Behavioral Analytics Changelog

Behavioral Analytics run on a different engine from Falco-based policies. Instead of triggering at single incidents, Behavioral Analytics detects both suspicious sequences of actions and unusual frequencies of activities across various services. This improves detection of sophisticated threats, such as privilege escalation attempts and reconnaissance activities. Here are the most recent changes to Behavioral Analytics.

Commit Date

Rule Notes

Version

November 14, 2024

Rule Changes

  • Improved the Suspicious Actions after IAM Enumeration condition.

stateful-1.1.1

November 05, 2024

Rule Changes

  • Added the High number of GetPasswordData API callsrule.

Default Policy Changes

  • Added the High number of GetPasswordData API callsrule.

stateful-1.1.0

October 15, 2024

Rule Changes

  • Reduced false positives for enumeration rules.

stateful-1.0.2

October 05, 2024

Rule Changes

  • Removed false positives for multiple Behavioral Analytics rules.

stateful-1.0.1

October 02, 2024

Rule Changes

Added the following rules:

  • Suspicious SES Activity Detected

  • Service Enumeration Detected

  • Suspicious Privileged User Created

  • Suspicious Fargate Cluster Created

  • IAM Enumeration Detected

  • WAF Enumeration Detected

  • S3 Storage Enumeration Detected

  • Lambda Enumeration Detected

  • CloudFormation Enumeration Detected

  • Suspicious User with Static Password Created

  • Suspicious Actions After IAM Policy Enumeration Detected

  • Environment Variable Enumeration Detected

  • Endpoint Enumeration Detected

  • Network Enumeration Detected

  • Workload Enumeration Detected

  • Suspicious Simulate Principal Policy Detected

  • Resource Permissions Enumeration Detected

stateful-1.0.0

September 30, 2024

The first release of Behavioral Analytics.

    1.0.0