDate\":1747116249173,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"zt3-q2u-xka\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747058651\",\"policyVersion\":\"2\",\"priority\":1000000041,\"ruleCount\":227,\"updateDate\":1747058653022,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"n52-kmk-gy5\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1747058647\",\"policyVersion\":\"2\",\"priority\":1000000039,\"ruleCount\":227,\"updateDate\":1747058651011,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"lwi-ota-cdp\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1747029847\",\"policyVersion\":\"2\",\"priority\":1000000037,\"ruleCount\":227,\"updateDate\":1747029850531,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"eme-xsc-20m\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1747001050\",\"policyVersion\":\"2\",\"priority\":1000000035,\"ruleCount\":227,\"updateDate\":1747001052678,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"acr-3t9-p0d\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747001048\",\"policyVersion\":\"1\",\"priority\":1000000033,\"ruleCount\":226,\"updateDate\":1747001048728,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"hw2-pev-bdl\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1746986651\",\"policyVersion\":\"3\",\"priority\":1000000030,\"ruleCount\":226,\"updateDate\":1746986651360,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"mm8-gf5-1mh\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1746986648\",\"policyVersion\":\"3\",\"priority\":1000000029,\"ruleCount\":226,\"updateDate\":1746986649139,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wfe-tga-w8i\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1746943448\",\"policyVersion\":\"1\",\"priority\":1000000025,\"ruleCount\":226,\"updateDate\":1746943448597,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kz9-gsr-aet\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1746929048\",\"policyVersion\":\"3\",\"priority\":1000000022,\"ruleCount\":226,\"updateDate\":1746929049088,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"u2n-mby-zu5\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentpolicyreturnsokresponse1746914646\",\"policyVersion\":\"1\",\"priority\":1000000018,\"ruleCount\":226,\"updateDate\":1746914646907,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ygu-bj5-cnb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplegetacsmthreatsagentrulereturnsokresponse1746900250\",\"policyVersion\":\"2\",\"priority\":1000000017,\"ruleCount\":227,\"updateDate\":1746900252089,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"8h9-6l9-ofq\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"exampledeleteacsmthreatsagentrulereturnsokresponse1746885848\",\"policyVersion\":\"3\",\"priority\":1000000012,\"ruleCount\":226,\"updateDate\":1746885849173,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"x6i-kv0-iby\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1746871448\",\"policyVersion\":\"1\",\"priority\":1000000009,\"ruleCount\":226,\"updateDate\":1746871448758,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"wry-lqz-m1l\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentpolicyreturnsokresponse1746842646\",\"policyVersion\":\"1\",\"priority\":1000000006,\"ruleCount\":226,\"updateDate\":1746842646921,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"ljy-djc-pxw\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent 
policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":226,\"name\":\"examplecreateacsmthreatsagentrulereturnsokresponse1746828247\",\"policyVersion\":\"2\",\"priority\":1000000005,\"ruleCount\":227,\"updateDate\":1746828252931,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"kmt-lzi-f6r\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"examplegetacsmthreatsagentpolicyreturnsokresponse1746813847\",\"policyVersion\":\"1\",\"priority\":1000000003,\"ruleCount\":226,\"updateDate\":1746813847517,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}},{\"id\":\"CWS_CUSTOM-canary\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"disabledRulesCount\":2,\"enabled\":false,\"monitoringRulesCount\":491,\"name\":\"Datadog Managed Policy\",\"policyVersion\":\"58197\",\"priority\":1000000002,\"ruleCount\":493,\"updateDate\":1746789273109,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"hdo-seh-iaa\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1744718519\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744718520126,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}},{\"id\":\"CWS_DD\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":true,\"disabledRulesCount\":1,\"enabled\":true,\"monitoringRulesCount\":225,\"name\":\"Datadog Managed 
Policy\",\"policyVersion\":\"1.43.0-rc80\",\"priority\":0,\"ruleCount\":226,\"updateDate\":1742407951000,\"updater\":{\"name\":\"Datadog\",\"handle\":\"\"}}}]}",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "c11ab989-2196-f6ff-9cd9-f75438c46596"
+ }
+]
\ No newline at end of file
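Review bot: The recorded `body` in this new cassette captures the live state of the recording org rather than a minimal fixture. The deleted `Get_all_CSM_Threats_Agent_policies_returns_OK_response.json` held only `CWS_CUSTOM-canary` and `CWS_DD`, while this one adds more than two dozen `My agent policy` entries with names like `examplegetacsmthreatsagentrulereturnsokresponse1747260251`. Those names suggest policies left behind by earlier example or test runs, so it is worth confirming that the teardown for those scenarios actually deletes the policy, then re-recording against a cleaned-up org. The body also commits the updater handle `frog@datadoghq.com` and the CI account UUID; if the test only checks the response shape, substituting placeholder values at recording time would keep account identifiers out of the repository.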
diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze
deleted file mode 100644
index 9c2278bbc1e..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:59.240Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json
deleted file mode 100644
index 44f02bd4027..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_the_latest_CSM_Threats_policy_returns_OK_response.json
+++ /dev/null
@@ -1,28 +0,0 @@
-[
- {
- "httpRequest": {
- "headers": {},
- "method": "GET",
- "path": "/api/v2/remote_config/products/cws/policy/download",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "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",
- "headers": {
- "Content-Type": [
- "application/zip"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "55f150be-464c-275e-744d-c8db63b1ef2a"
- }
-]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze
deleted file mode 100644
index f0de7ad5984..00000000000
--- a/src/test/resources/cassettes/features/v2/Get_the_latest_Cloud_Workload_Security_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:30:59.438Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze
deleted file mode 100644
index 27be8fe236a..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-15T09:10:08.098Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
deleted file mode 100644
index 435b652a26b..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:31:00.854Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
deleted file mode 100644
index 562f84a677a..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-15T09:10:09.401Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
deleted file mode 100644
index 12d907c5d09..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-15T09:10:11.192Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
deleted file mode 100644
index 1a52f175ee4..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:31:02.941Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 4dd297f02ff..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-01T14:31:03.998Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json
deleted file mode 100644
index 086d7f0a3dc..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_OK_response.json
+++ /dev/null
@@ -1,147 +0,0 @@
-[
- {
- "httpRequest": {
- "body": {
- "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\"},\"type\":\"policy\"}}"
- },
- "headers": {},
- "method": "POST",
- "path": "/api/v2/remote_config/products/cws/policy",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"evg-ugc-rb3\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517864028,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "0c3fda99-1c43-1b08-836a-391d182a1d50"
- },
- {
- "httpRequest": {
- "body": {
- "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"policy_id\":\"evg-ugc-rb3\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
- },
- "headers": {},
- "method": "POST",
- "path": "/api/v2/remote_config/products/cws/agent_rules",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517864391,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"updateDate\":1743517864391,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "a3be8466-7def-08ce-24be-d8ef3fb00988"
- },
- {
- "httpRequest": {
- "body": {
- "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"evg-ugc-rb3\",\"product_tags\":[]},\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\"}}"
- },
- "headers": {},
- "method": "PATCH",
- "path": "/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4",
- "queryStringParameters": {
- "policy_id": [
- "evg-ugc-rb3"
- ]
- },
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"pqr-gh6-gj4\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1743517864000,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsokresponse1743517863\",\"updateDate\":1743517865118,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "b034f20b-0de9-d90d-4bc8-1f6b2418a850"
- },
- {
- "httpRequest": {
- "headers": {},
- "method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/pqr-gh6-gj4",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 204,
- "reasonPhrase": "No Content"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "eebe739e-597a-a7ad-2ae5-5b6070b7c5a1"
- },
- {
- "httpRequest": {
- "headers": {},
- "method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/evg-ugc-rb3",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 204,
- "reasonPhrase": "No Content"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "0c78cd95-6f69-98e1-e8cd-000071236304"
- }
-]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
deleted file mode 100644
index 36ea0d26094..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-18T09:10:14.669Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
deleted file mode 100644
index 30a73c79d2d..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-18T09:45:20.422Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
deleted file mode 100644
index 0ad336788ee..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.freeze
+++ /dev/null
@@ -1 +0,0 @@
-2025-04-18T09:10:15.690Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
deleted file mode 100644
index 441e5d5d1aa..00000000000
--- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_OK_response.json
+++ /dev/null
@@ -1,83 +0,0 @@
-[
- {
- "httpRequest": {
- "body": {
- "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\"},\"type\":\"agent_rule\"}}"
- },
- "headers": {},
- "method": "POST",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416010,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "54f8bc31-f520-cf8c-abba-6e785e33b5c4"
- },
- {
- "httpRequest": {
- "body": {
- "type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"szj-quo-wak\",\"type\":\"agent_rule\"}}"
- },
- "headers": {},
- "method": "PATCH",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "body": "{\"data\":{\"id\":\"szj-quo-wak\",\"attributes\":{\"version\":2,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415\",\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967416010,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967416272,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
- "headers": {
- "Content-Type": [
- "application/json"
- ]
- },
- "statusCode": 200,
- "reasonPhrase": "OK"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "699d0e12-aa45-3822-5218-e33c74419e60"
- },
- {
- "httpRequest": {
- "headers": {},
- "method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak",
- "keepAlive": false,
- "secure": true
- },
- "httpResponse": {
- "headers": {},
- "statusCode": 204,
- "reasonPhrase": "No Content"
- },
- "times": {
- "remainingTimes": 1
- },
- "timeToLive": {
- "unlimited": true
- },
- "id": "f0e156b5-4936-979e-a781-80a7393794af"
- }
-]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..28a0e1a88bc
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:50.645Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.json
similarity index 56%
rename from src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.json
index 29725cfcb09..6cd8d6e9bff 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Bad_Request_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\"},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateaworkloadprotectionagentruleus1fedreturnsbadrequestresponse1747319690\"},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"03s-ro8-kgi\",\"attributes\":{\"version\":1,\"name\":\"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"creationDate\":1744967414924,\"updateAuthorUuId\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"updateDate\":1744967414924,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}},\"type\":\"agent_rule\"}}\n",
+ "body": "{\"data\":{\"id\":\"qny-a5d-mul\",\"attributes\":{\"version\":1,\"name\":\"testupdateaworkloadprotectionagentruleus1fedreturnsbadrequestresponse1747319690\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319690855,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319690855,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
"headers": {
"Content-Type": [
"application/json"
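Review bot: The re-recorded response body in this hunk now carries a named account in `creator`/`updater` (`"handle":"frog@datadoghq.com"`) and a different `creationAuthorUuId`, where the previous recording used the CI account with a UUID handle. If that address is the recorder's scrubbed placeholder this is fine, but it is worth confirming that the cassette sanitizer, not a personal login, produced it, since these fixtures are committed alongside the client. The same values recur in the other re-recorded cassettes in this commit, for example the new `Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json` and the policy cassettes. Recording from the CI service account would keep user identifiers out of the repository.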
@@ -27,22 +27,22 @@
"timeToLive": {
"unlimited": true
},
- "id": "6117d741-146f-7545-62ac-cea7ec42f4ff"
+ "id": "de32e4a7-c5db-021a-7243-d04f578629ee"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\"},\"id\":\"03s-ro8-kgi\",\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name\"},\"id\":\"qny-a5d-mul\",\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "PATCH",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/qny-a5d-mul",
"keepAlive": false,
"secure": true
},
"httpResponse": {
- "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n",
+ "body": "{\"errors\":[\"input_validation_error(Field 'expression' is invalid: rule `testupdateaworkloadprotectionagentruleus1fedreturnsbadrequestresponse1747319690` error: rule syntax error: bool expected: 1:1: exec.file.name\\n^)\"]}\n",
"headers": {
"Content-Type": [
"application/json"
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "8b083a0f-780e-6fec-489c-57490e757c7e"
+ "id": "f4568639-7bcd-2446-5f0f-cede781ec74f"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/qny-a5d-mul",
"keepAlive": false,
"secure": true
},
@@ -78,6 +78,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "253a3c81-6e61-cec1-0cb2-25fbb073e320"
+ "id": "de15ac51-ce62-296a-f85b-56266b54bec7"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..0976bce00c5
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:51.338Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Update_a_Cloud_Workload_Security_Agent_rule_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
new file mode 100644
index 00000000000..a3784746d87
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:51.443Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
new file mode 100644
index 00000000000..c3f9c48a2c6
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_US1_FED_returns_OK_response.json
@@ -0,0 +1,83 @@
+[
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateaworkloadprotectionagentruleus1fedreturnsokresponse1747319691\"},\"type\":\"agent_rule\"}}"
+ },
+ "headers": {},
+ "method": "POST",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"fbb-jub-hb7\",\"attributes\":{\"version\":1,\"name\":\"testupdateaworkloadprotectionagentruleus1fedreturnsokresponse1747319691\",\"description\":\"My Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319691636,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319691636,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "b8fe0891-3257-0135-6b33-11f3dac72a6c"
+ },
+ {
+ "httpRequest": {
+ "body": {
+ "type": "JSON",
+ "json": "{\"data\":{\"attributes\":{\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\"},\"id\":\"fbb-jub-hb7\",\"type\":\"agent_rule\"}}"
+ },
+ "headers": {},
+ "method": "PATCH",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/fbb-jub-hb7",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "body": "{\"data\":{\"id\":\"fbb-jub-hb7\",\"attributes\":{\"version\":2,\"name\":\"testupdateaworkloadprotectionagentruleus1fedreturnsokresponse1747319691\",\"description\":\"Updated Agent rule\",\"expression\":\"exec.file.name == \\\"sh\\\"\",\"category\":\"Process Activity\",\"defaultRule\":false,\"enabled\":true,\"creationAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"creationDate\":1747319691636,\"updateAuthorUuId\":\"3ad549bf-eba0-11e9-a77a-0705486660d0\",\"updateDate\":1747319692038,\"filters\":[\"os == \\\"linux\\\"\"],\"actions\":[],\"agentConstraint\":\"\",\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}},\"type\":\"agent_rule\"}}\n",
+ "headers": {
+ "Content-Type": [
+ "application/json"
+ ]
+ },
+ "statusCode": 200,
+ "reasonPhrase": "OK"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "f7f88a7a-071e-8b3b-daf9-110a757c974d"
+ },
+ {
+ "httpRequest": {
+ "headers": {},
+ "method": "DELETE",
+ "path": "/api/v2/security_monitoring/cloud_workload_security/agent_rules/fbb-jub-hb7",
+ "keepAlive": false,
+ "secure": true
+ },
+ "httpResponse": {
+ "headers": {},
+ "statusCode": 204,
+ "reasonPhrase": "No Content"
+ },
+ "times": {
+ "remainingTimes": 1
+ },
+ "timeToLive": {
+ "unlimited": true
+ },
+ "id": "593e05eb-d077-74d6-72b6-c0d8b3dcde08"
+ }
+]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..12d86b4a88a
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:52.248Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Bad_Request_response.json
similarity index 63%
rename from src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Bad_Request_response.json
index 51948623958..78e0c35802d 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Bad_Request_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1747319692\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"1i5-k3r-2dg\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708211304,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"cas-zuo-dud\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1747319692\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319692308,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "11c0a116-8511-2ec4-19e0-00da0df22c67"
+ "id": "d5045508-3fee-a6db-e323-844feb7e1c88"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1747319692\",\"policy_id\":\"cas-zuo-dud\",\"product_tags\":[\"security:attack\",\"technique:T1059\"]},\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "POST",
@@ -42,7 +42,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"qtl-8mk-8gy\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1744708211716,\"creator\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"name\":\"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211\",\"updateDate\":1744708211716,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"sa6-p9i-qqx\",\"type\":\"agent_rule\",\"attributes\":{\"category\":\"Process Activity\",\"creationDate\":1747319692771,\"creator\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"},\"defaultRule\":false,\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"filters\":[\"os == \\\"linux\\\"\"],\"monitoring\":[\"cas-zuo-dud\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1747319692\",\"product_tags\":[\"security:attack\",\"technique:T1059\"],\"updateDate\":1747319692771,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -57,17 +57,17 @@
"timeToLive": {
"unlimited": true
},
- "id": "f04fc9f7-33c8-f920-4e1d-f0f3edfee6c9"
+ "id": "a8989ed5-5eac-710a-06c7-8442b504b338"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"1i5-k3r-2dg\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"cas-zuo-dud\",\"product_tags\":[]},\"id\":\"invalid-agent-rule-id\",\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "PATCH",
- "path": "/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/sa6-p9i-qqx",
"keepAlive": false,
"secure": true
},
@@ -87,13 +87,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "e52d38b8-0b43-82d9-0ebf-96069dc20eab"
+ "id": "83be1c08-18cb-d2f9-6904-a50ef3e02ce7"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy",
+ "path": "/api/v2/remote_config/products/cws/agent_rules/sa6-p9i-qqx",
"keepAlive": false,
"secure": true
},
@@ -112,13 +112,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "a69cd5fd-0e07-d6d2-a98b-3dc95cae8960"
+ "id": "975ef467-b442-7773-d245-d98cf319186a"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/1i5-k3r-2dg",
+ "path": "/api/v2/remote_config/products/cws/policy/cas-zuo-dud",
"keepAlive": false,
"secure": true
},
@@ -137,6 +137,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "1346db6d-9d2d-5b3a-73df-39a434f3cce3"
+ "id": "f43a7c39-0ebf-d701-5b10-05be66739c39"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..61d6ca096ed
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:55.281Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
similarity index 73%
rename from src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
index 5ba170cc43c..492c0d3c925 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_rule_returns_Not_Found_response.json
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_agent_rule_returns_Not_Found_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1747319695\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"jnw-szj-ssb\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1743517862965,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"ybs-zrz-2xw\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1747319695\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319695364,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,13 +27,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "a5b4f0f5-921d-1238-a3ba-7be467925bdd"
+ "id": "3aff4464-71f6-8ec1-8e0f-2c4dce047542"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"jnw-szj-ssb\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My Agent rule\",\"enabled\":true,\"expression\":\"exec.file.name == \\\"sh\\\"\",\"policy_id\":\"ybs-zrz-2xw\",\"product_tags\":[]},\"id\":\"non-existent-rule-id\",\"type\":\"agent_rule\"}}"
},
"headers": {},
"method": "PATCH",
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "01c1270a-1be6-f0b0-dc98-f31d16c15991"
+ "id": "218ef584-d52f-14bf-ae13-b64111d22972"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/jnw-szj-ssb",
+ "path": "/api/v2/remote_config/products/cws/policy/ybs-zrz-2xw",
"keepAlive": false,
"secure": true
},
@@ -82,6 +82,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "4f00a455-c419-4dd2-6a08-813d14665dd0"
+ "id": "8363239a-923b-52dd-93bf-b1fc8fd8ccd2"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Bad_Request_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Bad_Request_response.freeze
new file mode 100644
index 00000000000..c91e88a821f
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Bad_Request_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:56.405Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Bad_Request_response.json
similarity index 65%
rename from src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Bad_Request_response.json
index 1e779b5c9c5..8e4509c420e 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Bad_Request_response.json
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Bad_Request_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1747319696\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"pp8-iw5-agt\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708208235,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"kfz-e8v-7v0\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1747319696\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319696483,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,22 +27,22 @@
"timeToLive": {
"unlimited": true
},
- "id": "b2969d22-85e5-4937-1c5e-69b0b4dd2cdd"
+ "id": "d99f1a86-437b-26ee-8ee5-d4e83efe9bb1"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"pp8-iw5-agt\",\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:test\"],\"hostTagsLists\":[[\"env:test\"]],\"name\":\"\"},\"id\":\"kfz-e8v-7v0\",\"type\":\"policy\"}}"
},
"headers": {},
"method": "PATCH",
- "path": "/api/v2/remote_config/products/cws/policy/pp8-iw5-agt",
+ "path": "/api/v2/remote_config/products/cws/policy/kfz-e8v-7v0",
"keepAlive": false,
"secure": true
},
"httpResponse": {
- "body": "{\"errors\":[{\"title\":\"failed to update policy\"}]}\n",
+ "body": "{\"errors\":[\"input_validation_error(Field 'tags' is invalid: cannot have both the new and the legacy field populated)\"]}",
"headers": {
"Content-Type": [
"application/json"
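Review bot: The PATCH body in this scenario sets `hostTags`, `hostTagsLists` and an empty `name` together, and the newly recorded 400 is attributed to the tag fields (`Field 'tags' is invalid: cannot have both the new and the legacy field populated`), so the fixture no longer shows which input the test means to reject. If the intent is the empty-name case, sending only one of the two tag fields in the scenario's request (which is defined outside this cassette) would pin the 400 to a single cause. The error entry also changed from an object with `title` to a plain string, so any assertion or model that reads the first error's `title` should be checked against the new shape.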
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "65009941-1ff9-1bfa-4706-321ef39f0234"
+ "id": "47a96894-a8cc-4185-7aed-a89f2e2b9071"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/pp8-iw5-agt",
+ "path": "/api/v2/remote_config/products/cws/policy/kfz-e8v-7v0",
"keepAlive": false,
"secure": true
},
@@ -82,6 +82,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "f0b05244-2995-2cdc-71ee-d76275cc04bd"
+ "id": "ed70b129-6f53-c096-0e65-11d9cb8cfd01"
}
]
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Not_Found_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Not_Found_response.freeze
new file mode 100644
index 00000000000..99dffd5245e
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Not_Found_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:57.482Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Not_Found_response.json
similarity index 100%
rename from src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_Not_Found_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_Not_Found_response.json
diff --git a/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_OK_response.freeze
new file mode 100644
index 00000000000..777ee4fc3e9
--- /dev/null
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-05-15T14:34:57.719Z
\ No newline at end of file
diff --git a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_OK_response.json
similarity index 66%
rename from src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json
rename to src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_OK_response.json
index 4208a01d615..961f76ef729 100644
--- a/src/test/resources/cassettes/features/v2/Update_a_CSM_Threats_Agent_policy_returns_OK_response.json
+++ b/src/test/resources/cassettes/features/v2/Update_a_Workload_Protection_policy_returns_OK_response.json
@@ -3,7 +3,7 @@
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\"},\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"My agent policy\",\"enabled\":true,\"hostTags\":[\"env:staging\"],\"name\":\"testupdateaworkloadprotectionpolicyreturnsokresponse1747319697\"},\"type\":\"policy\"}}"
},
"headers": {},
"method": "POST",
@@ -12,7 +12,7 @@
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209\",\"policyVersion\":\"1\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708209551,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"qsc-b2c-cxf\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"My agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTags\":[\"env:staging\"],\"monitoringRulesCount\":225,\"name\":\"testupdateaworkloadprotectionpolicyreturnsokresponse1747319697\",\"policyVersion\":\"1\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319697796,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -27,22 +27,22 @@
"timeToLive": {
"unlimited": true
},
- "id": "1fb5c500-dfb9-2425-cd65-56ea5193a93b"
+ "id": "a4592542-132d-2480-4060-ae7fb5005828"
},
{
"httpRequest": {
"body": {
"type": "JSON",
- "json": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"99n-cjh-wuo\",\"type\":\"policy\"}}"
+ "json": "{\"data\":{\"attributes\":{\"description\":\"Updated agent policy\",\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"name\":\"updated_agent_policy\"},\"id\":\"qsc-b2c-cxf\",\"type\":\"policy\"}}"
},
"headers": {},
"method": "PATCH",
- "path": "/api/v2/remote_config/products/cws/policy/99n-cjh-wuo",
+ "path": "/api/v2/remote_config/products/cws/policy/qsc-b2c-cxf",
"keepAlive": false,
"secure": true
},
"httpResponse": {
- "body": "{\"data\":{\"id\":\"99n-cjh-wuo\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000001,\"ruleCount\":226,\"updateDate\":1744708210164,\"updater\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"}}}}",
+ "body": "{\"data\":{\"id\":\"qsc-b2c-cxf\",\"type\":\"policy\",\"attributes\":{\"blockingRulesCount\":0,\"datadogManaged\":false,\"description\":\"Updated agent policy\",\"disabledRulesCount\":1,\"enabled\":true,\"hostTagsLists\":[[\"env:test\"]],\"monitoringRulesCount\":225,\"name\":\"updated_agent_policy\",\"policyVersion\":\"2\",\"priority\":1000000070,\"ruleCount\":226,\"updateDate\":1747319698400,\"updater\":{\"name\":\"frog\",\"handle\":\"frog@datadoghq.com\"}}}}",
"headers": {
"Content-Type": [
"application/json"
@@ -57,13 +57,13 @@
"timeToLive": {
"unlimited": true
},
- "id": "dece4030-3b3e-2573-dca5-4114f43a268e"
+ "id": "1ae40c02-c3ee-0927-d67e-25a25799b0d6"
},
{
"httpRequest": {
"headers": {},
"method": "DELETE",
- "path": "/api/v2/remote_config/products/cws/policy/99n-cjh-wuo",
+ "path": "/api/v2/remote_config/products/cws/policy/qsc-b2c-cxf",
"keepAlive": false,
"secure": true
},
@@ -82,6 +82,6 @@
"timeToLive": {
"unlimited": true
},
- "id": "28e61e7e-d20c-905a-fde7-6eaf56075e7a"
+ "id": "a4de4bbc-9c9c-6556-1568-5494414d154f"
}
]
\ No newline at end of file
diff --git a/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature b/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature
index 53c8bd62e25..180770f74b4 100644
--- a/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature
+++ b/src/test/resources/com/datadog/api/client/v2/api/csm_threats.feature
@@ -1,10 +1,12 @@
@endpoint(csm-threats) @endpoint(csm-threats-v2)
Feature: CSM Threats
- Cloud Security Management Threats (CSM Threats) monitors file, network,
- and process activity across your environment to detect real-time threats
- to your infrastructure. See [Cloud Security Management
- Threats](https://docs.datadoghq.com/security/threats/) for more
- information on setting up CSM Threats.
+ Workload Protection monitors file, network, and process activity across
+ your environment to detect real-time threats to your infrastructure. See
+ [Workload
+ Protection](https://docs.datadoghq.com/security/workload_protection/) for
+ more information on setting up Workload Protection. **Note**: These
+ endpoints are split based on whether you are using the US1-FED site or
+ not. Please reference the specific resource for the site you are using.
Background:
Given a valid "apiKeyAuth" key in the system
@@ -12,28 +14,31 @@ Feature: CSM Threats
And an instance of "CSMThreats" API
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a CSM Threats Agent policy returns "Bad Request" response
- Given new "CreateCSMThreatsAgentPolicy" request
- And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}}
+ Scenario: Create a Workload Protection agent rule (US1-FED) returns "Bad Request" response
+ Given there is a valid "policy_rc" in the system
+ And new "CreateCloudWorkloadSecurityAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}}
When the request is sent
Then the response status is 400 Bad Request
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a CSM Threats Agent policy returns "Conflict" response
- Given new "CreateCSMThreatsAgentPolicy" request
- And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}}
+ Scenario: Create a Workload Protection agent rule (US1-FED) returns "Conflict" response
+ Given there is a valid "policy_rc" in the system
+ And new "CreateCloudWorkloadSecurityAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}}
When the request is sent
Then the response status is 409 Conflict
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a CSM Threats Agent policy returns "OK" response
- Given new "CreateCSMThreatsAgentPolicy" request
- And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy"}, "type": "policy"}}
+ Scenario: Create a Workload Protection agent rule (US1-FED) returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And new "CreateCloudWorkloadSecurityAgentRule" request
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}}
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a CSM Threats Agent rule returns "Bad Request" response
+ Scenario: Create a Workload Protection agent rule returns "Bad Request" response
Given there is a valid "policy_rc" in the system
And new "CreateCSMThreatsAgentRule" request
And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}}
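Review bot: The `@replay-only` and `@skip` tag lines in this hunk are unchanged context, so they now gate different scenarios than before. The three `Create a Workload Protection agent rule (US1-FED)` scenarios pick up `@replay-only`/`@skip`, while the policy scenarios that used to sit under those tags reappear in the `-57,53`, `-113,134` and `-280,36` hunks under tag lines without `@replay-only`. If the swap is intended (presumably because the US1-FED endpoints cannot be reached from the recording org), a comment above the first such scenario would record it, e.g. `# US1-FED variants are replay-only: not reachable from the CI org`. If it is a side effect of re-sorting scenarios by title, the policy scenarios should keep `@replay-only` so they do not start issuing live policy create, update and delete calls. This file appears to be generated from the spec repository, so the fix may belong upstream.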
@@ -41,7 +46,7 @@ Feature: CSM Threats
Then the response status is 400 Bad Request
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a CSM Threats Agent rule returns "Conflict" response
+ Scenario: Create a Workload Protection agent rule returns "Conflict" response
Given there is a valid "policy_rc" in the system
And new "CreateCSMThreatsAgentRule" request
And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}}
@@ -49,7 +54,7 @@ Feature: CSM Threats
Then the response status is 409 Conflict
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a CSM Threats Agent rule returns "OK" response
+ Scenario: Create a Workload Protection agent rule returns "OK" response
Given there is a valid "policy_rc" in the system
And new "CreateCSMThreatsAgentRule" request
And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}}
@@ -57,53 +62,50 @@ Feature: CSM Threats
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a Cloud Workload Security Agent rule returns "Bad Request" response
- Given there is a valid "policy_rc" in the system
- And new "CreateCloudWorkloadSecurityAgentRule" request
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}}
+ Scenario: Create a Workload Protection policy returns "Bad Request" response
+ Given new "CreateCSMThreatsAgentPolicy" request
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}}
When the request is sent
Then the response status is 400 Bad Request
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a Cloud Workload Security Agent rule returns "Conflict" response
- Given there is a valid "policy_rc" in the system
- And new "CreateCloudWorkloadSecurityAgentRule" request
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "my_agent_rule"}, "type": "agent_rule"}}
+ Scenario: Create a Workload Protection policy returns "Conflict" response
+ Given new "CreateCSMThreatsAgentPolicy" request
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}}
When the request is sent
Then the response status is 409 Conflict
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Create a Cloud Workload Security Agent rule returns "OK" response
- Given there is a valid "policy_rc" in the system
- And new "CreateCloudWorkloadSecurityAgentRule" request
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}"}, "type": "agent_rule"}}
+ Scenario: Create a Workload Protection policy returns "OK" response
+ Given new "CreateCSMThreatsAgentPolicy" request
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy"}, "type": "policy"}}
When the request is sent
Then the response status is 200 OK
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Delete a CSM Threats Agent policy returns "Not Found" response
- Given new "DeleteCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter with value "non-existent-policy-id"
+ Scenario: Delete a Workload Protection agent rule (US1-FED) returns "Not Found" response
+ Given new "DeleteCloudWorkloadSecurityAgentRule" request
+ And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
When the request is sent
Then the response status is 404 Not Found
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Delete a CSM Threats Agent policy returns "OK" response
- Given there is a valid "policy_rc" in the system
- And new "DeleteCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter from "policy.data.id"
+ Scenario: Delete a Workload Protection agent rule (US1-FED) returns "OK" response
+ Given there is a valid "agent_rule" in the system
+ And new "DeleteCloudWorkloadSecurityAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
When the request is sent
Then the response status is 204 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Delete a CSM Threats Agent rule returns "Not Found" response
+ Scenario: Delete a Workload Protection agent rule returns "Not Found" response
Given new "DeleteCSMThreatsAgentRule" request
And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
When the request is sent
Then the response status is 404 Not Found
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Delete a CSM Threats Agent rule returns "OK" response
+ Scenario: Delete a Workload Protection agent rule returns "OK" response
Given there is a valid "policy_rc" in the system
And there is a valid "agent_rule_rc" in the system
And new "DeleteCSMThreatsAgentRule" request
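Review bot: `Scenario: Create a Workload Protection policy returns "OK" response` now sits under a tag line without `@replay-only` and still posts the fixed name `my_agent_policy`, unlike the agent-rule "OK" scenario in the preceding hunk, which uses `{{ unique_lower_alnum }}`. Run live, retried or overlapping runs would contend for the same policy name. A missed cleanup would also leave a policy behind, so the next run would likely hit the 409 path instead of exercising create. Consider `"name": "{{ unique_lower_alnum }}"` in that body. The last scenario in this hunk continues past its final line.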
@@ -113,134 +115,134 @@ Feature: CSM Threats
Then the response status is 204 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Delete a Cloud Workload Security Agent rule returns "Not Found" response
- Given new "DeleteCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
+ Scenario: Delete a Workload Protection policy returns "Not Found" response
+ Given new "DeleteCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter with value "non-existent-policy-id"
When the request is sent
Then the response status is 404 Not Found
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Delete a Cloud Workload Security Agent rule returns "OK" response
- Given there is a valid "agent_rule" in the system
- And new "DeleteCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ Scenario: Delete a Workload Protection policy returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And new "DeleteCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
When the request is sent
Then the response status is 204 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get a CSM Threats Agent policy returns "Not Found" response
- Given new "GetCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter with value "non-existent-policy-id"
+ Scenario: Download the Workload Protection policy (US1-FED) returns "OK" response
+ Given new "DownloadCloudWorkloadPolicyFile" request
When the request is sent
- Then the response status is 404 Not Found
+ Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get a CSM Threats Agent policy returns "OK" response
- Given there is a valid "policy_rc" in the system
- And new "GetCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter from "policy.data.id"
+ Scenario: Download the Workload Protection policy returns "OK" response
+ Given new "DownloadCSMThreatsPolicy" request
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get a CSM Threats Agent rule returns "Not Found" response
- Given new "GetCSMThreatsAgentRule" request
+ Scenario: Get a Workload Protection agent rule (US1-FED) returns "Not Found" response
+ Given new "GetCloudWorkloadSecurityAgentRule" request
And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
When the request is sent
Then the response status is 404 Not Found
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get a CSM Threats Agent rule returns "OK" response
- Given there is a valid "policy_rc" in the system
- And there is a valid "agent_rule_rc" in the system
- And new "GetCSMThreatsAgentRule" request
+ Scenario: Get a Workload Protection agent rule (US1-FED) returns "OK" response
+ Given there is a valid "agent_rule" in the system
+ And new "GetCloudWorkloadSecurityAgentRule" request
And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And request contains "policy_id" parameter from "policy.data.id"
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get a Cloud Workload Security Agent rule returns "Not Found" response
- Given new "GetCloudWorkloadSecurityAgentRule" request
+ Scenario: Get a Workload Protection agent rule returns "Not Found" response
+ Given new "GetCSMThreatsAgentRule" request
And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
When the request is sent
Then the response status is 404 Not Found
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get a Cloud Workload Security Agent rule returns "OK" response
- Given there is a valid "agent_rule" in the system
- And new "GetCloudWorkloadSecurityAgentRule" request
+ Scenario: Get a Workload Protection agent rule returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And there is a valid "agent_rule_rc" in the system
+ And new "GetCSMThreatsAgentRule" request
And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And request contains "policy_id" parameter from "policy.data.id"
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get all CSM Threats Agent policies returns "OK" response
- Given new "ListCSMThreatsAgentPolicies" request
+ Scenario: Get a Workload Protection policy returns "Not Found" response
+ Given new "GetCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter with value "non-existent-policy-id"
When the request is sent
- Then the response status is 200 OK
+ Then the response status is 404 Not Found
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get all CSM Threats Agent rules returns "OK" response
- Given new "ListCSMThreatsAgentRules" request
+ Scenario: Get a Workload Protection policy returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And new "GetCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get all Cloud Workload Security Agent rules returns "OK" response
+ Scenario: Get all Workload Protection agent rules (US1-FED) returns "OK" response
Given new "ListCloudWorkloadSecurityAgentRules" request
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get the latest CSM Threats policy returns "OK" response
- Given new "DownloadCSMThreatsPolicy" request
+ Scenario: Get all Workload Protection agent rules returns "OK" response
+ Given new "ListCSMThreatsAgentRules" request
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Get the latest Cloud Workload Security policy returns "OK" response
- Given new "DownloadCloudWorkloadPolicyFile" request
+ Scenario: Get all Workload Protection policies returns "OK" response
+ Given new "ListCSMThreatsAgentPolicies" request
When the request is sent
Then the response status is 200 OK
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent policy returns "Bad Request" response
- Given there is a valid "policy_rc" in the system
- And new "UpdateCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter from "policy.data.id"
- And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": ["env:test"], "hostTagsLists": [["env:test"]], "name": ""}, "id": "{{ policy.data.id }}", "type": "policy"}}
+ Scenario: Update a Workload Protection agent rule (US1-FED) returns "Bad Request" response
+ Given there is a valid "agent_rule" in the system
+ And new "UpdateCloudWorkloadSecurityAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name"}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
When the request is sent
Then the response status is 400 Bad Request
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent policy returns "Concurrent Modification" response
- Given there is a valid "policy_rc" in the system
- And new "UpdateCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter from "policy.data.id"
- And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}}
+ Scenario: Update a Workload Protection agent rule (US1-FED) returns "Concurrent Modification" response
+ Given there is a valid "agent_rule" in the system
+ And new "UpdateCloudWorkloadSecurityAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
When the request is sent
Then the response status is 409 Concurrent Modification
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent policy returns "Not Found" response
- Given new "UpdateCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter with value "non-existent-policy-id"
- And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "non-existent-policy-id", "type": "policy"}}
+ Scenario: Update a Workload Protection agent rule (US1-FED) returns "Not Found" response
+ Given new "UpdateCloudWorkloadSecurityAgentRule" request
+ And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
+ And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "invalid-agent-rule-id", "type": "agent_rule"}}
When the request is sent
- Then the response status is 400 Bad Request
+ Then the response status is 404 Not Found
@replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent policy returns "OK" response
- Given there is a valid "policy_rc" in the system
- And new "UpdateCSMThreatsAgentPolicy" request
- And request contains "policy_id" parameter from "policy.data.id"
- And body with value {"data": {"attributes": {"description": "Updated agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "updated_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}}
+ Scenario: Update a Workload Protection agent rule (US1-FED) returns "OK" response
+ Given there is a valid "agent_rule" in the system
+ And new "UpdateCloudWorkloadSecurityAgentRule" request
+ And request contains "agent_rule_id" parameter from "agent_rule.data.id"
+ And body with value {"data": {"attributes": {"description": "Updated Agent rule", "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
When the request is sent
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent rule returns "Bad Request" response
+ Scenario: Update a Workload Protection agent rule returns "Bad Request" response
Given there is a valid "policy_rc" in the system
And there is a valid "agent_rule_rc" in the system
And new "UpdateCSMThreatsAgentRule" request
@@ -250,7 +252,7 @@ Feature: CSM Threats
Then the response status is 400 Bad Request
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent rule returns "Concurrent Modification" response
+ Scenario: Update a Workload Protection agent rule returns "Concurrent Modification" response
Given there is a valid "agent_rule_rc" in the system
And there is a valid "policy_rc" in the system
And new "UpdateCSMThreatsAgentRule" request
@@ -260,7 +262,7 @@ Feature: CSM Threats
Then the response status is 409 Concurrent Modification
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent rule returns "Not Found" response
+ Scenario: Update a Workload Protection agent rule returns "Not Found" response
Given there is a valid "policy_rc" in the system
And new "UpdateCSMThreatsAgentRule" request
And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
@@ -269,7 +271,7 @@ Feature: CSM Threats
Then the response status is 404 Not Found
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a CSM Threats Agent rule returns "OK" response
+ Scenario: Update a Workload Protection agent rule returns "OK" response
Given there is a valid "policy_rc" in the system
And there is a valid "agent_rule_rc" in the system
And new "UpdateCSMThreatsAgentRule" request
@@ -280,36 +282,36 @@ Feature: CSM Threats
Then the response status is 200 OK
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a Cloud Workload Security Agent rule returns "Bad Request" response
- Given there is a valid "agent_rule" in the system
- And new "UpdateCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name"}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
+ Scenario: Update a Workload Protection policy returns "Bad Request" response
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": ["env:test"], "hostTagsLists": [["env:test"]], "name": ""}, "id": "{{ policy.data.id }}", "type": "policy"}}
When the request is sent
Then the response status is 400 Bad Request
@skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a Cloud Workload Security Agent rule returns "Concurrent Modification" response
- Given there is a valid "agent_rule" in the system
- And new "UpdateCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
+ Scenario: Update a Workload Protection policy returns "Concurrent Modification" response
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}}
When the request is sent
Then the response status is 409 Concurrent Modification
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a Cloud Workload Security Agent rule returns "Not Found" response
- Given new "UpdateCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
- And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\""}, "id": "invalid-agent-rule-id", "type": "agent_rule"}}
+ Scenario: Update a Workload Protection policy returns "Not Found" response
+ Given new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter with value "non-existent-policy-id"
+ And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "id": "non-existent-policy-id", "type": "policy"}}
When the request is sent
- Then the response status is 404 Not Found
+ Then the response status is 400 Bad Request
@team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
- Scenario: Update a Cloud Workload Security Agent rule returns "OK" response
- Given there is a valid "agent_rule" in the system
- And new "UpdateCloudWorkloadSecurityAgentRule" request
- And request contains "agent_rule_id" parameter from "agent_rule.data.id"
- And body with value {"data": {"attributes": {"description": "Updated Agent rule", "expression": "exec.file.name == \"sh\""}, "id": "{{ agent_rule.data.id }}", "type": "agent_rule"}}
+ Scenario: Update a Workload Protection policy returns "OK" response
+ Given there is a valid "policy_rc" in the system
+ And new "UpdateCSMThreatsAgentPolicy" request
+ And request contains "policy_id" parameter from "policy.data.id"
+ And body with value {"data": {"attributes": {"description": "Updated agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "updated_agent_policy"}, "id": "{{ policy.data.id }}", "type": "policy"}}
When the request is sent
Then the response status is 200 OK
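Review bot: `Scenario: Update a Workload Protection policy returns "Not Found" response` asserts `Then the response status is 400 Bad Request`, so the title and the expectation disagree. The commit carries this over from the old CSM Threats Agent policy scenario and also moves it out from under a `@replay-only` tag line. If the API really answers 400 for an unknown `policy_id`, say so with a comment such as `# the API rejects unknown policy ids with 400, not 404`. Otherwise the step should read `Then the response status is 404 Not Found`. The matching cassette was renamed at 100% similarity, so the recorded status is whatever the old recording held.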
.policy file. This file
+ * can then be deployed to your agents to update the policy running in your environment.
+ *
+ * .policy file. This file can then be
- * deployed to your Agents to update the policy running in your environment.
+ * The download endpoint generates a Workload Protection policy file from your currently active
+ * Workload Protection agent rules, and downloads them as a .policy file. This file
+ * can then be deployed to your agents to update the policy running in your environment.
+ *
+ *