Behavioral Analytics Changelog

Behavioral Analytics run on a different engine from Falco-based policies. Instead of triggering at single incidents, Behavioral Analytics detects both suspicious sequences of actions and unusual frequencies of activities across various services. This improves detection of sophisticated threats, such as privilege escalation attempts and reconnaissance activities. Here are the most recent changes to Behavioral Analytics.

Commit Date	Rule Notes	Version
February 18, 2025	Rule Changes Added the following rules: `Access Key Enumeration Detected` `API Gateway Enumeration Detected` Improved condition for Suspicious Simulate Principal Policy Detected Default Policy Changes Added the following rules: `Access Key Enumeration Detected` `API Gateway Enumeration Detected` Changed Managed Policy `Simulate Principal Policy Detected`	stateful-1.6.0
February 13, 2025	Rule Changes Added exceptions to stateful rules	stateful-1.5.1
February 11, 2025	Rule Changes Added the following rules: `Suspicious Files Deletion Activity on S3 Bucket Detected` `High Number of Bedrock Model Invocations` `Organization Enumeration Detected` `Backup Enumeration Detected` `IAM User Created Without Password Reset Enforcement` Improved condition for the following rules: `S3 Storage Enumeration Detected` `Suspicious SSM Parameters Retrieval Detected` `IAM Enumeration Detected` `Workload Enumeration Detected` `High number of DescribeInstanceAttribute API calls for userData` `Suspicious Secrets Retrieval from AWS Secrets Manager Detected` Default Policy Changes Added Managed Policy `Sysdig AWS Behavioral Analytics Notable Events` Added the following rules: `Suspicious Files Deletion Activity on S3 Bucket Detected` `High Number of Bedrock Model Invocations` `Organization Enumeration Detected` `Backup Enumeration Detected` `IAM User Created Without Password Reset Enforcement`	stateful-1.5.0
February 04, 2025	Rule Changes Improved condition for `Suspicious SES Activity Detected` rule Added the following rules: `Suspicious Secrets Retrieval from AWS Secrets Manager Detected` `Suspicious Files Encryption Activity on S3 Bucket Detected` `Suspicious SSM Parameters Retrieval Detected` `High number of DescribeInstanceAttribute API calls for userData` `Execute Commands on EC2 Instance using User Data` Default Policy Changes Added the following rules: `Suspicious Secrets Retrieval from AWS Secrets Manager Detected` `Suspicious Files Encryption Activity on S3 Bucket Detected` `Suspicious SSM Parameters Retrieval Detected` `High number of DescribeInstanceAttribute API calls for userData` `Execute Commands on EC2 Instance using User Data`	stateful-1.4.0
January 28, 2025	Rule Changes Added the following rules: `Suspicious IAM Roles Anywhere Trust Anchor Created` `Bedrock Enable and Invoke Model Detected` `SSM Shell Command Execution Detected` Improved condition for the following rules: `Endpoint Enumeration Detected` `Suspicious Actions After IAM Policy Enumeration Detected` `Service Enumeration Detected` `Network Enumeration Detected` `CloudFormation Enumeration Detected` Default Policy Changes Added the following rules: `Suspicious IAM Roles Anywhere Trust Anchor Created` `Bedrock Enable and Invoke Model Detected` `SSM Shell Command Execution Detected`	stateful-1.3.0
January 28, 2025	Rule Changes Added the following rules: `Suspicious IAM Roles Anywhere Trust Anchor Creation Detected` `Bedrock Enable and Invoke Model Detected` `SSM Shell Command Execution Detected` Improved condition for the following rules: `Endpoint Enumeration Detected` `Suspicious Actions After IAM Policy Enumeration Detected` `Service Enumeration Detected` `Network Enumeration Detected` Improved condition `CloudFormation Enumeration Detected` Default Policy Changes Added the following rules: `Suspicious IAM Roles Anywhere Trust Anchor Created` `Bedrock Enable and Invoke Model Detected` `SSM Shell Command Execution Detected`	stateful-1.3.0
January 15, 2025	Rule Changes Improved condition for `Suspicious Fargate Cluster Created`. Reduced false positives for `CloudFormation Enumeration Detected`.	stateful-1.2.0
November 26, 2024	Rule Changes Minor Reduce False Positives changes	stateful-1.1.2
November 14, 2024	Rule Changes Improved the `Suspicious Actions after IAM Enumeration` condition.	stateful-1.1.1
November 05, 2024	Rule Changes Added the `High number of GetPasswordData API calls`rule. Default Policy Changes Added the `High number of GetPasswordData API calls`rule.	stateful-1.1.0
October 15, 2024	Rule Changes Reduced false positives for enumeration rules.	stateful-1.0.2
October 05, 2024	Rule Changes Removed false positives for multiple Behavioral Analytics rules.	stateful-1.0.1
October 02, 2024	Rule Changes Added the following rules: `Suspicious SES Activity Detected` `Service Enumeration Detected` `Suspicious Privileged User Created` `Suspicious Fargate Cluster Created` `IAM Enumeration Detected` `WAF Enumeration Detected` `S3 Storage Enumeration Detected` `Lambda Enumeration Detected` `CloudFormation Enumeration Detected` `Suspicious User with Static Password Created` `Suspicious Actions After IAM Policy Enumeration Detected` `Environment Variable Enumeration Detected` `Endpoint Enumeration Detected` `Network Enumeration Detected` `Workload Enumeration Detected` `Suspicious Simulate Principal Policy Detected` `Resource Permissions Enumeration Detected`	stateful-1.0.0
September 30, 2024	The first release of Behavioral Analytics.	1.0.0

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.