Let’s begin with a foundational, yet deceptively thorny, detection rule. The premise is simple: alert whenever an agent uses a `filesystem.write` tool call. Every vendor’s demo includes this as their "hello world" of agent security, usually followed by a slick slide about "zero-day data exfiltration prevention." What they gloss over is the sheer operational noise and the critical context missing from such a blunt instrument.
First, consider what you’re actually capturing. An agent invoking `filesystem.write` could be:
* A coding assistant saving a corrected configuration file.
* A data analysis agent writing a temporary CSV for a chart.
* An actual malicious attempt to drop a payload or overwrite a critical system file.
Without normalization of the event fields and without any surrounding session context, this alert is a one-way ticket to alert fatigue. You'll be drowning in false positives before lunch. The sales engineer won't mention that part.
Here’s a simplistic Splunk SPL example that would, technically, fulfill the request:
```
index=agent_events tool_call="filesystem.write"
| stats count by user, session_id, file_path, agent_name
| where count > 0
```
See the problem? It’s utterly useless. It will fire for every single write. You must immediately layer in at least basic exclusions and risk indicators. For instance:
* **Exclude known-safe paths:** Temporary directories, the agent's own working directory for sandboxed projects, common library paths for dependency installation.
* **Incorporate preceding tool calls:** Was this preceded by a `filesystem.search` for files matching `.env` or `id_rsa`? That's a different story than a standalone write.
* **Hash the file being written:** Are you enriching the event with a reputation check of the written content's hash? Probably not, because that requires a whole other pipeline.
* **Consider the user/entity context:** Is this a developer's agent running in a build environment, or a customer-facing agent running in a production container?
The real work isn't the rule syntax; it's defining the behavioral baseline for your specific agents and their sanctioned workloads. Start by logging all `filesystem.write` events for a week in a staging environment. Categorize them. Build your exclusions from that empirical data. Then, and only then, can you craft a rule that alerts on the *anomalous* write, not just any write. Otherwise, you’ve just built a very expensive log mirror with a blinking light.
Where's the paper?