January 20, 2023 | Rule Changes Added the following rules: Improved condition for the following rules: Create Security Group Rule Allowing Ingress Open to the World
Create a Network ACL Entry Allowing Ingress Open to the World
Detect reconnaissance scripts
Lastlog Files Cleared
Launch Remote File Copy Tools in Container
Put Bucket Lifecycle
Delete or rename shell history
Added exception for the following rules: Updated IoCs Ruleset with new findings. Reduced false positives for the following rule Find AWS Credentials rule. Default Policy Changes Added the following rules:
| 0.99.0 |
January 09, 2023 | Rule Changes Reduced false positives for the Container Run as Root User rule. Improve condition for the Suspicious Operations with Firewalls rule. Added the following rules: Added tags to the K8s Networkpolicy Deleted rule. Added exceptions for the following: Delete Organization Config Rule
Delete Cluster
Elasticsearch Domain Creation without Encryption at Rest
ECR Image Pushed
Put Remediation Configurations
Delete Configuration Aggregator
Put Organization Config Rule
Put Organization Conformance Pack
Stop Configuration Recorder
Delete Organization Conformance Pack
ECS Service Created
ECS Service Deleted
Terminal Shell in ECS Container
ECS Task Run or Started
ECS Service Task Definition Updated
ECS Task Stopped
Create HTTP Target Group without SSL
Elasticsearch Domain Creation without VPC
Run Instances
CloudTrail Trail Created
Create Security Group Rule Allowing SSH Ingress
Guard Duty Disassociate from Master Account
Guard Duty Delete Members
Disable GuardDuty
Delete Detector
Create Access Key for Root User
Guard Duty Disassociate Members
Stop Monitoring Members
Password Recovery Requested
Deactivate Hardware MFA for Root User
Add AWS User to Group
Attach Administrator Policy
Attach IAM Policy to User
Deactivate MFA for Root User
Create Group
Create IAM Policy that Allows All
Create Access Key for User
Deactivate Virtual MFA for Root User
Delete Virtual MFA for Root User
Create AWS user (SSO)
Create AWS user
Delete AWS user (SSO)
Deactivate MFA for User Access
Delete Group
Put IAM Inline Policy to User
Delete AWS user
Remove AWS User from Group
Update Account Password Policy Not Expiring
Update Account Password Policy Expiring in More Than 90 Days
Update Account Password Policy Not Preventing Reuse of Last 24 Passwords
Update Account Password Policy Not Preventing Reuse of Last 4 Passwords
Update Account Password Policy Not Requiring 14 Characters
Update Account Password Policy Not Requiring 7 Characters
Update Account Password Policy Not Requiring Lowercase
Update Account Password Policy Not Requiring Number
Update Account Password Policy Not Requiring Symbol
Update Account Password Policy Not Requiring Uppercase
Replace Route
Modify Image Attribute
Modify Snapshot Attribute
Revoke Security Group Egress
Revoke Security Group Igress
Run Instances in Non-approved Region
Create Internet-facing AWS Public Facing Load Balancer
Delete Listener
Modify Listener
Disable EBS Encryption by Default
Contact EC2 Instance Metadata Service From Container
EC2 Serial Console Access Enabled
Make EBS Snapshot Public
Get Password Data
Default Policy Changes Added the following rules: | 0.98.2 |
January 04, 2023 | Rule Changes Reduced false positives for the following rules: Updated IoCs Ruleset with new findings. Added exception for the DB program spawned process rule. Improve output for the Suspicious System Service Modification rule.
| 0.98.0 |
December 04, 2022 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Non sudo setuid
Read SSH information
Read Shell Configuration File
Write below etc
Reconnaissance attempt to find SUID binaries
Suspicious Domain Contacted
Updated IoCs Ruleset with new findings. Improved detection for the Non sudo setuid rule. Added the following rule: Detect cloned process by PRoot Default Policy Changes Added the Detect cloned process by PRoot rule.
| 0.96.0 |
December 01, 2022 | Rule Changes Disable the Create Hidden Files or Directories rule. | 0.94.2 |
November 29, 2022 | Rule Changes Improved output for the Suspicious Cron Modification rule. Reduced false positive for the Read SSH information rule. Updated IoCs Ruleset with new findings. Enabled the Create Hidden Files or Directoriesrule. Added the Create/modify EKS serviceaccount boundrule to the AWS IAM role. Add the Suspicious Domain Contactedrule.
Default Policy Changes | 0.94.0 |
November 22, 2022 | Rule Changes Reduced false positives for the following rules: Privileged Shell Spawned Inside Container
Clear Log Activities
Read ssh information
Search Private Keys or Passwords
Launch Suspicious Network Tool in Container
Container Run as Root User
Change Thread Namespace
Read Shell Configuration File
Improve tags for the eBPF Program Loaded into Kernelrule. Updated IoCs Ruleset with new findings. Improved detection for the Non sudo setuid rule. Added the following rules: Default Policy Changes
| 0.93.0 |
November 10, 2022 | Rule Changes Reduced false positives for the following rules: Suspicious Kernel Parameter Modification
The docker client is executed in a container
Mount Launched in Privileged Container
Reconnaissance attempt to find SUID binaries
PTRACE attached to process
Linux Kernel Module Injection Detected
Updated IoCs Ruleset with new findings. Improved detection for the Non sudo setuid rule. Added the following rules: Default Policy Changes
| 0.92.0 |
October 19, 2022 | Rule Changes Rename lists, macros, and rules for Falco Cloud. Add the Unexpected Connection from legitimate Process/Port rule. Updated IoCs Ruleset with new findings. Edit the output for the Reconnaissance attempt to find SUID binaries rule.
Default Policy Changes Rename lists, macros, and rules for Falco Cloud. Add the Unexpected Connection from legitimate Process/Port rule.
| 0.91.0 |
October 14, 2022 | Rule Changes Update the sensitive_kernel_parameter_files list to detect changes on the ptrace_scope file. Added the Diamorphine Rootkit Activity rule. Updated IoCs Ruleset with new findings. Reduced false positives in the Dump memory for credentials rule.
Default Policy Changes | 0.90.0 |
October 07, 2022 | Rule Changes Tuning the Dump memory for credentials on rule. Add the kill malicious process and detect dump memory for credentials rule. Updated IoCs Ruleset with new findings. Updated Cloud Mitre tags. Reduced false positives in Falco Rules. Added news rules: Dump memory for credentials Kill known malicious process Use glob in the user_ssh_directory macro and remove openat2 from conditions. Added exception to the AWS Command Executed by Untrusted User rule. Changed exception in the Change Resource Record Sets rule. Changed the allowed_k8s_users list.
Default Policy Changes | 0.89.0 |
September 23, 2022 | Rule Changes Increased IoCs and added additional exceptions. Added exclusions to reduce false Positives. Adding additional parameters to sensitive_kernel_parameter_files list.
| 0.87.0 |
September 08, 2022 | Rule Changes Default Policy Changes Removed the following rules from default policies:Scripting Language Execution below dev. | 0.85.0 |
August 24, 2022 | Rule Changes New rules:Share RDS Snapshot with Foreign Account Rule tuning for the following: PTRACE anti-debug attempt
Suspicious Cron Modification
Suspicious Java Child Processes
Create Symlink Over Sensitive Files
Netcat Remote Code Execution in Container
eBPF Program Loaded into Kernel
Updated IoCs Ruleset with new findings.
| 0.83.0 | August 19, 2022 | Rule Changes Fixed the output for two PTRACE rules. Added additional conditions to improve detections for Delete/rename Bash History. Enable the do_unexpected_udp_checkmacro. Added the new rule: GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).
Auto-Tuner Exception Updates Added additional exceptions for
Privileged Shell Inside Container. Added Azure core image to the exception, Suspicious Cron Modification.
| 0.82.0 |
Aug 11, 2022 | Rule Changes Added Azure rule: Azure RDP Access Is Allowed from The Internet Updated auto-tuner exceptions to reduce excessive noise: Change Resource Record Sets (AWS)
Create Hidden Files or Directories
Describe Instances (AWS)
GCP Delete Compute VM Instance
GCP Operation by a Non-corporate Account
List Buckets (AWS)
Non sudo setuid
Root User Executing AWS Command
Run shell untrusted
The docker client is executed in a container
User mgmt binaries
Updated IoCs Ruleset with new findings. Default Policy Changes Added new rules: Azure RDP Access Is Allowed from The Internet
| 0.81.2 |
Aug 05, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Linux Kernel Module Injection Detected
eBPF Program Loaded into Kernel
Privileged Shell Spawned Inside Container
Added the following new rules: Extended the condition of the following rules: Updated IoCs Ruleset with new findings. Default Policy Changes Added new rules to default policies.
| 0.80.1 |
July 26, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Added the following new rules: PTRACE anti-debug attempt
PTRACE attached to process
Detect reconnaissance scripts
Detect malicious cmdlines
GCP Create DNS Record
GCP Create DNS Zone
GCP Delete DNS Record
GCP Update DNS Record
GCP Update DNS Zone
GCP Cloud Armor Blocked Connection
GCP Cloud IDS Alert
Delete AWS user (SSO)
Updated the following rule: Reconnaissance attempt to find SUID binaries Updated the following lists: falco_privileged_images Updated IoCs Ruleset with new findings. Default Policy Changes Added new rules to default policies.
| 0.79.2 |
July 15, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Added the following new rules: Detect curl Using Socks Proxy
Create AWS user (SSO)
GCP Delete VPN
GCP App Engine Firewall Rule Created
GCP Compute Firewall Rule Created
GCP Create VPN
GCP Sensitive Role Added to User
Added additional exceptions to: Read sensitive file untrusted
Run shell untrusted
Non sudo setuid
Clear Log Activities
Execution of binary using ld-linux
eBPF Program Loaded into Kernel
Terminal shell in container
The docker client is executed in a container
Added the Detect curl Using Socks Proxy rule to IoCs Malware Activity and Sysdig Runtime Threat Detection policies Added Create AWS user (SSO) to the Sysdig AWS Activity Logs policy. Added GCP Delete VPN and GCP Sensitive Role Added to the User rules to Sysdig GCP Notable Events policy. Added the GCP App Engine Firewall Rule Created, GCP Compute Firewall Rule Created, and GCP Create VPN rules to the Sysdig GCP Activity Logs policy. Split AWS rules into individual files and moved lists out of individual files and into its own file at the top of the output aws_cloudtrail.yaml. Fixed tag in the Delete Cluster rule. Updated IoCs Ruleset with new findings.
| 0.78.0 |
July 08, 2022 | Rule Changes Restored the following missing rule: nsenter Container Escape Cleaned up the following duplicate macro: falco_sensitive_mount_containers Adjusted the following eBPF rule: eBPF Program Loaded into Kernel Updated IoCs Ruleset with new findings. Updated all the Cloudtrail rules to add ARNs to output.
Default Policy Changes Modified to work with both old default_policies and managed default_policies. | 0.77.0 |
July 01, 2022 | Rule Changes Added Miner IP Pool Threat Intelligence: Detect outbound connections to common miner pool ports | 0.76.1 |
June 30, 2022 | Rule Changes Added additional exceptions : Linux Kernel Module Injection Detected Created the following new rules: GCP App Engine Firewall Rule Deleted
GCP App Engine Firewall Rule Updated
GCP Create Cloud Function v2 Not Using Latest Runtime
GCP Create Cloud Function v2
GCP Compute Firewall Rule Deleted
GCP Compute Firewall Rule Updated
GCP Delete Compute VM Instance
GCP Update Cloud Function v2
Malicious Environment Variable in Spawned Process
nsenter Container Escape
Updated the following GCP rules: GCP Create Cloud Function Not Using Latest Runtime
GCP Create Cloud Function
GCP Create DLP Job
GCP Delete DLP Job
GCP Paused DLP Job
GCP Suspicious IP Inbound Request
GCP Update Cloud Function
GCP Updated DLP Job
Added CIS tag to rules related to CIS Docker Security Benchmark controls: Container Run as Root User
Disallowed SSH Connection
Launch Privileged Container
Launch Root User Container
Launch Sensitive Mount Container
Mount Launched in Privileged Container
Privileged Shell Spawned Inside Container
Reconnaissance attempt to find SUID binaries
The docker client is executed in a container
Write below root
Updated IoCs Ruleset with new findings.
Default Policy Changes Added the following rules to the default policy: GCP App Engine Firewall Rule Deleted
GCP Compute Firewall Rule Deleted
Malicious Environment Variable in Spawned Process
nsenter Container Escape
| 0.76.0 |
June 24, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Modified the following macros: truncate_shell_history
modify_shell_history
Extended the condition of the rule, Detect crypto miners using the Stratum protocol , to improve detection capabilites New rules created: Launch malicious container image
GCP Suspicious IP Inbound Request
GCP Allow Public Access to Bucket
GCP KMS Schedule Key Deletion
GCP Create DLP Job
GCP Delete DLP Job
GCP Update DLP Job
GCP Paused DLP Job
Updated IoCs Ruleset with new findings.
Default Policy Changes Added the following rule to the default policy, IoCs Malware Activity: Launch malicious container image Added the following rules to the default policy, Sysdig GCP Best Practices: GCP Suspicious IP Inbound Request
GCP Allow Public Access to Bucket
GCP KMS Schedule Key Deletion
GCP Delete DLP Job
GCP Paused DLP Job
| 0.75.0 |
June 17, 2022 | Rule Changes Added the following new rules: Modified the following rules: Updated the macro: sysdig_commercial_images. It now contains two new KSPM images. Add the new macro ti_anon_ips for Tor source IPs. Updated IoCs Ruleset with new findings.
Default Policy Changes Added the new rule, AWS Suspicious IP Inbound Request to the Sysdig AWS Best Practices policy. Added the new rule, eBPF Program Loaded into Kernel to the Suspicious Container Activity policy.
| 0.74.3 |
June 03, 2022 | Rule Changes Added a new rule: Suspicious Java Child Processes Updated the package_mgmt_procs macro to detect package management process with python Updated some exceptions in the rule,Change thread namespace Updated IoCs Ruleset with new findings.
Default Policy Changes Added the new rule, Suspicious Java Child Processes,to the IoCs Malware Activity | 0.72.0 |
May 26, 2022 | Rule Changes Added the following new rules: Modified exceptions to reduce noise: Change thread namespace
Contact cloud metadata service from container
DB program spawned process
K8s ConfigMap Created
K8s ConfigMap Deleted
K8s Serviceaccount Created
Netcat Remote Code Execution in Container
Privileged Shell Spawned Inside Container
Set Setuid or Setgid bit
System ClusterRole Modified/Deleted
Write below monitored dir
Write below root
Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.70.3 |
May 20, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Set Setuid or Setgid bit
Execution from /tmp
Fixed the condition of the following rules: Execution from /tmp
Execution from /dev/shm
Updated IoCs Ruleset with new findings.
| 0.69.0 |
May 13, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Run shell untrusted
Launch Privileged Container
Container Run as Root User
Write below root
Write below rpm database
DB program spawned process
Privileged Shell Spawned Inside Container
Launch Suspicious Network Tool in Container
Remove Bulk Data from Disk
Set Setuid or Setgid bit
Packet socket created in container
Execution from /tmp
Created the new rule, Possible Backdoor using BPF. This rule triggers if process was seen attaching a BPF filter on a network socket, this could indicate packet sniffing for use in a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule. Created the new rule, Execution of binary using ld-linux. This method can be used to execute programs that do not have the exec bit set and may possibly evade detection measures. Fixed the condition of the following rules: Write below binary dir
Set Setuid or Setgid bit
Updated IoCs Ruleset with new findings
Default Policy Changes Added the new rule, Possible Backdoor using BPF to the Notable Network Activity policy.
Write below binary dir Added the new rule, Execution of binary using ld-linux to the IoCs Malware Activity policy.
| 0.68.1 |
May 6, 2022 | Rule Changes Added additional exceptions to older agent versions to aid in addressing false positives: Created the new rule Tampering with Security Software in Container. This rule detects common techniques by
threat actors to disable runtime security software. Created the new rule Detect outbound connections to TOR Entry Nodes. This rule detects when clients reach the
TOR network through its entry nodes. NOTE: This is an EXPERIMENTAL rule and only contains a subset of TOR entry
nodes. It will be improved upon in the future. Fixed the condition of the following rule: Execution from /tmp Updated IoCs Ruleset with new findings.
Default Policy Changes Moved the rule Redirect STDOUT/STDIN to Network Connection in Container to the Notable Container Activity default policy Added the new rule Tampering with Security Software in Container to the Suspicious Container Activity default policy Added the new rule Detect outbound connections to TOR Entry Nodes to the IoCs Malware Activity default policy
| 0.67.1 |
April 28, 2022 | Rule Changes Added new rule file, threat_intelligence_feed.yaml
, with lists and macros directly updated by Sysdig Threat Research Team. Updated the following list: sysdig_commercial_images Updated IoCs Ruleset with new findings. Updated Falco rules conditions: Added additional exceptions to aid in addressing false positives: Execution from /tmp
Create Symlink Over Sensitive Files
Change thread namespace
DB program spawned process
Suspicious Cron Modification
| 0.66.1 |
April 21, 2022 | Rule Changes Added a new AWS Cloudtrail rule:
Create RDS DB Instance with Public Access Added the following Falco rules: Base64-encoded Shell Script ExecutionExecution from /dev/shm
Added additional exceptions to aid in addressing false positives: Service Account Created in Kube NamespaceK8s Serviceaccount Created
Modified to add a list of malicious IPs:
Outbound Connection to C2 Servers Updated IoCs Ruleset with new findings
Default Policy Changes | 0. 65.1 |
April 18, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Change thread namespace
Create Symlink Over Sensitive Files
Container Run as Root User
DB program spawned process
Privileged Shell Spawned Inside Container
Run shell untrusted
Set Setuid or Setgid bit
Write below etc
| 0.65.0 |
April 17, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Privileged Shell Spawned Inside Container | 0.64.1 |
April 15, 2022 | Rule Changes Added additional exceptions to the following rules to aid in addressing false positives: Created the new rule Base64-encoded Python Script Execution. This rule detects base64-encoded Python scripts on command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection. Fixed the output of the following rules: K8s Serviceaccount Created
K8s Serviceaccount Deleted
Updated IoCs Ruleset with new findings
Rule Changes Added the Base64-encoded Python Script Execution rule to the IoCs Malware Activity default policy Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy Created the new default policy, Known Exploit Detection. This policy embedes the rules that can identify potential exploits of well-known CVEs.
| 0.64.0 |
April 12, 2022 | Rule Changes | 0.63.0 |
April 09, 2022 | Rule Changes Default Policy Changes Policy: Notable Filesystem Changes Policy: Suspicious Container Activity Policy: Suspicious Lateral Movement Activity to Cloud Policy: Unexpected Spawned Processes
| 0.62.1 |
April 06, 2022 | Rule Changes Reduce noise for the rulesWrite below monitored dir and write below etc by adding additional exceptions. | 0.62.0 |
March 25, 2022 | Rule Changes Added the following new rules: Updated auto-tuner exceptions for the following: Updated IoCs Ruleset with new findings.
Default Policy Changes | 0.60.0 |
March 18, 2022 | Rule Changes Updated the Launch Root User Container condition rule. Updated the following lists to address false positive : miner_domains
allowed_k8s_users
Updated some exceptions in the Schedule Cron Jobs rule. Created the sssd_writing_krb macro from the new release of OSS Falco. Updated IoCs Ruleset with new findings. Updated the following macros based on the changes in Falco OS: modify_shell_history
truncate_shell_history
write_etc_common
Default Policy Changes TheIoCs Malware Activity policy has been updated. Removed some rules from Notable Filesystem Changes policy: Write below etc
Write below root
Write below rpm database
Write below binary dir
Removed one rule from the Notable Container Activity policy: Change thread namespace
| 0.59.2 |
March 10, 2022 | Rule Changes Exclude ptp and dp from the Change thread namespacerule. Exclude self from the K8s Serviceaccount Created rule. Exclude known cron writers from the Schedule Cron Jobs rule. Updated the IoCs Ruleset with new findings.
| 0.58.1 |
March 06, 2022 | Rule Changes Add additional exceptions to aid in addressing false positive for rules: Updated the following macros baed on the changes in Falco OS:aws_eks_core_images Updated IoCs Ruleset with new findings.
| 0.57.2 |
March 03, 2022 | Rule Changes Fixed exception to aid in addressing false positives for rules:
Contact K8S API Server From Container | 0.56.5 |
March 01, 2022 | Rule Changes | 0.56.4 |
February 18, 2022 | Rule Changes Add additional exceptions to older agent versions to aid in addressing false positive for rules: Modify Shell Configuration File
Modify Shell Configuration File
Write below etc
Write below rpm database
DB program spawned process
Clear Log Activities
Launch Root User Container
Updated the following macros based on the changes in Falco OS: Updated the following lists to address false positives: Updated IoCs Ruleset with new findings.
| 0.55.2 |
February 10, 2022 | Rule Changes Add additional exceptions to older agent versions to aid in addressing false positive for rules: Updated the following macros based on the changes in Falco OS: Updated the following lists based on the changes in Falco OS: Updated IoCs Ruleset with new findings.
| 0.54.3 |
February 07, 2022 | Rule Changes Add additional exceptions to older agent versions to aid in addressing false positive for rules: Launch Root User Container
| 0.53.4 |
February 04, 2022 | Rule Changes Add additional exceptions to older agent versions to aid in addressing false positive for rules: Modify Shell Configuration File
Write below etc
Write below root
Read sensitive file trusted after startup
Change thread namespace
Launch Suspicious Network Tool in Container
Redirect STDOUT/STDIN to Network Connection in Container
Updated the following macros based on the changes in Falco OS: spawned_process
sensitive_mount
Updated the following lists based on the changes in Falco OS: Updated the following lists to address false positives: Updated IoCs Ruleset with new findings.
| 0.53.3 |
January 29, 2022 | Rule Changes | 0.52.0 |
January 21, 2022 | Rule Changes Updated IoCs Ruleset with new findings. | 0.51.1 |
January 14, 2022 | Rule Changes Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role. Updated tags for AWS Rule:AWS Command Executed on Unused Region. Updated tags for the following GCP Rules: GCP Invitation Sent to Non-corporate Account
GCP Create User-managed Service Account Key
GCP Create GCP-managed Service Account Key
GCP Create Cloud Function Not Using Latest Runtime
GCP Set Bucket IAM Policy
GCP Create Bucket
| 0.50.5 |