November 15, 2024 | Default Policy Changes | 0.179.2 |
November 14, 2024 | Default Policy Changes | 0.179.1 |
November 12, 2024 | Rule Changes: Reduced false positives for the following: Updated Indicators of Compromise (IoCs) rulesets with new findings. 0.179 Cloud Rules: Improved condition for the Backdoored library loaded into SSHD (CVE-2024-3094) rule. Added the following rules: DNS Lookup for Tunneling Service Domain Detected; Run PowerShell Script in a VM via Desired State Configuration Extension; Run PowerShell Script in a VM via Custom Script Extension; Azure Delete Diagnostic Settings for Subscription; Entra Add External User as Member; Entra Add External User; Entra Remove Service Principal; DNS Lookup for Offensive Security Tool Domain Detected. Default Policy Changes: 0.179 Cloud Rules: Added rule DNS Lookup for Tunneling Service Domain Detected. Updated policy for Azure rules. Added the following rules: Run PowerShell Script in a VM via Desired State Configuration Extension; Run PowerShell Script in a VM via Custom Script Extension; Azure Delete Diagnostic Settings for Subscription; Entra Add External User as Member; Entra Add External User; Entra Remove Service Principal; DNS Lookup for Offensive Security Tool Domain Detected. | 0.179.0 |
November 11, 2024 | Rule Changes | 0.178.5 |
November 08, 2024 | Rule Changes | 0.178.4 |
November 07, 2024 | Rule Changes | 0.178.3 |
November 06, 2024 | Rule Changes | 0.178.2 |
November 05, 2024 | Rule Changes | 0.178.1 |
November 05, 2024 | Rule Changes: Added the following rules: Run Several XLarge EC2 Instances; Set 1-day Retention Policy on Bucket; Update Lambda Function Layers; Azure VM Reset Local Administrator Password; DNS Lookup for Remote Access Domain Detected. Improved conditions for the following rules: Program run with disallowed http proxy env; Delete or rename shell history; LD_PRELOAD Library Injection. Improved the following lists: sensitive_file_names; code_compilers. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following: Default Policy Changes: Added the following rules: DNS Lookup for Remote Access Domain Detected; Run Several XLarge EC2 Instances; Set 1-day Retention Policy on Bucket; Update Lambda Function Layers; Azure VM Reset Local Administrator Password. Improved condition for the Program run with disallowed http proxy env rule. Updated policy for the Update Lambda Function Code rule. | 0.178.0 |
November 04, 2024 | Rule Changes | 0.177.3 |
October 31, 2024 | Rule Changes | 0.177.2 |
October 29, 2024 | Rule Changes | 0.177.1 |
October 29, 2024 | Rule Changes: Improved condition for the DNS Lookup for Uncommon TLD Domain Detected rule. Improved the suspicious_domains_contains macro. Added the following rules: LD_PRELOAD Library Injection; EKS Pod Attach Policy to User; EKS Pod Create Access Key for User; EKS Pod Create User. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following: Download and launch remote file copy tools in container; eBPF Program Loaded into Kernel; proc_exepath_exists macro. Default Policy Changes | 0.177.0 |
October 28, 2024 | Rule Changes | 0.176.3 |
October 25, 2024 | Rule Changes | 0.176.2 |
October 24, 2024 | Rule Changes | 0.176.1 |
October 22, 2024 | Rule Changes: Improved condition for the Hexadecimal string detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Clear Windows Event Log; eBPF Program Loaded into Kernel; DNS Lookup for Uncommon TLD Domain Detected; Change memory swap options; Find GCP Credentials. Updated policy for the DNS Rogue Server Detected rule. Improved condition for the DNS Lookup for Suspicious Domain Detected rule. Default Policy Changes | 0.176.0 |
October 21, 2024 | Rule Changes: Reduced false positives for the following rules: Clear Log Activities; PTRACE attached to process; Contact Azure Instance Metadata Service from Host; Modification of pam.d detected; Find GCP Credentials. Improved output for the Change memory swap options rule. Improved tags for the Kill known malicious process rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. | 0.175.4 |
October 18, 2024 | Rule Changes | 0.175.3 |
October 17, 2024 | Rule Changes | 0.175.2 |
October 16, 2024 | Rule Changes: Reduced false positives for the eBPF Program Loaded into Kernel rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Attach Full Access or Administrative Policy. | 0.175.1 |
October 15, 2024 | Rule Changes: Improved condition for the Clear Windows Event Log rule. Improved the output for Create IAM Policy that Allows All. Added the Attach Full Access or Administrative Policy rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Write below etc; Ransomware Filenames Detected; Execution from /tmp; PTRACE anti-debug attempt; Modification of pam.d detected; Dump memory for credentials; Find GCP Credentials; Suspicious RC Script Modification; Modify ld.so.preload; Find AWS Credentials. Default Policy Changes | 0.175.0 |
October 10, 2024 | Rule Changes: Reduced false positives for the following rules: DNS Lookup for Reconnaissance Service Detected; eBPF Program Loaded into Kernel; Potential IRC connection detected; PTRACE attached to process; DNS Fast Flux Activity Detected; Interactive Reconnaissance Activity Detected; Reverse Shell Detected; DNS Lookup for C2 Domain Detected. Improved output for Workload rules. Updated Indicators of Compromise (IoCs) rulesets with new findings. | 0.174.2 |
October 09, 2024 | Rule Changes: Improved output for the GCP Create Route rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for Openshift - Workload. | 0.174.1 |
October 08, 2024 | Rule Changes: Added the following rules: Updated policy for the Interactive Reconnaissance Activity Detected rule. Improved condition for the following rules: Delete or rename shell history; Junk Data Padding Detected; Escape to host via command injection in process. Improved output for the Outbound Connection to C2 Servers rule. Reduced false positives for the following rules: Modification of pam.d detected; Kernel startup modules changed; Suspicious RC Script Modification; Find GCP Credentials; Change thread namespace; Dump memory for credentials. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.174.0 |
October 04, 2024 | Rule Changes | 0.173.1 |
October 03, 2024 | Rule Changes: Added the following rules: Reduced false positives for the Modify ld.so.preload rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes: Added the following rules: | 0.173.0 |
October 02, 2024 | Rule Changes: Reduced false positives for the following rules: Dump memory for credentials; Create Symlink Over Sensitive Files; Suspicious RC Script Modification; Interactive Reconnaissance Activity Detected; Clear Log Activities; Kernel Module Loaded by Unexpected Program; PTRACE anti-debug attempt; Suspicious Access To Kerberos Secrets. Standardised all AWS rules output. Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.172.1 |
October 01, 2024 | Rule Changes: Added the following rules: DNS Fast Flux Activity Detected; AWS SSM Agent Activity using StartSession; AWS SSM Agent Activity Using SendCommand RunShellScript or RunPowerShellScript; DNS Rogue Server Detected. Improved condition for the following rules: Possible SSH Hijacking Attempt Detected; Active Directory Connection Detected; Shared Libraries Reconnaissance Activity Detected. Reduced false positives for the following rules: Escape to host via command injection in process; Modification of pam.d detected; Possible Backdoor using BPF; Suspicious RC Script Modification. Updated policy for the Possible Backdoor using BPF and Shell Spawned with Inline Python Command rules. Improved output for the GCP Sensitive Role Added to User rule. Updated Indicators of Compromise rulesets with new findings. Default Policy Changes | 0.172.0 |
September 30, 2024 | Rule Changes: Reduced false positives for the following rules: Malicious filenames written; Possible Backdoor using BPF; Find GCP Credentials; eBPF Program Loaded into Kernel; Reverse Shell Detected. Reduced false positives for Openshift Workload. Improved tags for Workload rules. Updated Indicators of Compromise (IoC) rulesets with new findings. Improved output for the Suspicious RC Script Modification rule. Default Policy Changes | 0.171.1 |
September 29, 2024 | Rule Changes Default Policy Changes | 0.171.0 |
September 26, 2024 | Rule Changes | 0.170.3 |
September 25, 2024 | Rule Changes Default Policy Changes | 0.170.1 |
September 24, 2024 | What's Changed. Rule Changes: Added the following rules: Shell Spawned with Inline Python Command; System Capabilities Configuration Updated; EC2 Instance Attach Policy to User; EC2 Instance Create Access Key for User; Attach Administrator Policy to Role; Attach Administrator Policy to Group; Get Account Authorization Details. Improved conditions for the following rules: Suspicious Kernel Parameter Modification; Modify Timestamp attribute in File; Modification of pam.d detected. Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: Create Hardlink Over Sensitive Files; Suspicious Process Loading Vault DLL; Mount Launched in Privileged Container; eBPF Program Loaded into Kernel; Junk Data Padding Detected; Read sensitive file untrusted. Added exceptions to GCP rules. Default Policy Changes: Added the following rules: Shell Spawned with Inline Python Command; System Capabilities Configuration Updated; EC2 Instance Attach Policy to User; EC2 Instance Create Access Key for User; Attach Administrator Policy to Role; Attach Administrator Policy to Group; Get Account Authorization Details. Updated policy for the DNS Lookup for Reconnaissance Service Detected rule. Updated policy for the Junk Data Padding Detected rule. | 0.170.0 |
September 20, 2024 | Rule Changes | 0.169.5 |
September 19, 2024 | Rule Changes: Updated Indicators of Compromise rulesets with new findings. Reduced false positives for the following rules: Suspicious RC Script Modification; Junk Data Padding Detected; Possible Backdoor using BPF; DNS Lookup for Suspicious Domain Detected; Kernel startup modules changed; PTRACE anti-debug attempt; DNS Lookup for Dynamic DNS Domain Detected; Suspicious Domain Contacted. Improved output for the Tampering with Security Software on Host rule. Improved description for the DNS Tunneling Activity Detected rule. Default Policy Changes: Updated policy for the following rules: | 0.169.4 |
September 18, 2024 | Rule Changes: Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: Kernel startup modules changed; Delete or rename shell history; Reverse Shell Detected; DNS Lookup for Dynamic DNS Domain Detected; Junk Data Padding Detected; Suspicious RC Script Modification; Launch Ingress Remote File Copy Tools in Container; Read ssh information. Improved tags for the DNS Lookup for Suspicious Domain Detected rule. | 0.169.2 |
September 18, 2024 | Rule Changes | 0.169.1 |
September 17, 2024 | Rule Changes: Updated Indicators of Compromise (IoC) rulesets with new findings. Added the following rules: Reverse Shell Detected; DNS Lookup for Reconnaissance Service Detected; DNS Lookup for Dynamic DNS Domain Detected; DNS Tunneling Activity Detected; Junk Data Padding Detected. Reduced false positives for the following rules: eBPF Program Loaded into Kernel; Write below root; Possible Backdoor using BPF; Kernel Module Loaded by Unexpected Program. Default Policy Changes | 0.169.0 |
September 16, 2024 | Rule Changes: Updated Indicators of Compromise (IoC) rulesets with new findings. Improved tags for the Kubernetes rules. Reduced false positives for the following rules: Write below root; Dump memory for credentials; DNS Lookup for Uncommon TLD Domain Detected; DNS Lookup for Suspicious Domain Detected. | 0.168.4 |
September 13, 2024 | Rule Changes | 0.168.3 |
September 12, 2024 | Rule Changes | 0.168.2 |
September 11, 2024 | Rule Changes | 0.168.1 |
September 10, 2024 | Rule Changes: Added the Modification of Udev Rules Detected rule. Improved conditions for the following rules: Added eventSource to AWS rules - part 3. Improved tags for Github rules. Improved MITRE tags - subtechniques. Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: Fileless Malware Detected; DNS Lookup for Uncommon TLD Domain Detected; Modification of pam.d detected; Mount Launched in Privileged Container; Dump memory for credentials; eBPF Program Loaded into Kernel. Default Policy Changes | 0.168.0 |
September 09, 2024 | Rule Changes: Updated Indicators of Compromise rulesets with new findings. Reduced false positives for the following rules: eBPF Program Loaded into Kernel; DNS Lookup for Uncommon TLD Domain Detected; Kernel startup modules changed; Dump memory for credentials. Improved output for Outbound rules. | 0.167.4 |
September 06, 2024 | Rule Changes Default Policy Changes | 0.167.3 |
September 05, 2024 | Rule Changes | 0.167.2 |
September 03, 2024 | Rule Changes: Added the following rules: Process memory injection via process_vm_writev; DNS Lookup for Uncommon TLD Domain Detected; Cgroup Filesystem Mounted in Container. Added eventSource to AWS rules. Updated Indicators of Compromise rulesets with new findings. Standardized output across Workload rules. Reduced false positives for the following rules: Kernel startup modules changed; Modification of pam.d detected; Launch Ingress Remote File Copy Tools in Container; Suspicious Process Loading Vault DLL. Default Policy Changes | 0.167.0 |
August 30, 2024 | Rule Changes | 0.166.5 |
August 29, 2024 | Rule Changes | 0.166.4 |
August 29, 2024 | Rule Changes | 0.166.3 |
August 28, 2024 | Rule Changes | 0.166.2 |
August 28, 2024 | Rule Changes | 0.166.1 |
August 27, 2024 | Rule Changes: Added the following rules: DNS Lookup for C2 Domain Detected; DNS Lookup for Miner Pool Domain Detected; Ingress NGINX Annotation Validation Potential Bypass. Reduced false positives for the following rules: ibm_trusted_images macro; Mount Launched in Privileged Container; Modification of pam.d detected; Dump memory for credentials; Modify ld.so.preload; DNS Lookup for IPFS Domain Detected; Launch Suspicious Network Tool in Container; Launch Ingress Remote File Copy Tools in Container; Create Symlink Over Sensitive Files. Improved condition for Data Split Activity Detected. Added eventSource to AWS rules. Updated the tags for the following: Improved output for the following: Updated Indicators of Compromise rulesets with new findings. Default Policy Changes | 0.166.0 |
August 26, 2024 | Rule Changes | 0.165.1 |
August 20, 2024 | Rule Changes: Added the following rules: DNS Lookup for Suspicious Domain Detected; DNS Lookup for IPFS Domain Detected; DNS Lookup for Proxy/VPN Domain Detected. Updated Indicators of Compromise rulesets with new findings. Reduced false positives for the following rules: Encoded Powershell Execution; Clear Windows Event Log; Fileless Malware Detected; Reconnaissance attempt to find SUID binaries; Suspicious RC Script Modification; PTRACE anti-debug attempt. Policy Changes: Added the following rules: DNS Lookup for Suspicious Domain Detected; DNS Lookup for IPFS Domain Detected; DNS Lookup for Proxy/VPN Domain Detected. | 0.165.0 |
August 13, 2024 | Rule Changes: Reduced false positives for the following rules: Launch Sensitive Mount Container; Launch Package Management Process in Container; Create Symlink Over Sensitive Files; Launch Suspicious Network Tool in Container; Mount Launched in Privileged Container; Launch Root User Container. Updated Indicators of Compromise rulesets with new findings. Improved condition for the Dump memory for credentials rule. Added the following rules: GuardDuty High Severity Finding on Container; GuardDuty High Severity Finding on EC2; GuardDuty High Severity Finding on ECS; GuardDuty High Severity Finding on EKS; GuardDuty High Severity Finding on IAM; GuardDuty High Severity Finding on Lambda; GuardDuty High Severity Finding on RDS; GuardDuty High Severity Finding on S3; GuardDuty Medium Severity Finding on Container; GuardDuty Medium Severity Finding on EC2; GuardDuty Medium Severity Finding on ECS; GuardDuty Medium Severity Finding on EKS; GuardDuty Medium Severity Finding on IAM; GuardDuty Medium Severity Finding on Lambda; GuardDuty Medium Severity Finding on RDS; GuardDuty Medium Severity Finding on S3; GuardDuty Low Severity Finding on Container; GuardDuty Low Severity Finding on EC2; GuardDuty Low Severity Finding on ECS; GuardDuty Low Severity Finding on EKS; GuardDuty Low Severity Finding on IAM; GuardDuty Low Severity Finding on Lambda; GuardDuty Low Severity Finding on RDS; GuardDuty Low Severity Finding on S3. Policy Changes | 0.164.0 |
August 06, 2024 | Rule Changes: Updated Indicators of Compromise rulesets with new findings. Reduced false positives for the following rules: Write below rpm database; Malicious IPs or domains detected on command line; Read sensitive file untrusted; Kernel startup modules changed. Added the following rules: Default Policy Changes: Added the following rules: | 0.163.0 |
August 05, 2024 | Rule Changes | 0.162.4 |
August 02, 2024 | Rule Changes: Reduced false positives for the following rules: eBPF Program Loaded into Kernel; Dump Cached Domain Credentials; Kernel Module Loaded by Unexpected Program; sysdig_commercial_images. Reduced false positives for the sysdig_images_endswith macro. Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.162.3 |
August 01, 2024 | Rule Changes | 0.162.2 |
July 31, 2024 | Rule Changes | 0.162.1 |
July 30, 2024 | Rule Changes: Added the following rules: Share EBS Snapshot With Foreign Account; Start EC2 Instances; EC2 Modify Instance Attribute; Share AMI With Foreign Account. Added macro busybox_network_tools. Improved condition for the EC2 Add User Data rule. Improved priority tags for Sysdig Runtime Notable Events. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.162.0 |
July 29, 2024 | Rule Changes | 0.161.5 |
July 26, 2024 | Rule Changes: Reduced false positives for the following rules: Write below etc; eBPF Program Loaded into Kernel; Kernel Module Loaded by Unexpected Program; Contact GCP Instance Metadata Service from Host; azure_trusted_images_launch_root_list. Improved output for the Create AWS user rule. Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.161.4 |
July 24, 2024 | Rule Changes | 0.161.2 |
July 23, 2024 | Rule Changes | 0.161.1 |
July 23, 2024 | Rule Changes: Reduced false positives for the following rules: Possible Backdoor using BPF; Modification of pam.d detected; Kernel startup modules changed; Potential Application Shimming. Added the IP Forward Configuration Modification rule. Improved macro network_tool_procs. Improved conditions for the following rules: Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes: Improved condition for the PTRACE attached to process rule. Added the IP Forward Configuration Modification rule. Updated policies for the following rules: Contact EC2 Instance Metadata Service From Container; Contact GCP Instance Metadata Service from Host; Contact Task Metadata Endpoint; Contact Azure Instance Metadata Service from Host. | 0.161.0 |
July 17, 2024 | Rule Changes: Reduced false positives for the following rules: Suspicious Access To Kerberos Secrets; Launch Suspicious Network Tool on Host; Non sudo setuid; Possible Backdoor using BPF. Improved tags for the Dump memory for credentials rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Marked T1555.002 as not coverable (out of scope). | 0.160.1 |
July 16, 2024 | Rule Changes: Reduced false positives for the following rules: Launch Code Compiler Tool on Host; Create Symlink Over Sensitive Files; Non sudo setuid; Change thread namespace; Read ssh information; Kernel startup modules changed. Added the following rules: Improved condition for the Delete or rename shell history rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.160.0 |
July 10, 2024 | Rule Changes: Improved tags for the Enable Windows Remote Management rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: | 0.159.1 |
July 09, 2024 | Rule Changes: Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Container; eBPF Program Loaded into Kernel; PTRACE attached to process; Mount on Container Path Detected; Suspicious RC Script Modification; Create Hardlink Over Sensitive Files; Write below root; Possible Backdoor using BPF; Potential Application Shimming. Improved condition for the Delete or rename shell history and nsenter Container Escape rules. Improved list container_entrypoints. Updated Indicators of Compromise rulesets with new findings. | 0.159.0 |
July 05, 2024 | Rule Changes | 0.158.1 |
July 02, 2024 | Rule Changes: Reduced false positives for the following rules: Improved conditions for the following rules: Added the following rules: Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.158.0 |
June 26, 2024 | Rule Changes | 0.157.2 |
June 26, 2024 | Rule Changes: Reduced false positives for the following rules: Malicious IPs or domains detected on command line; Suspicious RC Script Modification; eBPF Program Loaded into Kernel; Kernel startup modules changed; Run shell untrusted; System procs network activity; Write below monitored dir. Improved tags for the Gsutil cp used to copy files from/to GCP buckets rule. Updated Indicators of Compromise rulesets with new findings. | 0.157.1 |
June 25, 2024 | Rule Changes: Reduced false positives for the following rules: Non sudo setuid; Connection to IPFS Network Detected; Kernel startup modules changed; System procs network activity; Contact Azure Instance Metadata Service from Host; Change thread namespace. Added the Mailbox Data Modification rule. Improved condition for the GCP Sensitive Role Added to User rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.157.0 |
June 21, 2024 | Rule Changes | 0.156.2 |
June 20, 2024 | Rule Changes | 0.156.1 |
June 19, 2024 | Rule Changes: Improved conditions for the following rules: Added the following rules: Fixed list rfc_1918_addresses. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.156.0 |
June 14, 2024 | Rule Changes: Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Host; Set Setuid or Setgid bit; PTRACE anti-debug attempt; eBPF Program Loaded into Kernel. Improved output for the Change thread namespace rule. Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.155.3 |
June 13, 2024 | Rule Changes | 0.155.2 |
June 12, 2024 | Rule Changes | 0.155.1 |
June 11, 2024 | Rule Changes: Reduced false positives for the following rules: Possible Backdoor using BPF; nsenter Container Escape; Kernel startup modules changed; Mount on Container Path Detected; Non sudo setuid; System procs network activity; Write below etc. Improved conditions for the following rules: Clear Log Activities; Archive or Compression Activity Detected; Dump memory for credentials; Delete or rename shell history; Suspicious RC Script Modification. Improved macro sensitive_vol_mount. Updated Indicators of Compromise (IoC) rulesets with new findings. Default Policy Changes | 0.155.0 |
June 10, 2024 | Rule Changes | 0.154.4 |
June 07, 2024 | Rule Changes | 0.154.3 |
June 06, 2024 | Rule Changes: Improved output for the Connection to IPFS Network Detected rule. Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.154.2 |
June 05, 2024 | Rule Changes | 0.154.1 |
June 04, 2024 | Rule Changes | 0.154.0 |
June 03, 2024 | Rule Changes | 0.153.5 |
May 31, 2024 | Rule Changes | 0.153.4 |
May 30, 2024 | Rule Changes | 0.153.3 |
May 29, 2024 | Rule Changes | 0.153.2 |
May 28, 2024 | Rule Changes: Reduced false positives for the Archive or Compression Activity Detected and Delete or rename shell history rules. | 0.153.1 |
May 28, 2024 | Rule Changes: Reduced false positives for the following rules: Updated Indicators of Compromise rulesets with new findings. Added the following rules: Leading or Trailing Space Detected in Filename; Archive or Compression Activity Detected; Connection with Suspicious User Agent Detected. Improved condition for the following rules: Launch Suspicious Network Tool in Container; Suspicious network tool downloaded and launched in container; Delete or rename shell history; Disable or Modify Linux Audit System; PTRACE anti-debug attempt; Suspicious Docker Options; Launch Suspicious Network Tool on Host. Default Policy Changes | 0.153.0 |
May 27, 2024 | Rule Changes | 0.152.4 |
May 23, 2024 | Rule Changes: Reduced false positives for the eBPF Program Loaded into Kernel rule. | 0.152.3 |
May 23, 2024 | Rule Changes | 0.152.2 |
May 22, 2024 | Rule Changes: Updated Indicators of Compromise (IoC) rulesets with new findings. Sysdig Falco Rules release announcement 0.152.0. Updated Sysdig Mitre Attack Mapper. | 0.152.1 |
May 21, 2024 | Rule Changes: Reduced false positives for the following rules: Create files below dev; Possible Backdoor using BPF; eBPF Program Loaded into Kernel; Modify Grub Configuration Files; Non sudo setuid. Improved conditions for the following rules: Reconnaissance attempt to find SUID binaries; Reconnaissance attempt to find SETGID binaries; Launch Code Compiler Tool in Container; AWS Suspicious IP Inbound Request; Disable or Modify Linux Audit System; Modify Shell Configuration File. Added the Bedrock Create Provisioned Model Throughput rule. Updated Indicators of Compromise rulesets with new findings. Default Policy Changes | 0.152.0 |
May 20, 2024 | Rule Changes | 0.151.4 |
May 17, 2024 | Rule Changes | 0.151.3 |
May 16, 2024 | Rule Changes: Improved exceptions for the Detection bypass by symlinked files rule. Reduced false positives for the following rules: Possible Backdoor using BPF; Non sudo setuid; eBPF Program Loaded into Kernel; Launch Code Compiler Tool on Host; Create Symlink Over Sensitive Files; Run shell untrusted. Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.151.2 |
May 15, 2024 | Rule Changes: Reduced false positives for the following rules: Launch Code Compiler Tool on Host; Hide Process with Mount; eBPF Program Loaded into Kernel; Possible Backdoor using BPF; Mount Launched in Privileged Container; Kernel Module Loaded by Unexpected Program; System procs network activity; Disable or Modify Linux Audit System; Dump memory for credentials. Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated Sysdig Mitre Attack Mapper. | 0.151.1 |
May 14, 2024 | Rule Changes: Reduced false positives for the following rules: Fileless Malware Detected; Launch Code Compiler Tool on Host; Escape to host via command injection in process; eBPF Program Loaded into Kernel; Possible Backdoor using BPF; Modify Grub Configuration Files. Updated Indicators of Compromise rulesets with new findings. Improved tags for the following rules: Added the following rules: Disable or Modify Linux Audit System; Reconnaissance attempt to find SETGID binaries; Launch Code Compiler Tool on Host; Entra Add Guest Member to Administrative Role; Entra Invite External User. Improved conditions for the following rules: Delete or rename shell history; Suspicious Cron Modification; Fileless Malware Detected. Default Policy Changes | 0.151.0 |
May 13, 2024 | Rule Changes | 0.150.4 |
May 10, 2024 | Rule Changes | 0.150.3 |
May 09, 2024 | Rule Changes | 0.150.2 |
May 08, 2024 | Rule Changes: Reduced false positives for the following rules: Possible Backdoor using BPF; eBPF Program Loaded into Kernel; Non sudo setuid; System procs network activity. Updated Indicators of Compromise rulesets with new findings. Sysdig Mitre Attack Mapper update. | 0.150.1 |
May 07, 2024 | Rule Changes Default Policy Changes | 0.150.0 |
May 06, 2024 | Rule Changes: Reduced false positives for the following rules: eBPF Program Loaded into Kernel; Suspicious Device Created in Container; Linux Kernel Module Injection Detected; Possible Backdoor using BPF; Modification of pam.d detected; Suspicious System Service Modification. Updated Indicators of Compromise rulesets with new findings. Improved tags for the Read sensitive file untrusted rule. | 0.149.3 |
May 03, 2024 | Rule Changes: Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Container; eBPF Program Loaded into Kernel; Mount Launched in Privileged Container. Improved tags for the System Geolocation Discovery rule. Improved coverage for T1665. Updated Indicators of Compromise rulesets with new findings. Sysdig Mitre Attack Mapper update. | 0.149.2 |
May 02, 2024 | Rule Changes: Reduced false positives for the following rules: Possible Backdoor using BPF; Write below etc; eBPF Program Loaded into Kernel; Hardware Added to the System; Modification of pam.d detected; Set Setuid or Setgid bit; Launch Remote File Copy Tools in Container. Updated Indicators of Compromise rulesets with new findings. Improved output for the following rules: Improved tags for the Malicious filenames written rule. | 0.149.1 |
April 30, 2024 | Rule Changes: Reduced false positives for the following rules: eBPF Program Loaded into Kernel; Possible Backdoor using BPF; Kernel Module Loaded by Unexpected Program; Mount Launched in Privileged Container; Read sensitive file untrusted. Improved condition for the following rules: Service Discovery Activity Detected; Password Policy Discovery Activity Detected; Modify Timestamp attribute in File; Active Directory Connection Detected. Updated Indicators of Compromise rulesets with new findings. | 0.149.0 |
April 29, 2024 | Rule Changes | 0.148.3 |
April 26, 2024 | Rule Changes | 0.148.2 |
April 24, 2024 | Rule Changes: Reduced false positives for the following rules: Linux Kernel Module Injection Detected; Kernel Module Loaded by Unexpected Program; System procs network activity; Change memory swap options; Mount on Container Path Detected; Possible Backdoor using BPF; Modification of pam.d detected; Escape to host via command injection in process; Launch Suspicious Network Tool in Container; Associate Elastic IP Address to AWS Network Interface. Updated Indicators of Compromise rulesets with new findings. Improved coverage for T1562.010. Improved coverage for T1552.003. Improved tags for the following rules: Sysdig Mitre Attack Mapper update. | 0.148.1 |
April 23, 2024 | Rule Changes: Reduced false positives for the following rules: Write below root; eBPF Program Loaded into Kernel; Execution from /tmp; Launch Sensitive Mount Container; Launch Ingress Remote File Copy Tools in Container; Modification of pam.d detected. Improved conditions for the following rules: Improved tags for the following rules: Added rule Update Paging Cache. Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated Sysdig Mitre Attack Mapper. Default Policy Changes | 0.148.0 |
April 22, 2024 | Rule Changes: Reduced false positives for the following rules: eBPF Program Loaded into Kernel; System procs network activity; Launch Root User Container; Possible backdoor using BPF. Improved output for the following rules: Improved tags for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. | 0.147.4 |
April 19, 2024 | Rule Changes | 0.147.3 |
April 18, 2024 | Rule Changes Reduced false positives for the following rules: System Geolocation Discovery
Service Discovery Activity Detected
Read sensitive file untrusted
Non sudo setuid
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved TA0004 and TA0003 MITRE tags
| 0.147.2 |
April 17, 2024 | Rule Changes Reduced false positives for the following rules: Packet Socket Created on Host
Possible Backdoor using BPF
Create Symlink Over Sensitive Files
Modify binary dirs
Run shell untrusted
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for GitHub rules.
| 0.147.1 |
April 16, 2024 | Rule Changes Reduced false positives for the following rules: Find GCP Credentials
Suspicious device created in container
Reconnaissance attempt to find SUID binaries
Escape to host via command injection in process
Mount Launched in Privileged Container
Modify binary dirs
Improved tags for Azure Access Level for Blob Container Set to Public rule. New Falco Cloud Microsoft Entra plugin support. Updated Indicators of Compromise (IoCs) rulesets with new findings. Added the following rules: Bedrock Model Recon Activity
Bedrock Invoke Agent
Bedrock Delete Knowledge Base
Bedrock Delete Data Source
Bedrock Delete Agent
Bedrock Delete Provisioned Model Throughput
Bedrock Delete Custom Model
Bedrock Disable Model Invocation Logging
Bedrock Invoke Model
Entra Add Member to Administrative Role
Entra Delete Application
Entra Add Administrative Unit
Entra Add Application
Entra Add Group
Entra Add Member to Group
Entra Add Member to Administrative Unit
Entra Add Owner To Application
Entra Add Owner to Service Principal
Entra Assign User to Application
Entra Change User Password
Entra Create Directory
Entra Delete Administrative Unit
Entra Delete Application Password for User
Entra Delete Group
Entra Disable Access to Application
Entra Hard Delete Application
Entra Remove App Role Assignment from User
Entra Remove Member from Administrative Unit
Entra Remove Member from Role
Entra Remove Verified Domain
Entra Update Application Certificates And Secrets Management
Entra Verify Domain
Entra Suspicious IP Inbound Request
Netcat Remote Code Execution on Host
Packet Socket Created on Host
Default Policy Changes | 0.147.0 |
April 15, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
eBPF Program Loaded into Kernel
DB program spawned process
Create Hidden Files or Directories
Connection to SMB Server detected
Read sensitive file untrusted
Write below root
Redirect STDOUT/STDIN to Network Connection in Container
Dump memory for credentials
Modification of pam.d detected
Directory traversal monitored file read
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for GitHub rules
| 0.146.4 |
April 12, 2024 | Rule Changes | 0.146.3 |
April 11, 2024 | Rule Changes Improved output for the Modification of pam.d detected rule. Reduced false positives for the following rules: Write below root
Launch Privileged Container
Read sensitive file untrusted
Launch Sensitive Mount Container
Launch Ingress Remote File Copy Tools in Container
Kernel startup modules changed
Improved tags for the QEMU Activity Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.146.2 |
April 10, 2024 | Rule Changes | 0.146.1 |
April 09, 2024 | Rule Changes Added the following rules: Improved description for workload rules Reduced false positives for the following rules: Possible Backdoor using BPF
Write below root
Suspicious Access To Kerberos Secrets
Root Certificate Installed
Suspicious Kernel Parameter Modification
Launch Root User Container
Non sudo setuid
Improved condition for the following: Updated Indicators of Compromise (IoCs) rulesets with new findings.
Default Policy Changes | 0.146.0 |
April 08, 2024 | Rule Changes | 0.145.4 |
April 05, 2024 | Rule Changes | 0.145.3 |
April 04, 2024 | Rule Changes Updated Indicators of Compromise rulesets with new findings. Improved coverage for T1136.001. Improved tags for Workload rules - T1036.003. Reduced false positives for the following rules: Kernel Module Loaded by Unexpected Program
Dump memory for credentials
Possible Backdoor using BPF
| 0.145.2 |
April 03, 2024 | Rule Changes Reduced false positives for the following rules: System procs network activity
eBPF Program Loaded into Kernel
Linux Kernel Module Injection
Possible Backdoor using BPF
Find GCP Credentials
Root Certificate Installed
Improved tags for Launch Ingress Remote File Copy Tools in Container rule. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.145.1 |
April 02, 2024 | Rule Changes Reduced false positives for the following rules: Suspicious Operations with Firewalls
Non sudo setuid
Set Setuid or Setgid bit
System procs network activity
Launch Excessively Capable Container
Possible Backdoor using BPF
Modification of pam.d detected
Added the Root Certificate Installed rule. Improved tags for Delete or rename shell history rule. Improved output for Outbound Connection to C2 Servers rule.
Default Policy Changes | 0.145.0 |
March 29, 2024 | Rule Changes Default Policy Changes | 0.144.3 |
March 28, 2024 | Rule Changes Reduced false positives for the following rules: DB program spawned process
Launch Ingress Remote File Copy Tools in Container
eBPF Program Loaded into Kernel
Modification of pam.d detected
Mount Launched in Privileged Container
Malicious IPs or domains detected on command line
Change thread namespace
Linux Kernel Module Injection Detected
Set Setuid or Setgid bit
Updated Indicators of Compromise rulesets with new findings. Improved output for Modification of pam.d detected rule. Improved tags for the following rules: Steganography Tool Detected
Discovery Security Service Activity Detected
Remove Bulk Data from Disk
| 0.144.2 |
March 27, 2024 | Rule Changes Reduced false positives for the following rules: Contact EC2 Instance Metadata Service From Container
Set Setuid or Setgid bit
Suspicious Home Directory Creation
Possible Backdoor using BPF
Launch Remote File Copy Tools on Host
Malicious IPs or domains detected on command line
Write below etc
Kernel startup modules changed
Modification of pam.d detected
Improved tags for the following rules: Connection to SMB Server detected
Java Process File Class Download
Possible SSH Hijacking Attempt Detected
Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.144.1 |
March 26, 2024 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Set Setuid or Setgid bit
Malicious IPs or domains detected on command line
Interactive Reconnaissance Activity Detected
Dump memory for credentials
Write below root
Change thread namespace
DB program spawned process
Possible Backdoor using BPF
Added the following rules: Tampering with Security Software on Host and Launch Remote File Copy Tools on Host. Updated Indicators of Compromise rulesets with new findings. Improved condition for System Geolocation Discovery rule.
Default Policy Changes Added the following rules: Tampering with Security Software on Host and Launch Remote File Copy Tools on Host | 0.144.0 |
March 25, 2024 | Rule Changes | 0.143.4 |
March 22, 2024 | Rule Changes | 0.143.3 |
March 21, 2024 | Rule Changes Reduced false positives for the following rules: Container escape via discretionary access control
Non sudo setuid
Kernel Module Loaded by Unexpected Program
Dump memory for credentials
Launch Remote File Copy Tools in Container
Packet socket created in container
Create Hardlink Over Sensitive Files
Change memory swap options
eBPF Program Loaded into Kernel
Improved output for EC2 Instance Connect/SSH Public Key Uploaded. Updated Indicators of Compromise rulesets with new findings.
| 0.143.2 |
March 20, 2024 | Rule Changes Improved output for the Dump memory for credentials and Possible Backdoor using BPF rules. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Modify ld.so preload
eBPF Program Loaded into Kernel
Modification of pam.d detected
Packet socket created in container
Mount on Container Path Detected
Change thread namespace rule
| 0.143.1 |
March 19, 2024 | Rule Changes Reduced false positives for the following rules: Dump memory for credentials
Mount on Container Path Detected
Create Symlink Over Sensitive Files
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Added the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings
Default Policy Changes | 0.143.0 |
March 19, 2024 | Rule Changes | 0.142.8 |
March 15, 2024 | Rule Changes Reduced false positives for the following rules: Write below etc
Connection to IPFS Network Detected
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Linux Kernel Module Injection Detected
nsenter Container Escape
Execution from Temporary Filesystem
Launch Root User Container rule
Updated Indicators of Compromise rulesets with new findings. Improved output for Discovery Security Service Activity Detected rule.
| 0.142.7 |
March 14, 2024 | Rule Changes Reduced false positives for the following rules: Linux Kernel Module Injection Detected
Packet socket created in container
Container escape via discretionary access control
Possible Backdoor using BPF
Suspicious Cron Modification
Suspicious Access To Kerberos Secrets
Redirect STDOUT/STDIN to Network Connection in Host
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Reconnaissance attempt to find SUID binaries and Dump memory for credentials rules.
| 0.142.6 |
March 13, 2024 | Rule Changes | 0.142.5 |
March 13, 2024 | Rule Changes | 0.142.4 |
March 13, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
Suspicious Access To Kerberos Secrets
Redirect STDOUT/STDIN to Network Connection in Host
Improved conditions for the following rules: Improved output for AWS rules - Event Summary. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.142.3 |
March 12, 2024 | Rule Changes Added Execute Process from Masqueraded Directory to managed policies. Improved output for Kernel startup modules changed rule. Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Host
Linux Kernel Module Injection Detected
Suspicious Cron Modification
Suspicious Access To Kerberos Secrets
Default Policy Changes | 0.142.2 |
March 12, 2024 | Rule Changes Default Policy Changes | 0.142.1 |
March 12, 2024 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Suspicious Operations with Firewalls
Possible Backdoor using BPF
Packet socket created in container
Mount on Container Path Detected
Improved condition for the following rules: Dump memory for credentials
Suspicious Access To Kerberos Secrets
Linux Kernel Module Injection Detected
Redirect STDOUT/STDIN to Network Connection in Host
Suspicious Cron Modification
Clear Log Activities
Modification of pam.d detected
Added the following rules: Python HTTP Server Started
Execute Process from Masqueraded Directory
Shared Libraries Reconnaissance Activity Detected
EC2 Instance Create User
Terminate EC2 Instances
Improved description and tags for Change memory swap options rule. Improved tags for AWS EC2 ruleset. Updated Indicators of Compromise (IoCs) rulesets with new findings.
Default Policy Changes Added the following rules: Python HTTP Server Started
Execute Process from Masqueraded Directory
Shared Libraries Reconnaissance Activity Detected
EC2 Instance Create User
Terminate EC2 Instances
| 0.142.0 |
March 11, 2024 | Rule Changes Reduced false positives for the following rules: Mount on Container Path Detected
Mount Launched in Privileged Container
Possible Backdoor using BPF
Packet socket created in container
eBPF Program Loaded into Kernel
System procs network activity
Improved condition for Suspicious Cron Modification rule. Improved output for AWS rules - Event Summary. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.141.4 |
March 08, 2024 | Rule Changes Default Policy Changes | 0.141.3 |
March 07, 2024 | Rule Changes Improved tags for Suspicious Domain Contacted rule. Improved condition for macro network_tool_procs. Updated Indicators of Compromise rulesets with new findings. Reduced false positives for the following rules: Launch Suspicious Network Tool in Container
Suspicious Cron Modification
Execution from /tmp
Launch Sensitive Mount Container
Non sudo setuid
| 0.141.2 |
March 06, 2024 | Rule Changes Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved condition for Kernel Module Loaded by Unexpected Program rule. Reduced false positives for the following rules: Suspicious Cron Modification
Possible Backdoor using BPF
Escape to host via command injection in process
Mount on Container Path Detected
Launch Privileged Container
Container escape via discretionary access control
Set Setuid or Setgid bit
Execution from /tmp
Suspicious Domain Contacted
| 0.141.1 |
March 05, 2024 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Suspicious Domain Contacted
Launch Suspicious Network Tool in Container
Modify Grub Configuration Files
Launch Root User Container
Fileless Malware Detected
Container escape via discretionary access control
Mount on Container Path Detected
Find GCP credentials
Suspicious Cron Modification
Updated Indicators of Compromise rulesets with new findings. Improved tags for Suspicious Domain Contacted rule. Improved output for AWS rules - Event Summary. Added the Data Split Activity Detected and Contact EC2 Instance Metadata Service From Host rules.
Default Policy Changes Added the following rules: | 0.141.0 |
March 01, 2024 | Rule Changes Reduced false positives for the following rules: Execution from /tmp
Mount on Container Path Detected
Possible Backdoor using BPF
Kernel Module Loaded by Unexpected Program
Packet socket created in container
Suspicious Cron Modification
Updated Indicators of Compromise rulesets with new findings. Improved condition for the Describe Instances rule. Improved tags for the GCP Create Cloud Function rule.
| 0.140.3 |
February 29, 2024 | Rule Changes | 0.140.2 |
February 28, 2024 | Rule Changes Improved condition for Kernel Module Loaded by Unexpected Program rule. Reduced false positives for the following rules: Suspicious Cron Modification
Possible Backdoor using BPF
Suspicious RC Script Modification
Launch Root User Container
Find Authentication Certificates
Updated Indicators of Compromise rulesets with new findings
| 0.140.1 |
February 27, 2024 | Rule Changes Reduced false positives for the following rules: Ransomware Filenames Detected
Suspicious Cron Modification
Mount Launched in Privileged Container
Modification of pam.d detected
eBPF Program Loaded into Kernel
Kernel startup modules changed
Suspicious RC Script Modification
Possible Backdoor using BPF
Improved conditions for the following rules: Suspicious network tool downloaded and launched in container
Launch Suspicious Network Tool on Host
Find GCP Credentials
Launch Suspicious Network Tool in Container
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Kernel Module Loaded by Unexpected Program rule. Improved output for AWS rules - Event Summary. Added the following rules: Find Authentication Certificates
Contact GCP Instance Metadata Service from Host
Contact Azure Instance Metadata Service from Host
Execution from Temporary Filesystem
Improved MITRE tags for AWS S3 ruleset.
Default Policy Changes | 0.140.0 |
February 26, 2024 | Rule Changes Reduced false positives for Possible Backdoor using BPF and Change thread namespace rules. Improved condition for the Update Package Repository rule. Updated Indicators of Compromise rulesets with new findings.
| 0.139.5 |
February 23, 2024 | Rule Changes Reduced false positives for the following rules: Write below root
Malicious binary detected
Launch Suspicious Network Tool in Container
Escape to host via command injection in process
Kernel Module Loaded by Unexpected Program
Possible Backdoor using BPF
Suspicious RC Script Modification
Improved output for the following rules: Improved condition for Non sudo setuid rule. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.139.4 |
February 22, 2024 | Rule Changes | 0.139.3 |
February 21, 2024 | Rule Changes Reduced false positives for the following rules: Launch Sensitive Mount Container
Create Symlink Over Sensitive Files
Reconnaissance attempt to find SUID binaries
Suspicious Cron Modification
Privileged Shell Spawned Inside Container
Set Setuid or Setgid bit
Suspicious RC Script Modification
Updated Indicators of Compromise rulesets with new findings. Improved output for the Suspicious Docker Options rule. Improved output for AWS rules - Event Summary. Improved tags for the Suspicious Docker Options rule.
| 0.139.2 |
February 21, 2024 | Rule Changes | 0.139.1 |
February 20, 2024 | Rule Changes Reduced false positives for the following rules: Kernel startup modules changed
Suspicious Cron Modification
eBPF Program Loaded into Kernel
Mount Launched in Privileged Container
Find AWS Credentials
Launch Root User Container
Change thread namespace
Non sudo setuid
Updated Indicators of Compromise rulesets with new findings. Improved output for AWS rules - Event Summary. Improved condition for the following rules: Suspicious System Service Modification
Discovery Security Service Activity Detected
Mount Launched in Privileged Container
Update Package Repository
Added the following rules: RDS Delete DB Instance
RDS Create DB Instance
Peripheral Device Discovery Activity Detected
Interactive Reconnaissance Activity Detected
Suspicious Docker Options
Possible SSH Hijacking Attempt Detected
Default Policy Changes | 0.139.0 |
February 19, 2024 | Rule Changes Improved output for the Attach to cluster-admin Role rule Reduced false positives for the following rules: Set Setuid or Setgid bit
System procs network activity
Container escape via discretionary access control
Possible Backdoor using BPF
Create Symlink Over Sensitive Files
eBPF Program Loaded into Kernel
Updated Indicators of Compromise (IoCs) rulesets with new findings
| 0.138.3 |
February 15, 2024 | Rule Changes | 0.138.2 |
February 14, 2024 | Rule Changes Reduced false positives for the following rules: Find AWS Credentials
System procs network activity
Launch Root User Container
Suspicious Cron Modification
System Geolocation Discovery
Launch Ingress Remote File Copy Tools in Container
Fixed tags for the ld.so.preload rule. Improved performance of the Modify binary dirs rule. Fixed description for the Discovery Security Service Activity Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated Sysdig Mitre Attack Mapper.
Default Policy Changes | 0.138.1 |
February 13, 2024 | Rule Changes Reduced false positives for the following rules: Suspicious Cron Modification
Search Private Keys or Passwords
Kernel startup modules changed
Kernel Module Loaded by Unexpected Program
Added the following rules: Exfiltrating Artifacts via Kubernetes Control Plane
Discovery Security Service Activity Detected
Suspicious RC Script Modification
Azure Read Service SAS Token for a Storage Account
CloudShell Download File
Create Support Case
Improved condition for the following: Improved coverage for T1025, T1092, and T1129. IoCs update.
Default Policy Changes Added the following rules: Exfiltrating Artifacts via Kubernetes Control Plane
Discovery Security Service Activity Detected
Suspicious RC Script Modification
Azure Read Service SAS Token for a Storage Account
CloudShell Download File
Create Support Case
| 0.138.0 |
February 12, 2024 | Rule Changes Reduced false positives for the following rules: Launch Root User Container
Find AWS Credentials
Suspicious Cron Modification
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Improved condition for Hide Process with Mount rule. Improved coverage for T1554. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.137.4 |
February 09, 2024 | Rule Changes Improved tag T113 for the Workload rules. Reduced false positives for the following rules: Fixed condition for the Possible Backdoor using BPF rule. IoCs update.
| 0.137.3 |
February 08, 2024 | Rule Changes Improved condition for the following macros: inbound_outbound
inbound
device_mounted_exists
Improved Hide Process with Mount rule. Improved output for Kernel Module Loaded by Unexpected Program rule. Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Suspicious device created in container
Suspicious Cron Modification
Mount Launched in Privileged Container
Modify ld.so.preload
Kernel Module Loaded by Unexpected Program
Improved the rfc_1918_addresses list. Updated IoCs.
| 0.137.2 |
February 07, 2024 | Rule Changes | 0.137.1 |
February 06, 2024 | Rule Changes IoCs update. Reduced false positives for the following rules: Possible Backdoor using BPF
Suspicious Cron Modification
Kernel startup modules changed
eBPF Program Loaded into Kernel
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Packet socket created in container
Suspicious Cron Modification
Terminal Shell in Container
Possible Backdoor using BPF
Kernel startup modules changed
Suspicious Cron Modification
Suspicious System Service Modification
Write below etc
Suspicious Cron Modification
Possible Backdoor using BPF
Launch Root User Container
Suspicious Domain Contacted
Non sudo setuid
Suspicious Cron Modification
Possible Backdoor using BPF
Malicious IPs or domains detected on command line
nsenter Container Escape
Kernel startup modules changed
Suspicious Cron Modification
Improved condition for the following rules: Suspicious device created in container
Suspicious Java Child Processes
Run shell untrusted
Create Hidden Files or Directories
Improved output for Workload rules - Event Summary. Improved tags for Workload rules - MITRE T1555. Added the following rules: Suspicious Chdir Event Detected
Kernel Module Loaded by Unexpected Program
System Geolocation Discovery
Miner Filename Pushed to Repository
Mount on Container Path Detected
Hardware Added to the System
Abuse Sudo for Privilege Escalation
Suspicious Connection to K8S API Server From Container
Default Policy Changes Added the following rules: Suspicious Chdir Event Detected
Kernel Module Loaded by Unexpected Program
System Geolocation Discovery
Miner Filename Pushed to Repository
Mount on Container Path Detected
Hardware Added to the System
Abuse Sudo for Privilege Escalation
Suspicious Connection to K8S API Server From Container
| 0.137.0 |
February 05, 2024 | What's Changed Rule Changes Reduced false positives for the following rules: | 0.136.8 |
February 02, 2024 | Rule Changes Reduced false positives for the following: Suspicious Cron Modification
Packet socket created in container
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
| 0.136.7 |
February 01, 2024 | Rule Changes Reduced false positives for the following: Suspicious System Service Modification
Suspicious Cron Modification
Kernel startup modules changed
Possible Backdoor using BPF
Terminal Shell in Container
| 0.136.6 |
January 31, 2024 | Rule Changes Reduced false positives for the following: | 0.136.5 |
January 29, 2024 | Rule Changes Added macro internal_domains_connection_data. Improved MITRE ATT&CK tags for T1016. Reduced false positives for the following rules: Write below etc
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.136.4 |
January 26, 2024 | Rule Changes | 0.136.3 |
January 25, 2024 | Rule Changes | 0.136.2 |
January 24, 2024 | Rule Changes | 0.136.1 |
January 23, 2024 | Rule Changes Reduced false positives for the following rules: Modify Shell Configuration File
Launch Ingress Remote File Copy Tools in Container
Possible Backdoor using BPF
Write below etc
Added the following rules: Query to Window Management System Detected
Access to Clipboard Data Detected
Service Discovery Activity Detected
Suspicious Access To Kerberos Secrets
SES Delete Identity Policy
SES Update Identity Policy
SES Attach Policy to Identity
Improved condition for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings.
Default Policy Changes Added the following rules: Query to Window Management System Detected
Access to Clipboard Data Detected
Service Discovery Activity Detected
Suspicious Access To Kerberos Secrets
SES Delete Identity Policy
SES Update Identity Policy
SES Attach Policy to Identity
| 0.136.0 |
January 22, 2024 | Rule Changes | 0.135.5 |
January 19, 2024 | Rule Changes | 0.135.4 |
January 18, 2024 | Rule Changes | 0.135.3 |
January 18, 2024 | Rule Changes Reduced false positives for the following rules: Improved descriptions for Hide Process with Mount rule. Improved output for Workload rules - Event Summary Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.135.2 |
January 17, 2024 | Rule Changes | 0.135.1 |
January 16, 2024 | Rule Changes Reduced false positives for the following rules: Mount Launched in Privileged Container
nsenter Container Escape
Possible Backdoor using BPF
Fileless Malware Detected (memfd)
Added the following rules: Updated IoCs. Updated tags for Contact K8S API Server From Container rule. Improved conditions for Contact K8S API Server From Container rule. Improved list package_mgmt_binaries and macro package_listing. Improved condition for Container image built on host rule. Improved tags for Workload rules - MITRE T1550 list. Improved iptables_similar list. Deprecated the following rules: Malicious process detected
Creation attempt Azure Secure Transfer Required Set to Disabled
Azure Access Level creation attempt for Blob Container Set to Public rule.
Azure Blob Created
Azure Blob Deleted
Azure Create/Update a Storage Account
Azure Delete a Storage Account
Azure Delete Function Key
Default Policy Changes Added the following rules: Updated the policy for Ransomware Filenames Detected rule. Improved condition for Contact K8S API Server From Container rule.
| 0.135.0 |
January 15, 2024 | Rule Changes | 0.134.4 |
January 12, 2024 | Rule Changes Reduced false positives for the following rules: Improved tags for Workload Rules - Financial Theft. Improved output for Workload Rules - Event Summary - End of Enabled rules.
| 0.134.3 |
January 11, 2024 | Rule Changes Reduced false positives for the following rules: Kernel startup modules changed
Possible Backdoor using BPF
Suspicious Cron Modification
Fileless Malware Detected (memfd)
Improved tags for Suspicious Operations with Firewalls rule. Improved output for Workload Rules - Event Summary. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.134.2 |
January 10, 2024 | Rule Changes Reduced false positives for the following rules: Kernel startup modules changed
Possible backdoor using BPF
Launch Root User Container
Packet socket created in container
Suspicious Operations with Firewalls
Improved tags for Workload Rules. Updated Indicators of Compromise (IoCs).
Default Policy Changes | 0.134.1 |
January 09, 2024 | Rule Changes Improved output for Workload Rules - Event Summary. Improved condition for the following rules: Get Federation Token with Admin Policy
Ransomware Filenames Detected
Detect malicious cmdlines
nsenter Container Escape
Mount Launched in Privileged Container
Put Bucket ACL for AllUsers
Default Policy Changes Updated policies for the following rules: AWS CLI used with endpoint url parameter rule
Ransomware Filenames Detected
Azure Blob Created, Azure Blob Deleted
| 0.134.0 |
January 08, 2024 | Rule Changes | 0.133.14 |
January 05, 2024 | Rule Changes Reduced false positives for the following rules: Modification of pam.d detected
Possible Backdoor using BPF
Suspicious Cron Modification
PTRACE attached to process
Updated the IoCs Ruleset with new findings. Improved condition for the Ransomware Filenames Detected rule.
| 0.133.13 |
January 04, 2024 | Rule Changes Reduced false positives for the following rules: Modification of pam.d detected
Non sudo setuid
Execution from /tmp
Suspicious Cron Modification
Set Setuid or Setgid bit
Read sensitive file untrusted
Updated the IoCs Ruleset with new findings. Added the Ransomware Filenames Detected rule.
Default Policy Changes | 0.133.12 |
January 03, 2024 | | 0.133.11 |
December 22, 2023 | Rule Changes Reduced false positives for the following rules: Change memory swap options
Packet socket created in container
eBPF Program Loaded into Kernel
| 0.133.10 |
December 21, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the Detect outbound connections to Proxy/VPN rule. Updated the IoCs Ruleset with new findings.
| 0.133.9 |
December 20, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the Detect outbound connections to TOR Entry Nodes rule. Updated the IoCs Ruleset with new findings.
| 0.133.8 |
December 19, 2023 | Rule Changes Reduced false positives for the following rules: Create Hidden Files or Directories
Suspicious Cron Modification
eBPF Program Loaded into Kernel
Write below etc
Launch Sensitive Mount Container
Launch Root User Container
Improved condition for the following rule: Connection to IPFS Network Detected. Updated the IoCs Ruleset with new findings.
| 0.133.7 |
December 18, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the following rules: Improved output for the Connection to IPFS Network Detected rule. Updated the IoCs Ruleset with new findings.
| 0.133.6 |
December 15, 2023 | Rule Changes Reduced false positives for the following rules: Improved output for the following rules: Detect outbound connections to TOR Entry Nodes
Detect crypto miners using the Stratum protocol
Connection to IPFS Network Detected
Updated the IoCs Ruleset with new findings. Improved coverage for the Inhibit System Recovery technique.
| 0.133.5 |
December 14, 2023 | Rule Changes | 0.133.4 |
December 11, 2023 | Rule Changes | 0.133.1 |
December 04, 2023 | Rule Changes Improved condition for the following rules: Improved output for the following rules: Added the following rules: New GitHub Action Workflow Deployed
Okta Multiple Application Requests with Invalid Credentials
Push on Github Actions Detected
Okta MFA Bypass Attempt
Remove macro from the Detect outbound connections to common miner pool ports rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes Added the following rules: New GitHub Action Workflow Deployed
Okta Multiple Application Requests with Invalid Credentials
Push on Github Actions Detected
Okta MFA Bypass Attempt
| 0.133.0 |
December 03, 2023 | Rule Changes | 0.132.5 |
November 30, 2023 | Rule Changes | 0.132.4 |
November 30, 2023 | Rule Changes | 0.132.2 |
November 29, 2023 | Rule Changes | 0.132.1 |
November 28, 2023 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Fileless Malware Detected (memfd)
Modification of pam.d detected
Suspicious Cron Modification
Added the following rules: Update Secret in Secrets Manager
Delete Secret in Secrets Manager
Create Secret in Secrets Manager
Cancel Secret Rotation in Secrets Manager
Azure Create/Update User Managed Identity
Azure Create/Update a Public IP Address
Azure Create/Update a Key Vault
Azure Delete a Public IP Address
Azure Delete a Key Vault
Azure Delete User Managed Identity
CODEOWNERS file modified
Okta One-Time Token Reused
Improved the network_tool_binaries list. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.132.0 |
November 27, 2023 | Rule Changes Default Policy Changes | 0.131.7 |
November 25, 2023 | Rule Changes Default Policy Changes | 0.131.5 |
November 24, 2023 | Rule Changes Reduced false positives for the following rules: Launch Sensitive Mount Container
Create Symlink Over Sensitive Files
Kernel startup modules changed
Execution from /tmp
Renamed the Azure Terminate the Virtual Machine rule to Azure Stop a Virtual Machine. Updated the IoCs Ruleset with new findings. Updated MITRE tags.
Default Policy Changes | 0.131.4 |
November 23, 2023 | Rule Changes Default Policy Changes Updated policy for the Azure Terminate the Virtual Machine rule. | 0.131.3 |
November 22, 2023 | Rule Changes | 0.131.2 |
November 21, 2023 | Default Policy Changes | 0.131.1 |
November 21, 2023 | Rule Changes Reduced false positive for the following rules: eBPF program loaded into kernel
Suspicious Cron Modification
Set Setuid or Setgid bit
Write below root
Detect outbound connections to common miner pool ports
Added the following rules: Updated the policy for the Contact K8S API Server From Container rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.131.0 |
November 20, 2023 | Rule Changes Default Policy Changes | 0.130.8 |
November 17, 2023 | Rule Changes Reduced false positives for the following rules: Modification of pam.d detected
Possible Backdoor using BPF
Packet socket created in container
Dump memory for credentials
Launch Remote File Copy Tools in Container
Suspicious cron modification
Base64-encoded Shell Script Execution
Fileless Malware Detected (memfd)
Fixed an exception in the Share RDS Snapshot with Foreign Account rule. Improved output for the Github Webhook Connected rule. Updated the indicators of compromise (IoC) Ruleset with new findings.
| 0.130.7 |
November 16, 2023 | Rule Changes | 0.130.6 |
November 15, 2023 | Rule Changes Reduced false positives for the following rules: Launch root user container
eBPF program loaded into kernel
Possible Backdoor using BPF
Non sudo setuid
Modification of pam.d detected
Improved output for the Okta ruleset. Improved tags for the AWS RDS Master Password Update rule. Updated the IoCs Ruleset with new findings.
| 0.130.5 |
November 14, 2023 | Rule Changes Reduced false positives for the following rules: Removed Sysdig images from the Terminal shell in container rule. Improved description for the Okta Admin Console Access Velocity Behavior rule. Updated policy for the SSM Get Parameter rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.130.4 |
November 13, 2023 | Rule Changes | 0.130.3 |
November 10, 2023 | Rule Changes | 0.130.2 |
November 08, 2023 | Rule Changes | 0.130.1 |
November 07, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious Cron Modification
Mount Launched in Privileged Container
eBPF Program Loaded into Kernel
Modification of pam.d detected
Added the following rules: Improved condition for the following rules: System procs network activity
Potential UAC Bypass Using Registry Manipulation
Dump memory for credentials
Improved the Windows suspicious_network_binaries list. Updated description for the Malicious C2 IPs or domains exploiting log4j rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.130.0 |
November 06, 2023 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Write below etc
Read Environment Variable from /proc files in Container
Modification of pam.d detected
Non sudo setuid
| 0.129.4 |
November 04, 2023 | Rule Changes Reduced false positives for the following rules: Search Private Keys or Passwords
Fileless Malware Detected (memfd)
Mount Launched in Privileged Container
Modification of pam.d detected
SSH keys added to authorized_keys
Non sudo setuid
Possible backdoor using BPF
Change memory swap options
Kernel startup modules changed
Improved output for the Shutdown or Reboot detected rule. Updated MITRE tags. Improved condition for the Execution of binary using ld-linux rule.
| 0.129.3 |
November 02, 2023 | Default Policy Changes | 0.129.2 |
October 31, 2023 | Rule Changes Added the following rules: Shutdown or Reboot detected
Get Federation Token with Admin Policy
Full Visibility on Federated Sessions
GCP CloudRun Service Started
Create Key Pair
Stop EC2 Instances
Get Lambda Function
Attach IAM Policy to Group
Escape to host via command injection in process
Updated the IoCs Ruleset with new findings. Improved the network_tool_binaries list. Improved condition for the following rules: GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911)
Potential IRC connection detected
Put Object in Watched Bucket
Default Policy Changes | 0.129.0 |
October 30, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious cron modification
Packet socket created in container
Fileless Malware Detected (memfd)
Modification of pam.d detected
Write below etc
Read SSH information
docker client is executed in a container
eBPF Program Loaded into Kernel
Write below rpm database
Updated the IoCs Ruleset with new findings. Updated MITRE tags. Improved output for the following:
| 0.128.7 |
October 26, 2023 | Added Windows support. | 0.128.6 |
October 24, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious Cron Modification
Possible backdoor using BPF
Modification of pam.d detected
SSH keys added to authorized_keys
Kernel startup modules changed
Updated the IoCs Ruleset with new findings. Updated MITRE tags. Improved the condition for the Modification of pam.d detected rule.
| 0.128.4 |
October 23, 2023 | Rule Changes | 0.128.3 |
October 18, 2023 | Rule Changes Reduced false positives for the following rules: Mount launched in privileged container
Kernel startup modules changed
Read SSH information
Possible Backdoor using BPF
| 0.128.2 |
October 17, 2023 | Rule Changes | 0.128.1 |
October 06, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule. Updated the IoCs Ruleset with new findings.
| 0.127.7 |
October 04, 2023 | Rule Changes Added the following rules: CodeBuild Create Project with Miner
CodeBuild Start Build with Miner
CodeCommit Create Repository
CodeCommit Git Push
CodeBuild Create Project
CloudFormation Create Stack
SSH keys added to authorized_keys
SageMaker Create Notebook Instance Lifecycle Configuration
Image Builder Create Component
Amplify Create App
EC2 Create Auto Scaling Group
Potential IRC connection detected
CodeBuild Start Build
ECS Create Cluster
EC2 Create Launch Template
Change memory swap options
Azure Update a Web App's configuration settings
Azure Function App Create/Update a Connection
Azure Create/Update Web Apps Hostname Bindings
Azure Cosmos DB Delete MongoDB Database
Azure Cosmos DB Delete SQL DB Container
Azure Cosmos DB Delete Postgres Firewall Rule
Azure Cosmos DB Delete Postgres Cluster
Azure Cosmos DB Delete Service
Azure Cosmos DB Delete MongoDB Role Definition
Azure Cosmos DB Delete MongoDB User Definition
Azure Cosmos DB Delete MongoDB Database Collection
Azure Cosmos DB Delete Gremlin Database
Azure Cosmos DB Delete Gremlin Database Graphs
Azure Cosmos DB Delete Cassandra Keyspace
Azure Cosmos DB Delete Cassandra Table
Azure Cosmos DB Delete Database Account
Azure Cosmos DB Delete Table
Azure Cosmos DB Delete Postgres Role
Azure Cosmos DB Delete SQL Assignment
Azure Cosmos DB Delete SQL Database
Azure Cosmos DB Delete SQL User Defined Function
Azure Cosmos DB Delete SQL Trigger
Azure Cosmos DB Delete SQL Stored Procedure
Azure Cosmos DB Create SQL Assignment
Azure Cosmos DB Create Postgres Role
Azure Cosmos DB Create SQL Definition
Azure Cosmos DB Create SQL Database
Azure Cosmos DB Create SQL User Defined Function
Azure Cosmos DB Create SQL Trigger
Azure Cosmos DB Create SQL Stored Procedure
Azure Cosmos DB Create SQL DB Container
Azure Cosmos DB Create Postgres Firewall Rule
Azure Cosmos DB Create MongoDB Database
Azure Cosmos DB Create Postgres Cluster
Azure Cosmos DB Create MongoDB Role Definition
Azure Cosmos DB Create MongoDB User Definition
Azure Cosmos DB Create MongoDB Database Collection
Azure Cosmos DB Create Gremlin Database
Azure Cosmos DB Create Gremlin Database Graphs
Azure Cosmos DB Create Cassandra Keyspace
Azure Cosmos DB Create Cassandra Table
Azure Cosmos DB Create Database Account
Azure Cosmos DB Create Table
Azure Cosmos DB Create Service
Reduced false positives for the following rules: Read Environment Variable from /proc files in Container
Set Setuid or Setgid bit
Launch Suspicious Network Tool in Container
Non sudo setuid
Clear log activities
eBPF Program Loaded into Kernel
Search Private Keys or Passwords
Improved condition for the following rules: Updated MITRE tags. Updated policy for the Modification of pam.d detected rule. Improved the log_files list. Updated the IoCs Ruleset with new findings.
Default Policy Changes Added the following rules: CodeBuild Create Project with Miner
CodeBuild Start Build with Miner
CodeCommit Create Repository
CodeCommit Git Push
CodeBuild Create Project
CloudFormation Create Stack
SSH keys added to authorized_keys
SageMaker Create Notebook Instance Lifecycle Configuration
Image Builder Create Component
Amplify Create App
EC2 Create Auto Scaling Group
Potential IRC connection detected
CodeBuild Start Build
ECS Create Cluster
EC2 Create Launch Template
Change memory swap options
Updated policy for the following rules: Added Simple Systems Manager (SSM) rules to the awscloudtrail policy.
| 0.128.0 |
October 04, 2023 | Rule Changes Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule. Default Policy Changes Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule. | 0.127.6 |
October 04, 2023 | Rule Changes | 0.127.5 |
October 03, 2023 | Rule Changes | 0.127.4 |
September 29, 2023 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
AWS CLI used with endpoint url parameter
eBPF Program Loaded into Kernel
Non sudo setuid
Updated the MITRE tags. Added the dns_traffic macro. Improved the Okta rules. Updated the IoCs Ruleset with new findings.
| 0.127.3 |
September 28, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Non sudo setuid
Launch root user container
Packet socket created in container
Redirect STDOUT/STDIN to Network Connection in Container
Fileless Malware Detected (memfd)
Updated MITRE tags. Added exception for the Suspicious Domain Contacted rule. Updated the IoCs Ruleset with new findings.
| 0.127.2 |
September 27, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Launch excessively capable container
Possible backdoor using BPF
Launch privileged container
Improved output for the Fileless Malware Detected (memfd) rule. Updated the IoCs Ruleset with new findings.
| 0.127.1 |
September 26, 2023 | Rule Changes Added the following rules: GCP VPC Add Peering
Okta Suspicious User Activity Report
Okta Admin Console Access via New Device
Okta FastPass Phishing Attempt
Modification of pam.d detected
GCP Modified VPC Network
GCP Create VPC Network
GCP VPC Remove Peering
Okta Admin Console Access Velocity Behavior
GCP Create Role
GCP Delete Route
Suspicious device created in container
GCP Update CloudSQL
Okta Admin Console Access with New Behaviors
GCP Create Route
Okta Sign-in via Proxy
Okta Create Identity Provider
K8s Pod Deleted
GCP Update Role
GCP Modify Audit Policy
SSM Start Session
Okta Admin Console Access Failure
Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Set Setuid or Setgid bit
Mount Launched in Privileged Container
Suspicious Cron Modification
Possible Backdoor using BPF
Improved condition for the following rules: Updated MITRE tags. Improved output for the Packet socket created in container rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.127.0 |
September 22, 2023 | Rule Changes Reduced false positives for the following rules: Kernel startup module changed
Launch root user container
Read shell configuration file
Write below etc
Improved output for the SSM Send Command rule. Updated the IoCs Ruleset with new findings. Updated MITRE tag.
| 0.126.3 |
September 21, 2023 | Rule Changes | 0.126.2 |
September 20, 2023 | Rule Changes Default Policy Changes Updated policy for the following rules: | 0.126.1 |
September 19, 2023 | Rule Changes Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Container
Launch Root User Container
Suspicious Operations with Firewalls
Non sudo setuid
Fileless Malware Detected (memfd)
Non Sudo Setuid
Added the following rules: Improved condition for the Packet socket created in container rule.
Default Policy Changes Added the following files: Updated the policy for the Container escape via discretionary access control rule. Added the Sysdig Azure Threat Intelligence policy.
| 0.126.0 |
September 14, 2023 | Rule Changes Reduced false positives for the following rule: | 0.125.3 |
September 13, 2023 | Rule Changes | 0.125.1 |
September 12, 2023 | Rule Changes Added the following files: Unexpected Unshare event in Container
Disallowed SSH Connection Non Standard Port
Azure Suspicious IP Inbound Request
GCP Change Owner
Container escape via discretionary access control
Improved condition for the following: Launch Privileged Container
Write below etc
Suspicious Operations with Firewalls
Launch Remote File Copy Tools in Container
Improved the sysdig_commercial_images list. Improved the performance of the rename macro. Updated the IoCs Ruleset with new findings.
Default Policy Changes Added the following files: Unexpected Unshare event in Container
Disallowed SSH Connection Non Standard Port
Azure Suspicious IP Inbound Request
GCP Change Owner
Container escape via discretionary access control
| 0.125.0 |
September 08, 2023 | Rule Changes Reduced false positives for the following rules: Launch Ingress Remote File Copy Tools in Container
Launch Root User Container
Possible Backdoor using BPF
Fileless Malware Detected (memfd)
Packet socket created in container
Change thread namespace
Improved host and container tags. Updated the IoCs Ruleset with new findings.
| 0.124.3 |
September 06, 2023 | Rule Changes Reduced false positives for the following rules: PTRACE attached to process
Mount Launched in Privileged Container
Launch Root User Container
Launch Sensitive Mount Container
Launch Privileged Container
Added the azure_trusted_images_launch_root_list list. Updated the IoCs Ruleset with new findings.
| 0.124.1 |
September 05, 2023 | Rule Changes Default Policy Changes | 0.124.0 |
September 04, 2023 | Rule Changes Reduced false positives for the following rules: The docker client is executed in a container
Possible Backdoor using BPF
Fileless Malware Detected (memfd)
Improved host and container tags. Updated the IoCs Ruleset with new findings.
| 0.123.3 |
September 02, 2023 | Rule Changes Reduced false positives for the following rules: The docker client is executed in a container
Mount Launched in Privileged Container
Packet Socket Created in Container
Launch Root User Container
Launch Privileged Container
Improved condition for the following rule: Updated the IoCs Ruleset with new findings. Improved the host and container tags.
| 0.123.2 |
August 30, 2023 | Rule Changes | 0.123.1 |
August 29, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the following rules: Improved output for the following rules: Updated the IoCs Ruleset with new findings. Improved the miner_ports list.
| 0.123.0 |
August 28, 2023 | Rule Changes Default Policy Changes Reduced false positives for the Put Object in Watched Bucket rule. | 0.122.5 |
August 18, 2023 | Rule Changes Reduced false positives for the following rules: Default Policy Changes Downgraded AWS rules. | 0.122.4 |
August 05, 2023 | Rule Changes | 0.122.3 |
August 03, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved output for the Fileless Malware Detected (memfd) rule.
Default Policy Changes Removed Packet socket created in container from the Sysdig Runtime Notable Events policy. | 0.122.2 |
August 02, 2023 | Rule Changes Default Policy Changes Removed the AWS IAM Credential Report Request rule from policy. | 0.122.1 |
August 01, 2023 | Rule Changes Reduced false positives for the Launch Root User Container rule. Added the following rules: AWS ECS Create Task Definition
AWS RDS Master Password Update
AWS IAM Credential Report Request
Updated the IoCs Ruleset with new findings. Improved the network_tool_binaries list. Added support for the accept4 syscall.
Default Policy Changes Added the following rules: AWS ECS Create Task Definition
AWS RDS Master Password Update
AWS IAM Credential Report Request
| 0.122.0 |
July 28, 2023 | Rule Changes | 0.121.4 |
July 27, 2023 | Rule Changes Reduced false positives for the following rules: Fileless Malware Detected (memfd)
Redirect STDOUT/STDIN to Network Connection in Container
Write below root
Packet socket created in container
Execution from /tmp
Increased the async limit to speed up validation times. Updated the IoCs Ruleset with new findings.
| 0.121.3 |
July 26, 2023 | Rule Changes Reduced false positives for the following rules: Improved performance for the Contact Task Metadata Endpoint rule. Updated the IoCs Ruleset with new findings.
| 0.121.2 |
July 25, 2023 | Rule Changes | 0.121.1 |
July 25, 2023 | Rule Changes Reduced false positives for the following rules: Added the following rules: Fileless Malware Detected (memfd)
Contact Azure Instance Metadata Service from Container
Contact GCP Instance Metadata Service from Container
Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.121.0 |
July 24, 2023 | Rule Changes | 0.120.4 |
July 22, 2023 | Rule Changes Reduced false positives for the following rules: Change thread namespace
Launch Privileged Container
Mount Launched in Privileged Container
Possible Backdoor using BPF
Improved outputs for the following rules: Suspicious Domain Contacted
non_system_user
Connection to IPFS Network Detected
Added the following macros to Threat Intel: Updated the IoCs Ruleset with new findings.
| 0.120.0 |
July 21, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious Domain Contacted
The docker client is executed in a container
eBPF Program Loaded into Kernel
Packet socket created in container
Updated the IoCs Ruleset with new findings. Tuned the Potential IRC connection detected preview rule.
| 0.120.3 |
July 20, 2023 | Rule Changes | 0.120.2 |
July 18, 2023 | Rule Changes Reduced false positives for the following rules: Read Shell Configuration File
Read sensitive file untrusted
Read ssh information
Write below monitored dir
Added exceptions for the following rules: Improved performance for the Write below monitored dir rule. Updated the IoCs Ruleset with new findings.
| 0.120.1 |
July 17, 2023 | Rule Changes | 0.119.4 |
July 13, 2023 | Rule Changes Reduced false positives for the following rules: Improved performance for the following rules: Updated the IoCs Ruleset with new findings.
| 0.119.3 |
July 12, 2023 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
Packet socket created in container
Change thread namespace
Terminal shell in container
eBPF Program Loaded into Kernel
Write below root
Improved performance for the following rules: Updated the IoCs Ruleset with new findings. Introduced retries for intermittent HTTP errors and improved logs.
| 0.119.2 |
July 11, 2023 | Rule Changes Reduced false positives for the following rules: Improved performance for the following rules: Unprivileged Delegation of Page Faults Handling to a Userspace Process
Write below rpm database
DB program spawned process
Delete or rename shell history
Updated the IoCs Ruleset with new findings.
| 0.119.1 |
July 10, 2023 | Rule Changes Reduced false positives for the following rules: Excluded local IPv6 from macros. Improved performance for the following rules: Read sensitive file trusted after startup
Write below etc
System procs network activity
Read sensitive file untrusted
AWS SSM Agent Activity
Added the following rules: EC2 Instance Connect System Access
AWS SSM Agent File Write
Removing MFA from Admin in Okta
Download and launch remote file copy tools in container
Find GCP Credentials
Find Azure Credentials
Updated the IoCs Ruleset with new findings. Improved condition for the following rule: Default Policy Changes Added the following rules: EC2 Instance Connect System Access
AWS SSM Agent File Write
Removing MFA from Admin in Okta
Download and launch remote file copy tools in container
Find GCP Credentials
Find Azure Credentials
| 0.119.0 |
July 07, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved the network_tool_binaries list.
| 0.118.3 |
July 06, 2023 | Rule Changes | 0.118.2 |
July 05, 2023 | Rule Changes Reduced false positives for the following rules: Launch Remote File Copy Tools in Container
Packet socket created in container
eBPF Program Loaded into Kernel
Launch Sensitive Mount Container
Updated the IoCs Ruleset with new findings. Fixed exceptions for the AWS SSM Agent Activity rule.
| 0.118.1 |
June 30, 2023 | Rule Changes | 0.117.8 |
June 28, 2023 | Rule Changes Reduced false positives for the following rules: DB program spawned process
Launch Sensitive Mount Container
Launch Root User Container
Updated the IoCs Ruleset with new findings. Improved the falco_sensitive_mount_images list. Added preview structure for rules.
Default Policy Changes | 0.117.7 |
June 26, 2023 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Redirect STDOUT/STDIN to Network Connection in Host
Launch Sensitive Mount Container
DB program spawned process
Read ssh information
Non sudo Setuid
Updated the IoCs Ruleset with new findings. Improved the process_name_exists macro.
| 0.117.6 |
June 23, 2023 | Rule Changes | 0.117.5 |
June 22, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved performance for the Contact EC2 Instance Metadata Service From Container and Write below binary dir rules.
| 0.117.4 |
June 21, 2023 | Rule Changes | 0.117.3 |
June 19, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved the falco_privileged_images list.
| 0.117.2 |
June 20, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Fixed exception value. Removed append fields from rules and macros.
| 0.117.1 |
June 09, 2023 | Rule Changes | 0.116.5 |
June 09, 2023 | Rule Changes | 0.116.4 |
June 08, 2023 | Rule Changes Reduced false positives for the following rules: Improved output for The docker client is executed in a container rule. Updated the IoCs Ruleset with new findings.
| 0.116.3 |
June 07, 2023 | Rule Changes Default Policy Changes | 0.116.2 |
May 31, 2023 | Rule Changes | 0.115.1 |
May 30, 2023 | Rule Changes Reduced false positives for the Execution from /tmp rule. Added the following rules: K8s Ingress Deleted
K8s Ingress Created/Modified
AWS EC2 Instance Connect/SSH Public Key Uploaded
Admin permission has been assigned to a group in Okta
Updated the IoCs Ruleset with new findings. Improved condition for the following rules: Default Policy Changes Added the following rules: K8s Ingress Deleted
K8s Ingress Created/Modified
AWS EC2 Instance Connect/SSH Public Key Uploaded
Admin permission has been assigned to a group in Okta
| 0.115.0 |
May 18, 2023 | Rule Changes Added the Okta CAPTCHA Settings Updated rule. Reduced false positives for the following rules: Read ssh information
Write below root
Run shell untrusted
Updated the IoCs Ruleset with new findings. Default Policy Changes Added the Okta CAPTCHA Settings Updated rule.
| 0.114.1 |
May 17, 2023 | Rule Changes Reduced false positives for the following rules: Launch Privileged Container
Read sensitive file untrusted
Read Shell Configuration File
eBPF Program Loaded into Kernel
Write below etc
Launch Root User Container
Create files below dev
Non sudo setuid
Added the following rules: Drop and execute new binary in container
GCP Cloud SQL Data Exfiltration
GCP Create Service Account
GCP Create or Modify Compute SSH Key
GCP Default Service Account Activity
Directory traversal monitored file read
Detection bypass by symlinked files
Updated the IoCs Ruleset with new findings. Introduced v16 ruleset. Improved condition for the OpenSSL File Read or Write rule. Improved detection for the Suspicious System Service Modification rule.
Default Policy Changes Added the following rules: Drop and execute new binary in container
GCP Cloud SQL Data Exfiltration
GCP Create Service Account
GCP Create or Modify Compute SSH Key
GCP Default Service Account Activity
Directory traversal monitored file read
Detection bypass by symlinked files
| 0.114.0 |
May 10, 2023 | Rule Changes | 0.113.2 |
May 09, 2023 | Rule Changes | 0.113.1 |
May 08, 2023 | Rule Changes Reduced false positives for the following rules: Launch Remote File Copy Tools in Container
Read Shell Configuration File
Write below etc
Set Setuid or Setgid bit
Change thread namespace
Write below rpm database
Launch Privileged Container
eBPF Program Loaded into Kernel
Updated the IoCs Ruleset with new findings. Improved condition for the following rules: Added the following rules: Added exceptions for the Ingress Object without TLS Certificate Created rule.
Default Policy Changes Added the following rules: | 0.113.0 |
May 05, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Non sudo setuid
Updated the Sysdig MITRE ATT&CK mapper. Updated the IoCs Ruleset with new findings.
| 0.112.3 |
May 04, 2023 | Rule Changes | 0.112.2 |
May 01, 2023 | Rule Changes Reduced false positives for the following rules: Write below etc
Read sensitive file untrusted
Kernel startup modules changed
Launch Privileged Container
Mount Launched in Privileged Container
Launch Ingress Remote File Copy Tools in Container
Non sudo setuid
Updated the IoCs Ruleset with new findings. Enabled the Java Process Class File Download rule by default.
Default Policy Changes Enabled the following rules by default: | 0.112.0 |
April 26, 2023 | Rule Changes Reduced false positives for the following rules: Run shell untrusted
eBPF Program Loaded into Kernel
Launch Sensitive Mount Container
Launch Package Management Process in Container
Launch Root User Container
Updated the following tags: AWS MITRE ATT&CK
Azure MITRE ATT&CK
GCP MITRE ATT&CK
Updated the IoCs Ruleset with new findings. Improved the MITRE ATT&CK tags. Improved the sysdig_commercial_images list.
Default Policy Changes Updated policy for the following rules: | 0.111.0 |
April 17, 2023 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Write below etc
Redirect STDOUT/STDIN to Network Connection in Container
Read ssh information
Clear Log Activities
Modify Shell Configuration File
System ClusterRole Modified/Deleted
Updated policy for the following rules: Updated IoCs Ruleset with new findings. Improved output for the Launch Excessively Capable Container rule. Added the Kernel startup modules changed rule.
Default Policy Changes | 0.110.0 |
April 11, 2023 | Rule Changes Reduced false positives for the following rules: Launch Package Management Process in Container
Read sensitive file untrusted
Write below etc
Netcat Remote Code Execution in Container
Container Run as Root User
Set Setuid or Setgid bit
Mount Launched in Privileged Container
Launch Root User Container
Non sudo setuid
Added tags for the following rules: Detect release_agent File Container Escapes
Unprivileged Delegation of Page Faults Handling to a Userspace Process
Launch Excessively Capable Container
Updated IoCs Ruleset with new findings. Moved malicious_download_tools into the Suspicious Network Tools rules. Improved the network_tool_binaries list. Fixed the Set Setuid or Setgid bit tag.
Default Policy Changes Updated policy for the following rules: Security Hub Disassociate From Master Account
Security Hub Delete Members
Security Hub Disassociate Members
| 0.109.0 |
April 07, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Suspicious Cron Modification
Disallowed K8s User
The docker client is executed in a container
Launch Package Management Process in Container
Clear Log Activities
Write below etc
Read sensitive file untrusted
PTRACE attached to process
Launch Excessively Capable Container
eBPF Program Loaded into Kernel
Non sudo setuid
Write below root
Write below rpm database
Launch Sensitive Mount Container
Launch Root User in Container
Added the following rules: Detect release_agent File Container Escapes
Java Process Class File Download
Launch Excessively Capable Container
Unprivileged Delegation of Page Faults Handling to a Userspace Process
Updated IoCs Ruleset with new findings. Added Falco rules versioning support. Added an exception for the Outbound Connection to C2 Servers rule.
Default Policy Changes Added the following rules: Detect release_agent File Container Escapes
Java Process Class File Download
Launch Excessively Capable Container
Unprivileged Delegation of Page Faults Handling to a Userspace Process
Updated policy for the following rules: Guard Duty Disassociate Members
Guard Duty Disassociate from Master Account
Guard Duty Delete Members
Added Falco rules versioning support. Removed the following rules from policies: Launch Disallowed Container
Interpreted procs inbound network activity
Interpreted procs outbound network activity
| 0.108.0 |
March 13, 2023 | Rule Changes Reduced false positives for the following rules: Clear Log Activities
Launch Package Management Process in Container
Container Run as Root User
Launch Remote File Copy Tools in Container
Launch Root User Container
Improved condition for the following rules: Updated IoCs Ruleset with new findings.
Default Policy Changes Updated policy for the following rules: | 0.106.0 |
March 07, 2023 | Rule Changes Added the following rules: Create Bucket
Delete Bucket
Improved the output for the following rules: Updated the MITRE, GCP MITRE, and AWS MITRE tags. Improved condition for the Tampering with Security Software in Container rule. Reduced false positives for the following rules: The docker client is executed in a container
Launch Privileged Container
Write below root
Schedule Cron Jobs
Suspicious Cron Modification
Launch Remote File Copy Tools in Container
Launch Suspicious Network Tool on Host
System procs activity
Modify Shell Configuration File
Write below etc
Launch Sensitive Mount Container
Mount Launched in Privileged Container
PTRACE attached to process
Updated Kubernetes image registry domains. Improved the falco_privileged_images list. Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.105.0 |
February 28, 2023 | Rule Changes Added the following rules: Create Hardlink Over Sensitive Files
Azure Storage Account Created
Azure Storage Account Deleted
GCP Create Project
GCP Create Compute VM Instance
GCP Enable API
Reduced false positives for the following rules: Suspicious Operations with Firewalls
Linux Kernel Module Injection Detected
PTRACE attached to process
Read sensitive file untrusted
Improved condition for the following rules: Updated IoCs Ruleset with new findings.
Default Policy Changes Added the following rules: Create Hardlink Over Sensitive Files
Azure Storage Account Created
Azure Storage Account Deleted
GCP Create Project
GCP Create Compute VM Instance
GCP Enable API
| 0.104.1 |
February 24, 2023 | Rule Changes | 0.103.1 |
February 23, 2023 | Rule Changes Added the following rules: Modify Timestamp attribute in File
Launch Code Compiler Tool in Container
Put Bucket ACL for AllUsers
Reduced false positives for the following rules: Improved condition for the following rule: Put Bucket Lifecycle Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.103.0 |
February 14, 2023 | Rule Changes Added the following rules: User Management Event Detected
Users Group Management Event Detected
OpenSSL File Read or Write
Reduced false positives for the following rules: Improved condition for the following rules: Improved the sensitive_kernel_parameter_files list. Updated IoCs Ruleset with new findings. Added an exception for the OpenSSL File Read or Write rule.
Default Policy Changes | 0.102.1 |
February 08, 2023 | Rule Changes Added the following list: security_processes. Improved the following list: network_tool_binaries. Reduced false positives for the following rules: Contact EC2 Instance Metadata Service From Container
Run shell untrusted
System procs network activity
Set Setuid or Setgid bit
eBPF Program Loaded into Kernel
Improved the condition for the following rule: Detect reconnaissance scripts Updated IoCs Ruleset with new findings.
| 0.101.1 |
January 26, 2023 | Rule Changes Added the following rules: K8s CronJob Deleted
K8s CronJob Created/Modified
Read Environment Variable from /proc files in Container
Suspicious OpenSSL Shared Object Loaded
Reduced false positives for the following rules: Improved condition for the following rule: GPG Key Reconnaissance Updated IoCs Ruleset with new findings.
Default Policy Changes Added the following rules: K8s CronJob Deleted
K8s CronJob Created/Modified
Read Environment Variable from /proc files in Container
Suspicious OpenSSL Shared Object Loaded
| 0.100.2 |
January 20, 2023 | Rule Changes Added the following rules: Improved condition for the following rules: Create Security Group Rule Allowing Ingress Open to the World
Create a Network ACL Entry Allowing Ingress Open to the World
Detect reconnaissance scripts
Lastlog Files Cleared
Launch Remote File Copy Tools in Container
Put Bucket Lifecycle
Delete or rename shell history
Added exception for the following rules: Updated IoCs Ruleset with new findings. Reduced false positives for the Find AWS Credentials rule. Default Policy Changes Added the following rules:
| 0.99.0 |
January 09, 2023 | Rule Changes Reduced false positives for the Container Run as Root User rule. Improved condition for the Suspicious Operations with Firewalls rule. Added the following rules: Added tags to the K8s Networkpolicy Deleted rule. Added exceptions for the following: Delete Organization Config Rule
Delete Cluster
Elasticsearch Domain Creation without Encryption at Rest
ECR Image Pushed
Put Remediation Configurations
Delete Configuration Aggregator
Put Organization Config Rule
Put Organization Conformance Pack
Stop Configuration Recorder
Delete Organization Conformance Pack
ECS Service Created
ECS Service Deleted
Terminal Shell in ECS Container
ECS Task Run or Started
ECS Service Task Definition Updated
ECS Task Stopped
Create HTTP Target Group without SSL
Elasticsearch Domain Creation without VPC
Run Instances
CloudTrail Trail Created
Create Security Group Rule Allowing SSH Ingress
Guard Duty Disassociate from Master Account
Guard Duty Delete Members
Disable GuardDuty
Delete Detector
Create Access Key for Root User
Guard Duty Disassociate Members
Stop Monitoring Members
Password Recovery Requested
Deactivate Hardware MFA for Root User
Add AWS User to Group
Attach Administrator Policy
Attach IAM Policy to User
Deactivate MFA for Root User
Create Group
Create IAM Policy that Allows All
Create Access Key for User
Deactivate Virtual MFA for Root User
Delete Virtual MFA for Root User
Create AWS user (SSO)
Create AWS user
Delete AWS user (SSO)
Deactivate MFA for User Access
Delete Group
Put IAM Inline Policy to User
Delete AWS user
Remove AWS User from Group
Update Account Password Policy Not Expiring
Update Account Password Policy Expiring in More Than 90 Days
Update Account Password Policy Not Preventing Reuse of Last 24 Passwords
Update Account Password Policy Not Preventing Reuse of Last 4 Passwords
Update Account Password Policy Not Requiring 14 Characters
Update Account Password Policy Not Requiring 7 Characters
Update Account Password Policy Not Requiring Lowercase
Update Account Password Policy Not Requiring Number
Update Account Password Policy Not Requiring Symbol
Update Account Password Policy Not Requiring Uppercase
Replace Route
Modify Image Attribute
Modify Snapshot Attribute
Revoke Security Group Egress
Revoke Security Group Igress
Run Instances in Non-approved Region
Create Internet-facing AWS Public Facing Load Balancer
Delete Listener
Modify Listener
Disable EBS Encryption by Default
Contact EC2 Instance Metadata Service From Container
EC2 Serial Console Access Enabled
Make EBS Snapshot Public
Get Password Data
Default Policy Changes Added the following rules: | 0.98.2 |
January 04, 2023 | Rule Changes Reduced false positives for the following rules: Updated IoCs Ruleset with new findings. Added exception for the DB program spawned process rule. Improved output for the Suspicious System Service Modification rule.
| 0.98.0 |
December 04, 2022 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Non sudo setuid
Read SSH information
Read Shell Configuration File
Write below etc
Reconnaissance attempt to find SUID binaries
Suspicious Domain Contacted
Updated IoCs Ruleset with new findings. Improved detection for the Non sudo setuid rule. Added the following rule: Detect cloned process by PRoot. Default Policy Changes Added the Detect cloned process by PRoot rule.
| 0.96.0 |
December 01, 2022 | Rule Changes Disabled the Create Hidden Files or Directories rule. | 0.94.2 |
November 29, 2022 | Rule Changes Improved output for the Suspicious Cron Modification rule. Reduced false positive for the Read SSH information rule. Updated IoCs Ruleset with new findings. Enabled the Create Hidden Files or Directories rule. Added the Create/modify EKS serviceaccount bound rule to the AWS Identity and Access Management (IAM) role. Added the Suspicious Domain Contacted rule.
Default Policy Changes | 0.94.0 |
November 22, 2022 | Rule Changes Reduced false positives for the following rules: Privileged Shell Spawned Inside Container
Clear Log Activities
Read ssh information
Search Private Keys or Passwords
Launch Suspicious Network Tool in Container
Container Run as Root User
Change Thread Namespace
Read Shell Configuration File
Improved tags for the eBPF Program Loaded into Kernel rule. Updated IoCs Ruleset with new findings. Improved detection for the Non sudo setuid rule. Added the following rules: Default Policy Changes
| 0.93.0 |
November 10, 2022 | Rule Changes Reduced false positives for the following rules: Suspicious Kernel Parameter Modification
The docker client is executed in a container
Mount Launched in Privileged Container
Reconnaissance attempt to find SUID binaries
PTRACE attached to process
Linux Kernel Module Injection Detected
Updated IoCs Ruleset with new findings. Improved detection for the Non sudo setuid rule. Added the following rules: Default Policy Changes
| 0.92.0 |
October 19, 2022 | Rule Changes Renamed lists, macros, and rules for Falco Cloud. Added the Unexpected Connection from legitimate Process/Port rule. Updated IoCs Ruleset with new findings. Edited the output for the Reconnaissance attempt to find SUID binaries rule.
Default Policy Changes Renamed lists, macros, and rules for Falco Cloud. Added the Unexpected Connection from legitimate Process/Port rule.
| 0.91.0 |
October 14, 2022 | Rule Changes Updated the sensitive_kernel_parameter_files list to detect changes on the ptrace_scope file. Added the Diamorphine Rootkit Activity rule. Updated IoCs Ruleset with new findings. Reduced false positives in the Dump memory for credentials rule.
Default Policy Changes | 0.90.0 |
October 07, 2022 | Rule Changes Tuned the Dump memory for credentials rule. Added the following rules: Kill malicious process, Detect dump memory for credentials.
Updated IoCs Ruleset with new findings. Updated Cloud MITRE tags. Reduced false positives in Falco Rules. Added new rules: Dump memory for credentials, Kill known malicious process.
Use glob in the user_ssh_directory macro and remove openat2 from conditions. Added an exception to the AWS Command Executed by Untrusted User rule. Changed exception in the Change Resource Record Sets rule. Changed the allowed_k8s_users list.
Default Policy Changes | 0.89.0 |
September 27, 2022 | Rule Changes Default Policy Changes Disabled S3 versioning | 0.88.0 |
September 23, 2022 | Rule Changes Increased IoCs and added additional exceptions. Added exclusions to reduce false positives. Added additional parameters to the sensitive_kernel_parameter_files list.
| 0.87.0 |
September 09, 2022 | Rule Changes | 0.86.0 |
September 08, 2022 | Rule Changes Default Policy Changes Removed the following rules from default policies: Scripting Language Execution below dev. | 0.85.0 |
August 24, 2022 | Rule Changes New rules: Share RDS Snapshot with Foreign Account. Rule tuning for the following: PTRACE anti-debug attempt
Suspicious Cron Modification
Suspicious Java Child Processes
Create Symlink Over Sensitive Files
Netcat Remote Code Execution in Container
eBPF Program Loaded into Kernel
Updated IoCs Ruleset with new findings.
| 0.83.0 |
August 19, 2022 | Rule Changes Fixed the output for two PTRACE rules. Added additional conditions to improve detections for Delete/rename Bash History. Enabled the do_unexpected_udp_check macro. Added the new rule: GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).
Auto-Tuner Exception Updates Added additional exceptions for Privileged Shell Inside Container. Added Azure core image to the Suspicious Cron Modification exception.
| 0.82.0 |
Aug 11, 2022 | Rule Changes Added Azure rule: Azure RDP Access Is Allowed from The Internet. Updated auto-tuner exceptions to reduce excessive noise: Change Resource Record Sets (AWS)
Create Hidden Files or Directories
Describe Instances (AWS)
GCP Delete Compute VM Instance
GCP Operation by a Non-corporate Account
List Buckets (AWS)
Non sudo setuid
Root User Executing AWS Command
Run shell untrusted
The docker client is executed in a container
User mgmt binaries
Updated IoCs Ruleset with new findings. Default Policy Changes Added new rules: Azure RDP Access Is Allowed from The Internet
| 0.81.2 |
Aug 05, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Linux Kernel Module Injection Detected
eBPF Program Loaded into Kernel
Privileged Shell Spawned Inside Container
Added the following new rules: Extended the condition of the following rules: Updated IoCs Ruleset with new findings. Default Policy Changes Added new rules to default policies.
| 0.80.1 |
July 26, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Added the following new rules: PTRACE anti-debug attempt
PTRACE attached to process
Detect reconnaissance scripts
Detect malicious cmdlines
GCP Create DNS Record
GCP Create DNS Zone
GCP Delete DNS Record
GCP Update DNS Record
GCP Update DNS Zone
GCP Cloud Armor Blocked Connection
GCP Cloud IDS Alert
Delete AWS user (SSO)
Updated the following rule: Reconnaissance attempt to find SUID binaries Updated the following lists: falco_privileged_images Updated IoCs Ruleset with new findings. Default Policy Changes Added new rules to default policies.
| 0.79.2 |
July 15, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Added the following new rules: Detect curl Using Socks Proxy
Create AWS user (SSO)
GCP Delete VPN
GCP App Engine Firewall Rule Created
GCP Compute Firewall Rule Created
GCP Create VPN
GCP Sensitive Role Added to User
Added additional exceptions to: Read sensitive file untrusted
Run shell untrusted
Non sudo setuid
Clear Log Activities
Execution of binary using ld-linux
eBPF Program Loaded into Kernel
Terminal shell in container
The docker client is executed in a container
Added the Detect curl Using Socks Proxy rule to the IoCs Malware Activity and Sysdig Runtime Threat Detection policies. Added Create AWS user (SSO) to the Sysdig AWS Activity Logs policy. Added the GCP Delete VPN and GCP Sensitive Role Added to User rules to the Sysdig GCP Notable Events policy. Added the GCP App Engine Firewall Rule Created, GCP Compute Firewall Rule Created, and GCP Create VPN rules to the Sysdig GCP Activity Logs policy. Split AWS rules into individual files and moved lists out of individual files into their own file at the top of the output aws_cloudtrail.yaml. Fixed tag in the Delete Cluster rule. Updated IoCs Ruleset with new findings.
| 0.78.0 |
July 08, 2022 | Rule Changes Restored the following missing rule: nsenter Container Escape. Cleaned up the following duplicate macro: falco_sensitive_mount_containers. Adjusted the following eBPF rule: eBPF Program Loaded into Kernel. Updated IoCs Ruleset with new findings. Updated all the CloudTrail rules to add ARNs to output.
Default Policy Changes Modified to work with both old default_policies and managed default_policies. | 0.77.0 |
July 01, 2022 | Rule Changes Added Miner IP Pool Threat Intelligence: Detect outbound connections to common miner pool ports | 0.76.1 |
June 30, 2022 | Rule Changes Added additional exceptions: Linux Kernel Module Injection Detected. Created the following new rules: GCP App Engine Firewall Rule Deleted
GCP App Engine Firewall Rule Updated
GCP Create Cloud Function v2 Not Using Latest Runtime
GCP Create Cloud Function v2
GCP Compute Firewall Rule Deleted
GCP Compute Firewall Rule Updated
GCP Delete Compute VM Instance
GCP Update Cloud Function v2
Malicious Environment Variable in Spawned Process
nsenter Container Escape
Updated the following GCP rules: GCP Create Cloud Function Not Using Latest Runtime
GCP Create Cloud Function
GCP Create DLP Job
GCP Delete DLP Job
GCP Paused DLP Job
GCP Suspicious IP Inbound Request
GCP Update Cloud Function
GCP Updated DLP Job
Added CIS tag to the rules related to Center for Internet Security (CIS) Docker Security Benchmark controls: Container Run as Root User
Disallowed SSH Connection
Launch Privileged Container
Launch Root User Container
Launch Sensitive Mount Container
Mount Launched in Privileged Container
Privileged Shell Spawned Inside Container
Reconnaissance attempt to find SUID binaries
The docker client is executed in a container
Write below root
Updated IoCs Ruleset with new findings.
Default Policy Changes Added the following rules to the default policy: GCP App Engine Firewall Rule Deleted
GCP Compute Firewall Rule Deleted
Malicious Environment Variable in Spawned Process
nsenter Container Escape
| 0.76.0 |
June 24, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Modified the following macros: truncate_shell_history
modify_shell_history
Extended the condition of the rule Detect crypto miners using the Stratum protocol to improve detection capabilities. New rules created: Launch malicious container image
GCP Suspicious IP Inbound Request
GCP Allow Public Access to Bucket
GCP KMS Schedule Key Deletion
GCP Create DLP Job
GCP Delete DLP Job
GCP Update DLP Job
GCP Paused DLP Job
Updated IoCs Ruleset with new findings.
Default Policy Changes Added the following rule to the default policy IoCs Malware Activity: Launch malicious container image. Added the following rules to the default policy Sysdig GCP Best Practices: GCP Suspicious IP Inbound Request
GCP Allow Public Access to Bucket
GCP KMS Schedule Key Deletion
GCP Delete DLP Job
GCP Paused DLP Job
| 0.75.0 |
June 17, 2022 | Rule Changes Added the following new rules: Modified the following rules: Updated the macro sysdig_commercial_images. It now contains two new Kubernetes Security Posture Management (KSPM) images. Added the new macro ti_anon_ips for Tor source IP addresses. Updated IoCs Ruleset with new findings.
Default Policy Changes Added the new rule, AWS Suspicious IP Inbound Request, to the Sysdig AWS Best Practices policy. Added the new rule, eBPF Program Loaded into Kernel, to the Suspicious Container Activity policy.
| 0.74.3 |
June 03, 2022 | Rule Changes Added a new rule: Suspicious Java Child Processes. Updated the package_mgmt_procs macro to detect package management processes with Python. Updated some exceptions in the Change thread namespace rule. Updated IoCs Ruleset with new findings.
Default Policy Changes Added the new rule, Suspicious Java Child Processes, to the IoCs Malware Activity policy. | 0.72.0 |
May 26, 2022 | Rule Changes Added the following new rules: Modified exceptions to reduce noise: Change thread namespace
Contact cloud metadata service from container
DB program spawned process
K8s ConfigMap Created
K8s ConfigMap Deleted
K8s Serviceaccount Created
Netcat Remote Code Execution in Container
Privileged Shell Spawned Inside Container
Set Setuid or Setgid bit
System ClusterRole Modified/Deleted
Write below monitored dir
Write below root
Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.70.3 |
May 20, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Set Setuid or Setgid bit
Execution from /tmp
Fixed the condition of the following rules: Execution from /tmp
Execution from /dev/shm
Updated IoCs Ruleset with new findings.
| 0.69.0 |
May 13, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Run shell untrusted
Launch Privileged Container
Container Run as Root User
Write below root
Write below rpm database
DB program spawned process
Privileged Shell Spawned Inside Container
Launch Suspicious Network Tool in Container
Remove Bulk Data from Disk
Set Setuid or Setgid bit
Packet socket created in container
Execution from /tmp
Created the new rule, Possible Backdoor using BPF. This rule triggers if a process was seen attaching a Berkeley Packet Filter (BPF) filter on a network socket. This could indicate packet sniffing for use in a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule. Created the new rule, Execution of binary using ld-linux. This method can be used to execute programs that do not have the exec bit set and may possibly evade detection measures. Fixed the condition of the following rules: Write below binary dir
Set Setuid or Setgid bit
Updated IoCs Ruleset with new findings.
Default Policy Changes Added the Possible Backdoor using BPF rule to the Notable Network Activity policy. Added the new rule, Execution of binary using ld-linux, to the IoCs Malware Activity policy.
| 0.68.1 |
May 6, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Created the new rule Tampering with Security Software in Container. This rule detects common techniques used by threat actors to disable runtime security software. Created the new rule Detect outbound connections to TOR Entry Nodes. This rule detects when clients reach the Tor network through its entry nodes. Note that this is an experimental rule and only contains a subset of Tor entry nodes. It will be improved upon in the future. Fixed the condition of the following rule: Execution from /tmp. Updated IoCs Ruleset with new findings.
Default Policy Changes Moved the Redirect STDOUT/STDIN to Network Connection in Container rule to the Notable Container Activity default policy. Added the Tampering with Security Software in Container rule to the Suspicious Container Activity default policy. Added the Detect outbound connections to TOR Entry Nodes rule to the IoCs Malware Activity default policy.
| 0.67.1 |
April 28, 2022 | Rule Changes Added a new rule file, threat_intelligence_feed.yaml, with lists and macros directly updated by the Sysdig Threat Research Team. Updated the following list: sysdig_commercial_images. Updated IoCs Ruleset with new findings. Updated Falco rules conditions: Added additional exceptions to aid in addressing false positives: Execution from /tmp
Create Symlink Over Sensitive Files
Change thread namespace
DB program spawned process
Suspicious Cron Modification
| 0.66.1 |
April 21, 2022 | Rule Changes Added a new AWS CloudTrail rule: Create RDS DB Instance with Public Access. Added the following Falco rules: Base64-encoded Shell Script Execution
Execution from /dev/shm
Added additional exceptions to aid in addressing false positives: Service Account Created in Kube Namespace
K8s Serviceaccount Created
Modified to add a list of malicious IPs: Outbound Connection to C2 Servers. Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.65.1 |
April 18, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Change thread namespace
Create Symlink Over Sensitive Files
Container Run as Root User
DB program spawned process
Privileged Shell Spawned Inside Container
Run shell untrusted
Set Setuid or Setgid bit
Write below etc
| 0.65.0 |
April 17, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Privileged Shell Spawned Inside Container | 0.64.1 |
April 15, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Created the new rule Base64-encoded Python Script Execution. This rule detects base64-encoded Python scripts on command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection. Fixed the output of the following rules: Updated IoCs Ruleset with new findings.
Default Policy Changes Added the Base64-encoded Python Script Execution rule to the IoCs Malware Activity default policy. Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy. Created the new default policy, Known Exploit Detection. This policy embeds the rules that can identify potential exploits of well-known CVEs.
| 0.64.0 |
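As an added example (not Sysdig's own rule or code), the detection logic behind a rule like Base64-encoded Python Script Execution, run over constructed exec events; the `proc_name`/`cmdline` field names and the Python-marker heuristic are assumptions.

```python
"""Detection logic in the spirit of the Base64-encoded Python Script Execution rule.

Added example, not Sysdig's rule or code. It scans constructed process exec
events, decodes base64-looking command-line tokens, and flags those that decode
to Python source handed to a Python interpreter, either via `python -c` or via
a shell pipeline into the interpreter. Event field names are assumptions.
"""
import base64
import binascii
import re
import shlex

PYTHON_INTERPRETERS = {"python", "python2", "python3"}
# A base64 run long enough to carry a script rather than a short flag or word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Substrings that make decoded text look like Python rather than random bytes.
PY_MARKERS = ("import ", "exec(", "eval(", "__import__", "def ", "print(")


def b64_to_text(token):
    """Decode a base64 token to UTF-8 text; return None if it is not valid."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def looks_like_python(text):
    """Cheap heuristic: the decoded payload contains typical Python constructs."""
    return any(marker in text for marker in PY_MARKERS)


def python_involved(proc_name, words):
    """True if the exec'd process or any command-line word is a Python interpreter."""
    if proc_name in PYTHON_INTERPRETERS:
        return True
    return any(word.rsplit("/", 1)[-1] in PYTHON_INTERPRETERS for word in words)


def detect_b64_python_exec(event):
    """Return a finding dict for one exec event, or None if nothing is suspicious."""
    try:
        args = shlex.split(event["cmdline"])
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        args = event["cmdline"].split()
    # Split again on whitespace so `sh -c "echo X | python3"` exposes its words.
    words = [word for arg in args for word in arg.split()]
    if not python_involved(event["proc_name"], words):
        return None
    for word in words:
        for token in B64_RUN.findall(word):
            decoded = b64_to_text(token)
            if decoded is not None and looks_like_python(decoded):
                return {
                    "rule": "Base64-encoded Python Script Execution",
                    "proc_name": event["proc_name"],
                    "decoded_script": decoded,
                }
    return None


def scan(events):
    """Run the detector over a list of events and return every finding."""
    return [f for f in (detect_b64_python_exec(e) for e in events) if f]


# Constructed sample payload and exec events (not real telemetry).
SAMPLE_SCRIPT = "import os; print(os.getcwd())"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_EVENTS = [
    # Interpreter decodes and exec()s a base64 blob passed with -c: flagged.
    {"proc_name": "python3",
     "cmdline": "python3 -c \"import base64;exec(base64.b64decode('%s'))\"" % SAMPLE_B64},
    # Same payload piped through base64 -d into the interpreter by a shell: flagged.
    {"proc_name": "sh", "cmdline": "sh -c \"echo %s | base64 -d | python3\"" % SAMPLE_B64},
    # Benign inline script with nothing base64-encoded: not flagged.
    {"proc_name": "python3", "cmdline": "python3 -c \"print('hello')\""},
    # Base64 on the command line but no Python interpreter involved: not flagged.
    {"proc_name": "curl",
     "cmdline": "curl -H 'Authorization: Basic dXNlcjpwYXNzd29yZA==' https://example.invalid/"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```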
April 12, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Disabled the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule by removing its condition.
| 0.63.0 |
April 09, 2022 | Rule Changes Default Policy Changes Policy: Notable Filesystem Changes Policy: Suspicious Container Activity Policy: Suspicious Lateral Movement Activity to Cloud Policy: Unexpected Spawned Processes
| 0.62.1 |
April 06, 2022 | Rule Changes Reduced noise for the rules Write below monitored dir and Write below etc by adding additional exceptions. | 0.62.0 |
March 25, 2022 | Rule Changes Added the following new rules: Updated auto-tuner exceptions for the following: Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.60.0 |
March 18, 2022 | Rule Changes Updated the condition of the Launch Root User Container rule. Updated the following lists to address false positives: miner_domains
allowed_k8s_users
Updated some exceptions in the Schedule Cron Jobs rule. Created the sssd_writing_krb macro from the new release of OSS Falco. Updated IoCs Ruleset with new findings. Updated the following macros based on the changes in Falco OS: modify_shell_history
truncate_shell_history
write_etc_common
Default Policy Changes Updated the IoCs Malware Activity policy. Removed some rules from Notable Filesystem Changes policy: Write below etc
Write below root
Write below rpm database
Write below binary dir
Removed one rule from the Notable Container Activity policy: Change thread namespace
| 0.59.2 |
March 10, 2022 | Rule Changes Excluded ptp and dp from the Change thread namespace rule. Excluded self from the K8s Serviceaccount Created rule. Excluded known cron writers from the Schedule Cron Jobs rule. Updated the IoCs Ruleset with new findings.
| 0.58.1 |
March 06, 2022 | Rule Changes Added additional exceptions to aid in addressing false positives for rules: Updated the following macros based on the changes in Falco OS: aws_eks_core_images Updated IoCs Ruleset with new findings.
| 0.57.2 |
March 03, 2022 | Rule Changes Fixed exception to aid in addressing false positives for rules:
Contact K8S API Server From Container | 0.56.5 |
March 01, 2022 | Rule Changes | 0.56.4 |
February 18, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives for rules: Modify Shell Configuration File
Write below etc
Write below rpm database
DB program spawned process
Clear Log Activities
Launch Root User Container
Updated the following macros based on the changes in Falco OS: Updated the following lists to address false positives: Updated IoCs Ruleset with new findings.
| 0.55.2 |
February 10, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives for rules: Updated the following macros based on the changes in Falco OS: Updated the following lists based on the changes in Falco OS: Updated IoCs Ruleset with new findings.
| 0.54.3 |
February 07, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives for rules: Launch Root User Container
| 0.53.4 |
February 04, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives for rules: Modify Shell Configuration File
Write below etc
Write below root
Read sensitive file trusted after startup
Change thread namespace
Launch Suspicious Network Tool in Container
Redirect STDOUT/STDIN to Network Connection in Container
Updated the following macros based on the changes in Falco OS: spawned_process
sensitive_mount
Updated the following lists based on the changes in Falco OS: Updated the following lists to address false positives: Updated IoCs Ruleset with new findings.
| 0.53.3 |
January 29, 2022 | Rule Changes | 0.52.0 |
January 21, 2022 | Rule Changes Updated IoCs Ruleset with new findings. | 0.51.1 |
January 14, 2022 | Rule Changes Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role. Updated tags for AWS Rule: AWS Command Executed on Unused Region. Updated tags for the following Google Cloud Platform (GCP) Rules: GCP Invitation Sent to Non-corporate Account
GCP Create User-managed Service Account Key
GCP Create GCP-managed Service Account Key
GCP Create Cloud Function Not Using Latest Runtime
GCP Set Bucket IAM Policy
GCP Create Bucket
| 0.50.5 |