Falco Rules Changelog

Falco rules are used in the Sysdig Secure Policy Editor. On this page, you can read the most recent changes to Falco Rules.

Subscribe to the RSS feed to stay updated with the latest Falco rules.

Commit Date

Rule Notes

Version of the Falco Rules Installer (On-Prem)

June 13, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Non sudo setuid

    • Suspicious Access To Kerberos Secrets

    • Write below root

    • Write below rpm database

    • Contact Task Metadata Endpoint

  • Updated Indicators of Compromise (IoC rulesets with new findings/

0.155.2

June 12, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Suspicious Home Directory Creation

    • Kernel startup modules changed

    • Mount Launched in Privileged Container

    • Modify Grub Configuration Files

    • Download and launch remote file copy tools in container

    • PTRACE anti-debug attempt

    • Malicious IPs or domains detected on command line

    • Suspicious RC Script Modification

    • Archive or Compression Activity Detected

    • Clear Log Activities

    • Write below rpm database

    Updated Indicators of Compromise (IoC) rulesets with new findings.

0.155.1

June 11, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Possible Backdoor using BPF

    • nsenter Container Escape

    • Kernel startup modules changed

    • Mount on Container Path Detected

    • Non sudo setuid

    • System procs network activity

    • Write below etc

  • Improved conditions for the following rules:

    • Clear Log Activities

    • Archive or Compression Activity Detected

    • Dump memory for credentials

    • Delete or rename shell history

    • Suspicious RC Script Modification

  • Improved macro sensitive_vol_mount.

  • Updated Indicators of Compromise (IoC) rulesets with new findings.

Default Policy Changes

  • Improved condition for Suspicious RC Script Modification rule.

0.155.0

June 10, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Linux Kernel Module Injection Detected

    • Find GCP Credentials

    • Non sudo setuid

    • Find Authentication Certificates

    • Launch Excessively Capable Container

    • Possible Backdoor using BPF

    • CloudWatch Delete Log Stream

  • Updated Indicators of Compromise rulesets with new findings

0.154.4

June 07, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Create Sensitive Mount Pod

    • Kernel startup modules changed rule

    • Change thread namespace rule

    • Possible Backdoor using BPF rule

    • Kernel Module Loaded by Unexpected Program rule.

    • PTRACE anti-debug attempt rule

    • Escape to host via command injection in process

  • Updated Indicators of Compromise (IoC) rulesets with new findings.

0.154.3

June 06, 2024

Rule Changes

  • Reduced false positives for the following rules:

    • Archive or Compression Activity Detected

    • Write below etc

    • Kernel startup modules changed

    • Dump memory for credentials

    • Create Symlink Over Sensitive Files

    • Modification of pam.d detected

  • Redirect STDOUT/STDIN to Network Connection in Container

  • Improved output for Connection to IPFS Network Detected rule

  • Updated Indicators of Compromise (IoC) rulesets with new findings.

  • 0.154.2

    June 05, 2024

    Rule Changes

    • Reduced false positives for Kernel startup modules changed rule

    • Updated Indicators of Compromise rulesets with new findings

    • Reduced false positives for Dump memory for credentials rule

    0.154.1

    June 04, 2024

    Rule Changes

    • Updated Indicators of Compromise (IoC) rulesets with new findings.

    • Improved conditions for the following rules:

      • System Geolocation Discovery

      • Dump memory for credentials

      • Kernel startup modules changed

    0.154.0

    June 03, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Password Policy Discovery Detected

      • AWS Suspicious IP Inbound Request

      • Linux Kernel Module Injection Detected rule

    • Updated Indicators of Compromise rulesets with new findings

    0.153.5

    May 31, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Mount on Container Path Detected

      • Possible Backdoor using BPF

      • Suspicious device created in container

    • Updated Indicators of Compromise rulesets with new findings

    0.153.4

    May 30, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Kernel Module Loaded by Unexpected Program

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

    • Updated Indicators of Compromise (IoC) rulesets with new findings.

    0.153.3

    May 29, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • PTRACE anti-debug attempt

      • Create Symlink Over Sensitive Files

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Archive or Compression Activity Detected

    • Updated Indicators of Compromise rulesets with new findings

    0.153.2

    May 28, 2024

    Rule Changes

    Reduced false positives for the Archive or Compression Activity Detected and Delete or rename shell history rules

    0.153.1

    May 28, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

    • Updated Indicators of Compromise rulesets with new findings

    • Added the following rules:

      • Leading or Trailing Space Detected in Filename

      • Archive or Compression Activity Detected

      • Connection with Suspicious User Agent Detected

    • Improved condition for the following rules:

      • Launch Suspicious Network Tool in Container

      • Suspicious network tool downloaded and launched in container

      • Delete or rename shell history

      • Disable or Modify Linux Audit System

      • PTRACE anti-debug attempt

      • Suspicious Docker Options

      • Launch Suspicious Network Tool on Host

    Default Policy Changes

    • Added the following rules:

      • Leading or Trailing Space Detected in Filename

      • Archive or Compression Activity Detected

      • Connection with Suspicious User Agent Detected

    • Removed Program run with disallowed http proxy env rule from managed policies

    0.153.0

    May 27, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • System procs network activity

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Change thread namespace

    • Updated Indicators of Compromise (IoC) rulesets with new findings.

    0.152.4

    May 23, 2024

    Rule Changes

    Reduced false positives for the eBPF Program Loaded into Kernel rule

    0.152.3

    May 23, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Launch Root User Container

      • Mount Launched in Privileged Container

      • Updated Indicators of Compromise (IoC) rulesets with new findings.

    0.152.2

    May 22, 2024

    • Updated Indicators of Compromise (IoC) rulesets with new findings.

    • Sysdig Falco Rules release announcement 0.152.0.

    • Updated Sysdig Mitre Attack Mapper.

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Escape to host via command injection in process

    0.152.1

    May 21, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Create files below dev

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Modify Grub Configuration Files

      • Non sudo setuid

    • Improved conditions for the following rules:

      • Reconnaissance attempt to find SUID binaries

      • Reconnaissance attempt to find SETGID binaries

      • Launch Code Compiler Tool in Container

      • AWS Suspicious IP Inbound Request

      • Disable or Modify Linux Audit System

      • Modify Shell Configuration File

    • Added the Bedrock Create Provisioned Model Throughput rule.

    • Updated Indicators of Compromise rulesets with new findings

    Default Policy Changes

    • Added the Bedrock Create Provisioned Model Throughput rule.

    0.152.0

    May 20, 2024

    Rule Changes

    • Reduced false positives for the eBPF Program Loaded into Kernel rule.

    0.151.4

    May 17, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Non sudo setuid

      • eBPF Program Loaded into Kernel

    • Updated Indicators of Compromise rulesets with new findings

    0.151.3

    May 16, 2024

    Rule Changes

    • Improved exceptions for Detection bypass by symlinked files rule

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Non sudo setuid

      • eBPF Program Loaded into Kernel

      • Launch Code Compiler Tool on Host

      • Create Symlink Over Sensitive Files

      • Run shell untrusted

    • Updated Indicators of Compromise (IoC) rulesets with new findings.

    0.151.2

    May 15, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Code Compiler Tool on Host

      • Hide Process with Mount

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Mount Launched in Privileged Container

      • Kernel Module Loaded by Unexpected Program

      • System procs network activity

      • Disable or Modify Linux Audit System

      • Dump memory for credentials

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Updated Sysdig Mitre Attack Mapper.

    0.151.1

    May 14, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Fileless Malware Detected

      • Launch Code Compiler Tool on Host

      • Escape to host via command injection in process

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Modify Grub Configuration Files

    • Updated Indicators of Compromise rulesets with new findings 9080306970

    • Improved tags for the following rules:

      • Connection to SMB Server detected

      • Hardware Added to the System

    • Added the following rules:

      • Disable or Modify Linux Audit System

      • Reconnaissance attempt to find SETGID binaries

      • Launch Code Compiler Tool on Host

      • Entra Add Guest Member to Administrative Role

      • Entra Invite External User

    • Improved conditions for the providing rules

      • Delete or rename shell history

      • Suspicious Cron Modification

      • Fileless Malware Detected

    Default Policy Changes

    • Added the following rules:

      • Disable or Modify Linux Audit System

      • Reconnaissance attempt to find SETGID binaries

      • Launch Code Compiler Tool on Host

      • Entra Add Guest Member to Administrative Role

      • Entra Invite External User

    • Improved condition for Delete or rename shell history rule.

    0.151.0

    May 13, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Mount Launched in Privileged Container

    • Updated Indicators of Compromise (IoC) rulesets with new findings.

    0.150.4

    May 10, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Hide Process with Mount

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

      • Possible Backdoor using BPF

      • Change thread namespace

    • Updated Indicators of Compromise rulesets with new findings 9033246476

    0.150.3

    May 09, 2024

    Rule Changes

    • Reduced false positives for eBPF Program Loaded into Kernel rule.

    0.150.2

    May 08, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

      • System procs network activity

    • Updated Indicators of Compromise rulesets with new findings

    • Sysdig Mitre Attack Mapper update

    0.150.1

    May 07, 2024

    • Sysdig Mitre Attack Mapper update

    Rule Changes

    • Improved conditions for the following rules:

      • Launch Code Compiler Tool in Container

      • Root Certificate Installed

      • System Geolocation Discovery

      • Modify Shell Configuration File

      • Discovery Security Service Activity Detected

    • Reduced false positives for the following rules:

      • System procs network activity

      • Modify Grub Configuration Files

      • Possible Backdoor using BPF

      • Suspicious Home Directory Creation

      • eBPF Program Loaded into Kernel

    Default Policy Changes

    • Improved condition for Root Certificate Installed rule.

    0.150.0

    May 06, 2024

    • Sysdig Mitre Attack Mapper update

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Suspicious Device Created in Container

      • Linux Kernel Module Injection Detected

      • Possible Backdoor using BPF

      • Modification of pam.d detected

      • Suspicious System Service Modification

    • Updated Indicators of Compromise rulesets with new findings

    • Improved tags for Read sensitive file untrusted rule

    0.149.3

    May 03, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container rule

      • eBPF Program Loaded into Kernel rule

      • Mount Launched in Privileged Container rule

    • Improved tags for System Geolocation Discovery rule

    • Improved coverage for T1665

    • Updated Indicators of Compromise rulesets with new findings

    • Sysdig Mitre Attack Mapper update

    0.149.2

    May 02, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Write below etc

      • eBPF Program Loaded into Kernel

      • Hardware Added to the System

      • Modification of pam.d detected

      • Set Setuid or Setgid bit

      • Launch Remote File Copy Tools in Container

    • Updated Indicators of Compromise rulesets with new findings

    • Improved output for the following rules:

      • Search Private Keys or Passwords

      • System Geolocation Discovery

    • Improved tags for Malicious filenames written rule

    0.149.1

    April 30, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Kernel Module Loaded by Unexpected Program

      • Mount Launched in Privileged Container

      • Read sensitive file untrusted

    • Improved condition for the following rules:

      • Service Discovery Activity Detected

      • Password Policy Discovery Activity Detected

      • Modify Timestamp attribute in File

      • Active Directory Connection Detected

    • Updated Indicators of Compromise rulesets with new findings

    0.149.0

    April 29, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Root User Container

      • Read sensitive file untrusted

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Redirect STDOUT/STDIN to Network Connection in Container

      • System procs network activity

      • Schedule Cron Jobs

    • Updated Indicators of Compromise rulesets with new findings

    0.148.3

    April 26, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Modification of pam.d detected

      • System procs network activity

      • Non sudo setuid

    • Updated Indicators of Compromise rulesets with new findings

    0.148.2

    April 24, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Linux Kernel Module Injection Detected

      • Kernel Module Loaded by Unexpected Program

      • System procs network activity

      • Change memory swap options

      • Mount on Container Path Detected

      • Possible Backdoor using BPF

      • Modification of pam.d detected

      • Escape to host via command injection in process

      • Launch Suspicious Network Tool in Container

      • Associate Elastic IP Address to AWS Network Interface

    • Updated Indicators of Compromise rulesets with new findings

    • Improved coverage for T1562.010

    • Improved coverage for T1552.003

    • Improved tags for the following rules:

      • Modification of pam.d detected

      • Malicious filenames written

      • QEMU Activity Detected

    • Sysdig Mitre Attack Mapper update

    0.148.1

    April 23, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • eBPF Program Loaded into Kernel

      • Execution from /tmp rule

      • Launch Sensitive Mount Container

      • Launch Ingress Remote File Copy Tools in Container

      • Modification of pam.d detected

    • Improved conditions for the following rules:

      • Schedule Cron Jobs

      • Delete or rename shell history

    • Improved tags for the following rules:

      • Active Directory Connection Detected

      • Hardware Added to the System

    • Added rule Update Paging Cache

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Updated Sysdig Mitre Attack Mapper.

    Default Policy Changes

    • Updated policies the following rules:

      • Launch Remote File Copy Tools on Host

      • QEMU Activity Detected

    • Added rule Update Paging Cache

    0.148.0

    April 22, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • System procs network activity

      • Launch Root User Container

      • Possible backdoor using BPF

    • Improved output for the following rules:

      • Linux Kernel Module Injection Detected

      • Contact EC2 Instance Metadata Service From Container

    • Improved tags for the following rules:

      • T1016.001

      • DB program spawned process

      • Active Directory Connection Detected

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.147.4

    April 19, 2024

    Rule Changes

    • Reduced false positives for the Dump memory for credentials rule.

    0.147.3

    April 18, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • System Geolocation Discovery

      • Service Discovery Activity Detected

      • Read sensitive file untrusted

      • Non sudo setuid

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Improved TA0004 and TA0003 MITRE tags

    0.147.2

    April 17, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Packet Socket Created on Host

      • Possible Backdoor using BPF

      • Create Symlink Over Sensitive Files

      • Modify binary dirs

      • Run shell untrusted

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Improved output for GitHub rules.

    0.147.1

    April 16, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Find GCP Credentials

      • Suspicious device created in container

      • Reconnaissance attempt to find SUID binaries

      • Escape to host via command injection in process

      • Mount Launched in Privileged Container

      • Modify binary dirs

    • Improved tags for Azure Access Level for Blob Container Set to Public rule

    • New Falco Cloud Microsoft Entra plugin support

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Added the following rules:

      • Bedrock Model Recon Activity

      • Bedrock Invoke Agent

      • Bedrock Delete Knowledge Base

      • Bedrock Delete Data Source

      • Bedrock Delete Agent

      • Bedrock Delete Provisioned Model Throughput

      • Bedrock Delete Custom Model

      • Bedrock Disable Model Invocation Logging

      • Bedrock Invoke Model

      • Entra Add Member to Administrative Role

      • Entra Delete Application

      • Entra Add Administrative Unit

      • Entra Add Application

      • Entra Add Group

      • Entra Add Member to Group

      • Entra Add Member to Administrative Unit

      • Entra Add Owner To Application

      • Entra Add Owner to Service Principal

      • Entra Assign User to Application

      • Entra Change User Password

      • Entra Create Directory

      • Entra Delete Administrative Unit

      • Entra Delete Application Password for User

      • Entra Delete Group

      • Entra Disable Access to Application

      • Entra Hard Delete Application

      • Entra Remove App Role Assignment from User

      • Entra Remove Member from Administrative Unit

      • Entra Remove Member from Role

      • Entra Remove Verified Domain

      • Entra Update Application Certificates And Secrets Management

      • Entra Verify Domain

      • Entra Suspicious IP Inbound Request

      • Netcat Remote Code Execution on Host

      • Packet Socket Created on Host

    Default Policy Changes

    • Added the following rules:

      • Packet Socket Created on Host

      • Netcat Remote Code Execution on Host

      • Bedrock Model Recon Activity

      • Bedrock Invoke Agent

      • Bedrock Delete Knowledge Base

      • Bedrock Delete Data Source

      • Bedrock Delete Agent

      • Bedrock Delete Provisioned Model Throughput

      • Bedrock Delete Custom Model

      • Bedrock Disable Model Invocation Logging

      • Bedrock Invoke Model

      • Entra Add Member to Administrative Role

      • Entra Delete Application

      • Entra Add Administrative Unit

      • Entra Add Application

      • Entra Add Group

      • Entra Add Member to Group

      • Entra Add Member to Administrative Unit

      • Entra Add Owner To Application

      • Entra Add Owner to Service Principal

      • Entra Assign User to Application

      • Entra Change User Password

      • Entra Create Directory

      • Entra Delete Administrative Unit

      • Entra Delete Application Password for User

      • Entra Delete Group

      • Entra Disable Access to Application

      • Entra Hard Delete Application

      • Entra Remove App Role Assignment from User

      • Entra Remove Member from Administrative Unit

      • Entra Remove Member from Role

      • Entra Remove Verified Domain

      • Entra Update Application Certificates And Secrets Management

      • Entra Verify Domain

      • Entra Suspicious IP Inbound Request

    • New Falco Cloud Microsoft Entra plugin support

    0.147.0

    April 15, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • DB program spawned process

      • Create Hidden Files or Directories

      • Connection to SMB Server detected

      • Read sensitive file untrusted

      • Write below root

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Dump memory for credentials

      • Modification of pam.d detected

      • Directory traversal monitored file read

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Improved output for GitHub rules

    0.146.4

    April 12, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Run shell untrusted

      • DB program spawned process

      • Set Setuid or Setgid bit

      • Improved tags for the Non sudo setuid rule.

      • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.146.3

    April 11, 2024

    Rule Changes

    • Improved output for the Modification of pam.d detected rule.

    • Reduced false positives for the following rules:

      • Write below root

      • Launch Privileged Container

      • Read sensitive file untrusted

      • Launch Sensitive Mount Container

      • Launch Ingress Remote File Copy Tools in Container

      • Kernel startup modules changed

    • Improved tags for the QEMU Activity Detected rule.

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.146.2

    April 10, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • Launch Sensitive Mount Container

      • Possible Backdoor using BPF

      • Launch Privileged Container

      • eBPF Program Loaded into Kernel

    • Updated Indicators of Compromise rulesets with new findings

    • Improved tags for T1136

    0.146.1

    April 09, 2024

    Rule Changes

    • Added the following rules:

      • QEMU Activity Detected

      • Active Directory Connection Detected

    • Improved description for workload rules

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Write below root

      • Suspicious Access To Kerberos Secrets

      • Root Certificate Installed

      • Suspicious Kernel Parameter Modification

      • Launch Root User Container

      • Non sudo setuid

    • Improved condition the following:

      • Backdoored library loaded into SSHD rule

      • network_tool_procs macro

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    Default Policy Changes

    • Added the following rules:

      • QEMU Activity Detected

      • Active Directory Connection Detected

    • Updated policy for the following rules:

      • Container image built on host

      • Root Certificate Installed

      • Potential IRC connection detected

    0.146.0

    April 08, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Change thread namespace

      • Launch Suspicious Network Tool in Container

      • Launch Privileged Container

      • Possible Backdoor using BPF

      • Container escape via discretionary access control

    • Updated Indicators of Compromise rulesets with new findings

    0.145.4

    April 05, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Read Shell Configuration File

      • eBPF Program Loaded into Kernel

      • Netcat Remote Code Execution in Container

      • Dump memory for credentials

      • Write below root

      • Mount on Container Path Detected

      • System procs network activity

      • Non sudo setuid

    • Updated Indicators of Compromise rulesets with new findings

    0.145.3

    April 04, 2024

    Rule Changes

    • Updated Indicators of Compromise rulesets with new findings

    • Improved coverage for T1136.001

    • Improved tags for Workload rules - T1036.003

    • Reduced false positives for the following rules:

      • Kernel Module Loaded by Unexpected Program

      • Dump memory for credentials

      • Possible Backdoor using BPF

    0.145.2

    April 03, 2024

    • Sysdig Mitre Attack Mapper update

    Rule Changes

    • Reduced false positives for the following rules:

      • System procs network activity

      • eBPF Program Loaded into Kernel

      • Linux Kernel Module Injection

      • Possible Backdoor using BPF

      • Find GCP Credentials

      • Root Certificate Installed

    • Improved tags for Launch Ingress Remote File Copy Tools in Container rule.

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.145.1

    April 02, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Operations with Firewalls

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • System procs network activity

      • Launch Excessively Capable Container

      • Possible Backdoor using BPF

      • Modification of pam.d detected

    • Added the Root Certificate Installedrule

    • Improved tags for Delete or rename shell history rule

    • Improved output for Outbound Connection to C2 Servers rule

    Default Policy Changes

    • Added the Root Certificate Installedrule

    • Updated policy for the Steganography Tool Detected rule

    0.145.0

    March 29, 2024

    Rule Changes

    • Added the Backdoored library loaded into SSHD rule

    • Reduced false positives for the Detection bypass by symlinked files rule

    Default Policy Changes

    • Added theBackdoored library loaded into SSHD rule

    0.144.3

    March 28, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • DB program spawned process

      • Launch Ingress Remote File Copy Tools in Container

      • eBPF Program Loaded into Kernel

      • Modification of pam.d detected

      • Mount Launched in Privileged Container

      • Malicious IPs or domains detected on command line

      • Change thread namespace

      • Linux Kernel Module Injection Detected

      • Set Setuid or Setgid bit

    • Updated Indicators of Compromise rulesets with new findings

    • Improved output for Modification of pam.d detected rule

    • Improved tags for the following rules:

      • Steganography Tool Detected

      • Discovery Security Service Activity Detected

      • Remove Bulk Data from Disk

    0.144.2

    March 27, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Contact EC2 Instance Metadata Service From Container

      • Set Setuid or Setgid bit

      • Suspicious Home Directory Creation

      • Possible Backdoor using BPF

      • Launch Remote File Copy Tools on Host

      • Malicious IPs or domains detected on command line

      • Write below etc

      • Kernel startup modules changed

      • Modification of pam.d detected

    • Improved tags for the following rules:

      • Connection to SMB Server detected

      • Java Process File Class Download

      • Possible SSH Hijacking Attempt Detected

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.144.1

    March 26, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • Malicious IPs or domains detected on command line

      • Interactive Reconnaissance Activity Detected

      • Dump memory for credentials

      • Write below root

      • Change thread namespace

      • DB program spawned process

      • Possible Backdoor using BPF

    • Added the following rules:Tampering with Security Software on Host and Launch Remote File Copy Tools on Host

    • Updated Indicators of Compromise rulesets with new findings

    • Improved condition for System Geolocation Discovery rule

    Default Policy Changes

    Added the following rules: Tampering with Security Software on Host and Launch Remote File Copy Tools on Host

    0.144.0

    March 25, 2024

    Rule Changes

    • Updated Indicators of Compromise rulesets with new findings

    • Reduced false positives for the following rules:

      • Launch Root User Container

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

      • Write below etc

      • Container escape via discretionary access control

      • Kernel startup modules changed

      • Mount Launched in Privileged Container

    0.143.4

    March 22, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Register Domain

      • Escape to host via command injection in process

      • Kernel startup modules changed

      • Modify Shell Configuration File

      • Launch Sensitive Mount Container

      • Execution from /tmp

      • Possible Backdoor using BPF

      • Suspicious Home Directory Creation

      • Detect outbound connections to Proxy/VPN

      • Dump memory for credentials

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.143.3

    March 21, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Container escape via discretionary access control

      • Non sudo setuid

      • Kernel Module Loaded by Unexpected Program

      • Dump memory for credentials

      • Launch Remote File Copy Tools in Container

      • Packet socket created in container

      • Create Hardlink Over Sensitive Files

      • Change memory swap options

      • eBPF Program Loaded into Kernel

    • Improved output for EC2 Instance Connect/SSH Public Key Uploaded

    • Updated Indicators of Compromise rulesets with new findings

    0.143.2

    March 20, 2024

    Rule Changes

    • Improved output for the Dump memory for credentials and Possible Backdoor using BPF rules

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Reduced false positives for the following rules:

      • Modify ld.so preload

      • eBPF Program Loaded into Kernel

      • Modification of pam.d detected

      • Packet socket created in container

      • Mount on Container Path Detected

      • Change thread namespace rule

    0.143.1

    March 19, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Dump memory for credentials

      • Mount on Container Path Detected

      • Create Symlink Over Sensitive Files

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

    • Added the following rules:

      • Connection to SMB Server detected

      • Steganography Tool Detected

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    Default Policy Changes

    • Added rule Connection to SMB Server detected

    • Added rule Steganography Tool Detected

    0.143.0

    March 19, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Modification of pam.d detected

      • Launch Ingress Remote File Copy Tools in Container

      • Suspicious Cron Modification

      • Linux Kernel Module Injection Detected

      • Suspicious RC Script Modification

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.142.8

    March 15, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • Connection to IPFS Network Detected

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Linux Kernel Module Injection Detected

      • nsenter Container Escape

      • Execution from Temporary Filesystem

      • Launch Root User Container rule

    • Updated Indicators of Compromise rulesets with new findings

    • Improved output for Discovery Security Service Activity Detected rule

    0.142.7

    March 14, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Linux Kernel Module Injection Detected

      • Packet socket created in container

      • Container escape via discretionary access control

      • Possible Backdoor using BPF

      • Suspicious Cron Modification

      • Suspicious Access To Kerberos Secrets

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Updated Indicators of Compromise (IoCs) rulesets with new findings/

    • Improved output for Reconnaissance attempt to find SUID binaries and Dump memory for credentials rules

    0.142.6

    March 13, 2024

    Rule Changes

    • Reduced false positives for the Linux Kernel Module Injection Detected rule.

    0.142.5

    March 13, 2024

    Rule Changes

      Improved condition for Kernel Module Injection Detected rule.

    0.142.4

    March 13, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Suspicious Access To Kerberos Secrets

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Improved conditions for the following rules:

      • Linux Kernel Module Injection Detected

      • Suspicious Cron Modification

    • Improved output for AWS rules - Event Summary

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.142.3

    March 12, 2024

    Rule Changes

    • Added Execute Process from Masqueraded Directory to managed policies.

    • Improved output for Kernel startup modules changed rule.

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Linux Kernel Module Injection Detected

      • Suspicious Cron Modification

      • Suspicious Access To Kerberos Secrets

    Default Policy Changes

    • Added Execute Process from Masqueraded Directory to managed policies.

    0.142.2

    March 12, 2024

    Rule Changes

    • Removed the Execute Process from Masquerated Directory rule from managed policies.

    Default Policy Changes

    • Removed the Execute Process from Masquerated Directory rule from managed policies.

    0.142.1

    March 12, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Suspicious Operations with Firewalls

      • Possible Backdoor using BPF

      • Packet socket created in container

      • Mount on Container Path Detected

    • Improved condition for the following rules:

      • Dump memory for credentials

      • Suspicious Access To Kerberos Secrets

      • Linux Kernel Module Injection Detected

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Suspicious Cron Modification

      • Clear Log Activities

      • Modification of pam.d detected

    • Added the following rules:

      • Python HTTP Server Started

      • Execute Process from Masquerated Directory

      • Shared Libraries Reconnaissance Activity Detected

      • EC2 Instance Create User

      • Terminate EC2 Instances

    • Improved description and tags for Change memory swap options rule.

    • Improved tags for AWS EC2 ruleset.

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    Default Policy Changes

    Added the following rules:

    • Python HTTP Server Started

    • Execute Process from Masquerated Directory

    • Shared Libraries Reconnaissance Activity Detected

    • EC2 Instance Create User

    • Terminate EC2 Instances

    0.142.0

    March 11, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Mount on Container Path Detected

      • Mount Launched in Privileged Container

      • Possible Backdoor using BPF

      • Packet socket created in container

      • eBPF Program Loaded into Kernel

      • System procs network activity

    • Improved condition for Suspicious Cron Modification rule.

    • Improved output for AWS rules - Event Summary

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.141.4

    March 08, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Suspicious Cron Modification

      • Suspicious Domain Contacted

      • eBPF Program Loaded into Kernel

      • Kernel startup modules changed

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    Default Policy Changes

    • Updated policy for Java Process Class File Download rule.

    0.141.3

    March 07, 2024

    Rule Changes

    • Improved tags for Suspicious Domain Contacted rule

    • Improved condition for macro network_tool_procs

    • Updated Indicators of Compromise rulesets with new findings

    • Reduced false positives for the following rules:

      • Launch Suspicious Network Tool in Container

      • Suspicious Cron Modification

      • Execution from /tmp

      • Launch Sensitive Mount Container

      • Non sudo setuid

    0.141.2

    March 06, 2024

    Rule Changes

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    • Improved condition for Kernel Module Loaded by Unexpected Program rule

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

      • Escape to host via command injection in process

      • Mount on Container Path Detected

      • Launch Privileged Container

      • Container escape via discretionary access control

      • Set Setuid or Setgid bit

      • Execution from /tmp

      • Suspicious Domain Contacted

    0.141.1

    March 05, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Suspicious Domain Contacted

      • Launch Suspicious Network Tool in Container

      • Modify Grub Configuration Files

      • Launch Root User Container

      • Fileless Malware Detected

      • Container escape via discretionary access control

      • Mount on Container Path Detected

      • Find GCP credentials

      • Suspicious Cron Modification

    • Updated Indicators of Compromise rulesets with new findings

    • Improved tags for Suspicious Domain Contacted rule

    • Improved output for AWS rules - Event Summary

    • Added the Data Split Activity Detected and Contact EC2 Instance Metadata Service From Host rules

    Default Policy Changes

    Added the following rules:

    • Data Split Activity Detected

    • Contact EC2 Instance Metadata Service From Host

    0.141.0

    March 01, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Execution from /tmp

      • Mount on Container Path Detected

      • Possible Backdoor using BPF

      • Kernel Module Loaded by Unexpected Program

      • Packet socket created in container

      • Suspicious Cron Modification

    • Updated Indicators of Compromise rulesets with new findings

    • Improved condition for the Describe Instances rule

    • Improved tags for the GCP Create Cloud Function rule

    0.140.3

    February 29, 2024

    Rule Changes

    • Updated Indicators of Compromise rulesets with new findings

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Suspicious Cron Modification

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

      • Suspicious Operations with Firewalls

      • Suspicious RC Script Modification

      • Possible Backdoor using BPF

    0.140.2

    February 28, 2024

    Rule Changes

    • Improved condition for Kernel Module Loaded by Unexpected Program rule

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

      • Suspicious RC Script Modification

      • Launch Root User Container

      • Find Authentication Certificates

    • Updated Indicators of Compromise rulesets with new findings

    0.140.1

    February 27, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Ransomware Filenames Detected

      • Suspicious Cron Modification

      • Mount Launched in Privileged Container

      • Modification of pam.d detected

      • eBPF Program Loaded into Kernel

      • Kernel startup modules changed

      • Suspicious RC Script Modification

      • Possible Backdoor using BPF

    • Improved conditions for the following rules:

      • Suspicious network tool downloaded and launched in container

      • Launch Suspicious Network Tool on Host

      • Find GCP Credentials

      • Launch Suspicious Network Tool in Container

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    • Improved output for Kernel Module Loaded by Unexpected Program rule

    • Improve output for AWS rules - Event Summary

    • Added the following rules:

      • Find Authentication Certificates

      • Contact GCP Instance Metadata Service from Host

      • Contact Azure Instance Metadata Service from Host

      • Execution from Temporary Filesystem

    • Improve MITRE tags for AWS S3 ruleset

    Default Policy Changes

    • Added the following rules:

      • Find Authentication Certificates

      • Contact GCP Instance Metadata Service from Host

      • Contact Azure Instance Metadata Service from Host

      • Execution from Temporary Filesystem

    • Updated policies for the following rules:

      • Mount on Container Path Detected

      • Modify Grub Configuration Files rule

      • Escape to host via command injection in process

      • Discovery Security Service Activity Detected

    0.140.0

    February 26, 2024

    Rule Changes

    • Reduced false positive for Possible Backdoor using BPF and Change thread namespace rules

    • Improve condition for the Update Package Repository rule

    • Updated Indicators of Compromise rulesets with new findings

    0.139.5

    February 23, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • Malicious binary detected

      • Launch Suspicious Network Tool in Container

      • Escape to host via command injection in process

      • Kernel Module Loaded by Unexpected Program

      • Possible Backdoor using BPF

      • Suspicious RC Script Modification

    • Improved output for the following rules:

      • Update Package Repository

      • Hardware Added to the System

    • Improved condition for Non sudo setuid rule

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    0.139.4

    February 22, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Execution from /tmp

      • Suspicious Cron Modification

      • Service Discovery Activity Detected

      • Packet socket created in container

      • eBPF Program Loaded into Kernel

      • Update Package Repository

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.139.3

    February 21, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Sensitive Mount Container

      • Create Symlink Over Sensitive Files

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Cron Modification

      • Privileged Shell Spawned Inside Container

      • Set Setuid or Setgid bit

      • Suspicious RC Script Modification

    • Updated Indicators of Compromise rulesets with new findings

    • Improved output for the Suspicious Docker Options rule

    • Improved output for AWS rules - Event Summary

    • Improved tags for the Suspicious Docker Options rule

    0.139.2

    February 21, 2024

    Rule Changes

    • Reduced false positive for the Suspicious System Service Modificationrule

    0.139.1

    February 20, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Kernel startup modules changed

      • Suspicious Cron Modification

      • eBPF Program Loaded into Kernel

      • Mount Launched in Privileged Container

      • Find AWS Credentials

      • Launch Root User Container

      • Change thread namespace

      • Non sudo setuid

    • Updated Indicators of Compromise rulesets with new findings

    • Improved output for AWS rules - Event Summary

    • Improved condition for for the following rules:

      • Suspicious System Service Modification

      • Discovery Security Service Activity Detected

      • Mount Launched in Privileged Container

      • Update Package Repository

    • Added the following rules:

      • RDS Delete DB Instance

      • RDS Create DB Instance

      • Peripheral Device Discovery Activity Detected

      • Interactive Reconnaissance Activity Detected

      • Suspicious Docker Options

      • Possible SSH Hijacking Attempt Detected

    Default Policy Changes

    • Added the following rules:

      • RDS Delete DB Instance

      • RDS Create DB Instance

      • Peripheral Device Discovery Activity Detected

      • Interactive Reconnaissance Activity Detected

      • Suspicious Docker Options

      • Possible SSH Hijacking Attempt Detected

    • Update policy for the following rules:

      • Suspicious RC Script Modification

      • Hardware Added to the System

      • Suspicious Chdir Event Detected

    0.139.0

    February 19, 2024

    Rule Changes

    • Improved output for the Attach to cluster-admin Role rule

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • System procs network activity

      • Container escape via discretionary access control

      • Possible Backdoor using BPF

      • Create Symlink Over Sensitive Files

      • eBPF Program Loaded into Kernel

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    0.138.3

    February 15, 2024

    Rule Changes

    • Reduced false positive for the following rules:

      • Mount Launched in Privileged Container

      • Possible Backdoor using BPF

      • Modification of pam.d detected

      • eBPF Program Loaded into Kernel

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    0.138.2

    February 14, 2024

    Rule Changes

    • Reduced false positive for the following rules:

      • Find AWS Credentials

      • System procs network activity

      • Launch Root User Container

      • Suspicious Cron Modification

      • System Geolocation Discovery

      • Launch Ingress Remote File Copy Tools in Container

    • Fixed tags for the ld.so.preloadcode> rule

    • Improved performance of the Modify binary dirs rule

    • Fixed description for the Discovery Security Service Activity Detected rule

    • Updated Indicators of Compromise (IoCs) rulesets with new findings

    • Updated Sysdig Mitre Attack Mapper

    Default Policy Changes

    • Updated policy for the System Geolocation Discovery rule

    0.138.1

    February 13, 2024

    Rule Changes

    • Reduced false positive for the following rules:

      • Suspicious Cron Modification

      • Search Private Keys or Passwords

      • Kernel startup modules changed

      • Kernel Module Loaded by Unexpected Program

    • Added the following rules

      • Exfiltrating Artifacts via Kubernetes Control Plane

      • Discovery Security Service Activity Detected

      • Suspicious RC Script Modification

      • Azure Read Service SAS Token for a Storage Account

      • CloudShell Download File

      • Create Support Case

    • Improved condition for the following:

      • AWS reconnaissance rules

      • Hide Process with Mount rule

      • Suspicious Home Directory Creation rule

      • inbound_outbound macro

      • inbound macro

    • Improve coverage for T1025, T1092, and T1129

    • IoCs update

    Default Policy Changes

    Added the following rules:

    • Exfiltrating Artifacts via Kubernetes Control Plane

    • Discovery Security Service Activity Detected

    • Suspicious RC Script Modification

    • Azure Read Service SAS Token for a Storage Account

    • CloudShell Download File

    • Create Support Case

    0.138.0

    February 12, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Root User Container

      • Find AWS Credentials

      • Suspicious Cron Modification

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

    • Improved condition for Hide Process with Mount rule

    • Improved coverage for T1554

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.137.4

    February 09, 2024

    Rule Changes

    • Improved tag T113 for the Workload rules

    • Reduced false positives for the following rules:

      • Modify ld.so.preload

      • Possible Backdoor using BPF

      • nsenter Container Escape

      • Find AWS Credentials

    • Fixed condition for the Possible Backdoor using BPF rule

    • IoCs update

    0.137.3

    February 08, 2024

    Rule Changes

    • Improved condition for the following macros:

      • inbound_outbound

      • inbound

      • device_mounted_exists

    • ImprovedHide Process with Mountrule.

    • Improve output for Kernel Module Loaded by Unexpected Program rule

    • Reduced false positive for the following rules:

      • eBPF Program Loaded into Kernel

      • Suspicious device created in container

      • Suspicious Cron Modification

      • Mount Launched in Privileged Container

      • Modify ld.so.preload

      • Kernel Module Loaded by Unexpected Program

    • Improved the rfc_1918_addresses list

    • Updated IoCs

    0.137.2

    February 07, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Mount Launched in Privileged Container

      • Change thread namespace

      • Non sudo setuid

      • Find GCP Credentials

      • Kernel Module Loaded by Unexpected Program

      • eBPF Program Loaded into Kernel

    • IoCs update

    • Improved coverage for T1052 and T1102

    0.137.1

    February 06, 2024

    Rule Changes

    • IoCs update

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Suspicious Cron Modification

      • Kernel startup modules changed

      • eBPF Program Loaded into Kernel

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Packet socket created in container

      • Suspicious Cron Modification

      • Terminal Shell in Container

      • Possible Backdoor using BPF

      • Kernel startup modules changed

      • Suspicious Cron Modification

      • Suspicious System Service Modification

      • Write below etc

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

      • Launch Root User Container

      • Suspicious Domain Contacted

      • Non sudo setuid

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

      • Malicious IPs or domains detected on command line

      • nsenter Container Escape

      • Kernel startup modules changed

      • Suspicious Cron Modification

    • Improved condition for the following rules:

      • Suspicious device created in container

      • Suspicious Java Child Processes

      • Run shell untrusted

      • Create Hidden Files or Directories

    • Improved output for Workload rules - Event Summary

    • Improved tags for Workload rules - MITRE T1555

    • Added the following rules:

      • Suspicious Chdir Event Detected

      • Kernel Module Loaded by Unexpected Program

      • System Geolocation Discovery

      • Miner Filename Pushed to Repository

      • Mount on Container Path Detected

      • Hardware Added to the System

      • Abuse Sudo for Privilege Escalation

      • Suspicious Connection to K8S API Server From Container

    Default Policy Changes

    Added the following rules:

    • Suspicious Chdir Event Detected

    • Kernel Module Loaded by Unexpected Program

    • System Geolocation Discovery

    • Miner Filename Pushed to Repository

    • Mount on Container Path Detected

    • Hardware Added to the System

    • Abuse Sudo for Privilege Escalation

    • Suspicious Connection to K8S API Server From Container

    0.137.0

    February 05, 2024

    What's Changed

    Rule Changes

    Reduced false positive for the following rules:

    • Kernel startup modules changed

    • Suspicious Cron Modification

    0.136.8

    February 02, 2024

    Rule Changes

    Reduced false positives for the following:

    • Suspicious Cron Modification
    • Packet socket created in container
    • Possible Backdoor using BPF
    • eBPF Program Loaded into Kernel

    0.136.7

    February 01, 2024

    Rule Changes

    Reduced false positives for the following:

    • Suspicious System Service Modification

    • Suspicious Cron Modification

    • Kernel startup modules changed

    • Possible Backdoor using BPF

    • Terminal Shell in Container

    0.136.6

    January 31, 2024

    Rule Changes

    Reduced false positives for the following:

    • Launch Root User Container

    • Suspicious Domain Contacted

    • Non sudo setuid

    • Suspicious Cron Modification

    • Possible Backdoor using BPF

    • Write below etc

    0.136.5

    January 29, 2024

    Rule Changes

    • Added macro internal_domains_connection_data

    • Improved MITRE ATTCK tags for T1016

    • Reduced false positives for the following rules:

      • Write below etc

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Possible Backdoor using BPF

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.136.4

    January 26, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Domain Contacted

      • Write below etc

      • Fileless Malware Detected

      • Possible Backdoor using BPF

      • Improved output for Workload Rules - Event Summary

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.136.3

    January 25, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Contact K8S API Server From Container

      • Container escape via discretionary access control

      • Possible Backdoor using BPF

      • Launch Root User Container

      • Write below etc

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.136.2

    January 24, 2024

    Rule Changes

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Reduced false positives for the following rules:

      • Service Discovery Activity Detected

      • Write below root

      • Write below etc

      • Possible Backdoor using BPF

      • Find GCP Credentials

      • Create Privileged Pod

    0.136.1

    January 23, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Modify Shell Configuration File

      • Launch Ingress Remote File Copy Tools in Container

      • Possible Backdoor using BPF

      • Write below etc

    • Added the following rules:

      • Query to Window Management System Detected

      • Access to Clipboard Data Detected

      • Service Discovery Activity Detected

      • Suspicious Access To Kerberos Secrets

      • SES Delete Identity Policy

      • SES Update Identity Policy

      • SES Attach Policy to Identity

    • Improved condition for the following rules:

      • Suspicious Home Directory Creation

      • Find GCP Credentials

      • Get Secret Value

      • Create Lambda Function Not Using Latest Runtime

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    • Default Policy Changes

    • Added the following rules:

      • Query to Window Management System Detected

      • Access to Clipboard Data Detected

      • Service Discovery Activity Detected

      • Suspicious Access To Kerberos Secrets

      • SES Delete Identity Policy

      • SES Update Identity Policy

      • SES Attach Policy to Identity

    0.136.0

    January 22, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Change thread namespace

      • Write below root

      • Contact K8S API Server From Container

      • Possible Backdoor using BPF

      • Mount Launched in Privileged Container

      • Non sudo setuid

      • Write below etc

      • Modification of pam.d detected

      • Launch Ingress Remote File Copy Tools in Container

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.135.5

    January 19, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • nsenter Container Escape

      • Write below etc

      • Modification of pam.d detected

      • Write below root

      • Possible Backdoor using BPF

      • Contact K8S API Server From Container

      • Connection to IPFS Network Detected

      • Launch Root User Container

      • Create Symlink Over Sensitive Files

      • Non sudo setuid

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.135.4

    January 18, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Contact K8S API Server From Container

      • Launch Sensitive Mount Container

      • Launch Root User Container

      • Write below root

    0.135.3

    January 18, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Launch Privileged Container

      • Suspicious Cron Modification

    • Improved descriptions for Hide Process with Mount rule.

    • Improved output for Workload rules - Event Summary

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.135.2

    January 17, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Mount Launched in Privileged Container

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.135.1

    January 16, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Mount Launched in Privileged Container

      • nsenter Container Escape

      • Possible Backdoor using BPF

      • eFileless Malware Detected (memfd)

    • Added the following rules:

      • Password Policy Discovery Activity Detected

      • Hide Process with Mount

      • Modify Grub Configuration Files

    • Updated IoCs

    • Updated tags for Contact K8S API Server From Container rule.

    • Improved conditions for cContact K8S API Server From Container rule.

    • Improved list package_mgmt_binaries and macro package_listing

    • Improved condition for Container image built on host rule.

    • Improved tags for Workload rules - MITRE T1550 list.

    • Improved iptables_similar list.

    • Improved iptables_similar list.

    • Improved iptables_similar list.

    • Deprecated the following rules:

      • Malicious process detected

      • Creation attempt Azure Secure Transfer Required Set to Disabled

      • Azure Access Level creation attempt for Blob Container Set to Publicrule.

      • Azure Blob Created

      • Azure Blob Deleted

      • Azure Create/Update a Storage Account

      • Azure Delete a Storage Account

      • Azure Delete Function Key

      • Azure Create/Update a Storage Account

      • Azure Create/Update a Storage Account

      Default Policy Changes

    • Added the following rules:

      • Password Policy Discovery Activity Detected

      • Hide Process with Mount

      • Modify Grub Configuration Files

    • Updated the policy for Ransomware Filenames Detectedrule.

    • Improved condition for Contact K8S API Server From Containerrule.

    0.135.0

    January 15, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Mount Launched in Privileged Container

      • Kernel startup modules changed

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Write below root

    • Improvedfalco_privileged_images and falco_sensitive_mount_images lists.

    • Updated IoCs

    0.134.4

    January 12, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • PTRACE attached to process

      • Launch Sensitive Mount Container

    • Improved tags for Workload Rules - Financial Theft.

    • Improve output for Workload Rules - Event Summary - End of Enabled rules.

    0.134.3

    January 11, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Kernel startup modules changed

      • Possible Backdoor using BPF

      • Suspicious Cron Modification

      • Fileless Malware Detected (memfd)

    • Improved tags for Suspicious Operations with Firewalls rule.

    • Improved output for Workload Rules - Event Summary.

    • Updated Indicators of Compromise (IoCs) rulesets with new findings.

    0.134.2

    January 10, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Kernel startup modules changed

      • Possible backdoor using BPF

      • Launch Root User Container

      • Packet socket created in container

      • Suspicious Operations with Firewalls

    • Improved tags for Workload Rules.

    • Updated Indicators of Compromise (IoCs).

    Default Policy Changes

    • Updated the policy for nsenter Container Escape rule.

    0.134.1

    January 09, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Suspicious Cron Modification

      • Packet socket created in container

      • Clear Log Activities

    • Added the following rules:

      • Simple Email Service (SES) Verify Identity

      • SES Update Account Sending

      • SES Delete Identity

      • SES Create SMTP

      • SNS Delete Subscription

      • SNS Delete Topic

      • SNS Get SMS Sending Information

      • Organization Update Service Control Policy

      • Organization Create Service Control Policy

      • Organization Delete Service Control Policy

      • Repository Fork Set to Public

      • Repository Fork Set to Private

      • Attach SES Policy to User

      • Auditd Logging Commands

      • Repository Fork Set to Public

    • Improved output for Workload Rules - Event Summary.

    • Imoroved condition for the following rules:

      • Get Federation Token with Admin Policy
      • Ransomware Filenames Detected

      • Detect malicious cmdlines

      • nsenter Container Escape

      • Mount Launched in Privileged Container

      • Put Bucket ACL for AllUsers

      Default Policy Changes

    • Updated policies for the following rules:

      • AWS CLI used with endpoint url parameter rule

      • Ransomware Filenames Detected

      • Azure Blob Created, Azure Blob Deleted

    0.134.0

    January 08, 2024

    Rule Changes

    • Reduced false positives for the following rule:

      • Contact EC2 Instance Metadata Service From Container

    0.133.14

    January 05, 2024

    Rule Changes

    • Reduced for the following rules:

      • Modification of pam.d detected

      • Possible Backdoor using BPF

      • Suspicious Cron Modification

      • PTRACE attached to process

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the Ransomware Filenames Detectedrule.

    0.133.13

    January 04, 2024

    Rule Changes

    • Reduced false positives for the following rules:

      •  Modification of pam.d detected

      • Non sudo setuid

      • Execution from /tmp

      • Suspicious Cron Modification

      • Suspicious Cron Modification

      • Set Setuid or Setgid bit

      • Read sensitive file untrusted

    • Updated the IoCs Ruleset with new findings.

    • Added the Ransomware Filenames Detectedrule.

    Default Policy Changes

    • Added the Ransomware Filenames Detectedrule.

    • Policy updated for Azure Blob Created and Azure Blob Deletedrules.

    0.133.12

    January 03, 2024

      Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

    • Updated the IoCs Ruleset with new findings.

    0.133.11

    December 22, 2023

    Rule Changes

    Reduced false positives for the following rules:

    • Change memory swap options

    • Packet socket created in container

    • eBPF Program Loaded into Kernel

    0.133.10

    December 21, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read ssh information

      • eBPF Program Loaded into Kernel

    • Improved condition for the Detect outbound connections to Proxy/VPN rule.

    • Updated the IoCs Ruleset with new findings.

    0.133.9

    December 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Clear Log Activities

      • Possible Backdoor using BPF

    • Improved condition for the Detect outbound connections to TOR Entry Nodes rule.

    • Updated the IoCs Ruleset with new findings.

    0.133.8

    December 19, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Create Hidden Files or Directories

      • Suspicious Cron Modification

      • eBPF Program Loaded into Kernel

      • Write below etc

      • Launch Sensitive Mount Container

      • Launch Root User Container

    • Improved condition for the following rule:Connection to IPFS Network Detected

    • Updated the IoCs Ruleset with new findings.

    0.133.7

    December 18, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Launch Root User Container

    • Improved condition for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • AWS CLI used with endpoint url parameter

    • Improved output for the Connection to IPFS Network Detectedrule.

    • Updated the IoCs Ruleset with new findings.

    0.133.6

    December 15, 2023

    Rule Changes

    • Reduced false postives for the following rules:

      • Launch Privileged Container

      • Set Setuid or Setgid bit

      • AWS CLI used with endpoint url parameter

    • Improved output for the following rules:

      • Detect outbound connections to TOR Entry Nodes

      • Detect crypto miners using the Stratum protocol

      • Connection to IPFS Network Detected

    • Updated the IoCs Ruleset with new findings.

    • Improved coverage for the Inhibit System Recoverytechnique.

    0.133.5

    December 14, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Connection to IPFS Network Detected

      • Packet socket created in container

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

    • Updated the IoCs Ruleset with new findings.

    0.133.4

    December 11, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

      • Launch Root User Containerl

      • Launch Sensitive Mount Container

      • Fileless Malware Detected (memfd)F

      • Create Symlink Over Sensitive Files

    • Updated the IoCs Ruleset with new findings.

    0.133.1

    December 04, 2023

    Rule Changes

    • Improved condition for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Improved output for the following rules:

      • Suspicious Home Directory Creation

      • Detect outbound connections to Proxy/VPN

    • Added the following rules:

      • New GitHub Action Workflow Deployed

      • Okta Multiple Application Requests with Invalid Credentials

      • Push on Github Actions Detected

      • Okta MFA Bypass Attempt

    • Remove macro from the Detect outbound connections to common miner pool ports rule.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules:

    • New GitHub Action Workflow Deployed

    • Okta Multiple Application Requests with Invalid Credentials

    • Push on Github Actions Detected

    • Okta MFA Bypass Attempt

    0.133.0

    December 03, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Modify binary dirs

      • Packet socket created in container

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

    • Updated the IoCs Ruleset with new findings.

    0.132.5

    November 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • Azure RDP Access Is Allowed from The Internet

      • Possible Backdoor using BPF

      • Azure SSH Access Is Allowed from The Internet

      • Read Shell Configuration File

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    0.132.4

    November 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Possible Backdoor using BPF

      • Modification of pam.d detected

      • Read ssh information

    • Updated the IoCs Ruleset with new findings.

    0.132.2

    November 29, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read ssh information

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    0.132.1

    November 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • eBPF Program Loaded into Kernel

      • Fileless Malware Detected (memfd)

      • Modification of pam.d detected

      • Suspicious Cron Modification

    • Added the following rules:

      • Update Secret in Secrets Manager

      • Delete Secret in Secrets Manager

      • Create Secret in Secrets Manager

      • Cancel Secret Rotation in Secrets Manager

      • Azure Create/Update User Managed Identity

      • Azure Create/Update a Public IP Address

      • Azure Create/Update a Key Vault

      • Azure Delete a Public IP Address

      • Azure Delete a Key Vault

      • Azure Delete User Managed Identity

      • CODEOWNERS file modified

      • Okta One-Time Token Reused

    • Improved the network_tool_binaries list.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Update Secret in Secrets Manager

      • Delete Secret in Secrets Manager

      • Create Secret in Secrets Manager

      • Cancel Secret Rotation in Secrets Manager

      • Azure Create/Update User Managed Identity

      • Azure Create/Update a Public IP Address

      • Azure Create/Update a Key Vault

      • Azure Delete a Public IP Address

      • Azure Delete a Key Vault

      • Azure Delete User Managed Identity

      • CODEOWNERS file modified

      • Okta One-Time Token Reused

    0.132.0

    November 27, 2023

    Rule Changes

    • Restored the Azure duplicated rules which were previously removed.

    Default Policy Changes

    • Restored the Azure duplicated rules which were previously removed.

    0.131.7

    November 25, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Contact EC2 Instance Metadata Service From Containe

      • Non sudo setuid

    • Improved condition for the following:

      • Azure Delete a Run Command on the Virtual Machine rule.

      • chmod macro.

    Default Policy Changes

    • Updated policy for Azure duplicated rules.

    0.131.5

    November 24, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Sensitive Mount Container

      • Create Symlink Over Sensitive Files

      • Kernel startup modules changed

      • Execution from /tmp

    • Changed rule name Azure Terminate the Virtual Machine to Azure Stop a Virtual Machine

    • Updated the IoCs Ruleset with new findings.

    • Updated MITRE tags.

    Default Policy Changes

    • Change rule name Azure Terminate the Virtual Machine to Azure Stop a Virtual Machine.

    0.131.4

    November 23, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Write below etc

      • Mount Launched in Privileged Container

      • Modification of pam.d detected

      • Read Environment Variable from /proc files in Container

    • Updated the IoCs Ruleset with new findings.

    • Updated MITRE tags.

    Default Policy Changes

    Updated policy for the Azure Terminate the Virtual Machine rule.

    0.131.3

    November 22, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF program loaded into kernel

      • Suspicious Cron Modification

      • Write below root

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    0.131.2

    November 21, 2023

    Default Policy Changes

    • Updated policy for the Assume Role performed by an Assumed Role Identity rule.

    0.131.1

    November 21, 2023

    Rule Changes

    • Reduced false positive for the following rules:

      • eBPF program loaded into kernel

      • Suspicious Cron Modification

      • Set Setuid or Setgid bit

      • Write below root

      • Detect outbound connections to common miner pool ports

    • Added the following rules:

      • Cloudtrail Management Events Disabled via Event Selectors

      • Assume Role performed by an Assumed Role Identity

    • Updated the policy for the Contact K8S API Server From Container rule.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Cloudtrail Management Events Disabled via Event Selectors

      • Assume Role performed by an Assumed Role Identity

    • Updated the policy for following rules:

      • Contact K8S API Server From Container

      • Contact Task Metadata Endpoint

    0.131.0

    November 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF program loaded into kernel

      • PTRACE attached to process

      • Set Setuid or Setgid bit

      • Non sudo setuid

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Removed the Disallowed K8s User rule from Managed Policies.

    0.130.8

    November 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Modification of pam.d detected

      • Possible Backdoor using BPF

      • Packet socket created in container

      • Dump memory for credentials

      • Launch Remote File Copy Tools in Container

      • Suspicious cron modification

      • Base64-encoded Shell Script Execution

      • Fileless Malware Detected (memfd)

    • Fixed exception in Share RDS Snapshot with Foreign Account rule.

    • Improved output for the Github Webhook Connected rule.

    • Updated the indicators of compromise (IoC) Ruleset with new findings.

    0.130.7

    November 16, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Launch Ingress Remote File Copy Tools in Container

      • Write below etc

      • Escape to host via command injection in process

    • Updated the IoCs Ruleset with new findings.

    0.130.6

    November 15, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch root user container

      • eBPF program loaded into kernel

      • Possible Backdoor using BPF

      • Non sudo setuid

      • Modification of pam.d detected

    • Improved output Okta ruleset.

    • Improved tags for the AWS RDS Master Password Update.

    • Updated the IoCs Ruleset with new findings.

    0.130.5

    November 14, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF program loaded into kernel

      • Mount Launched in Privileged Containe

      • Change thread namespace

    • Removed Sysdig images from the Terminal shell in container rule.

    • Improve description for the Okta Admin Console Access Velocity Behavior rule.

    • Updated policy for the SSM Get Parameter rule.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Updated the policy for the following rules:

      • EC2 Instance Connect/SSH Public Key Uploaded

      • SSM Get Parameter

    0.130.4

    November 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • Write below etc

      • Launch Sensitive Mount Container

      • Launch Root User Container

      • Write below root

      • Packet socket created in container

      • Launch privileged container

      • eBPF program loaded into kernel

    0.130.3

    November 10, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Mount Launched in Privileged Container

      • Possible Backdoor using BPF

      • Packet socket created in container

      • Non sudo setuid

    0.130.2

    November 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Modification of pam.d detected

      • Diamorphine Rootkit Activity

      • Write below root

      • eBPF program loaded into kernel

      • Write below etc

    • Updated the IoCs Ruleset with new findings.

    0.130.1

    November 07, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Mount Launched in Privileged Container

      • eBPF Program Loaded into Kernel

      • Modification of pam.d detected

    • Added the following rules:

      • Container image built on host

      • Leave Organization

      • EC2 Add User Data

      • SSM Get Parameter

      • EC2 Get User Data

    • Improved condition for the following rules:

      • System procs network activity

      • Potential UAC Bypass Using Registry Manipulation

      • ump memory for credentials

    • Improved the Windows suspicious_network_binaries list.

    • Updated description for the Malicious C2 IPs or domains exploiting log4j rule.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Container image built on host

      • Leave Organization

      • EC2 Add User Data

      • SSM Get Parameter

      • EC2 Get User Data

    • Updated the Remove MFA from user in Oktapolicy.

    0.130.0

    November 06, 2023

    Rule Changes

    Reduced false positives for the following rules:

    • eBPF Program Loaded into Kernel

    • Write below etc

    • Read Environment Variable from /proc files in Container

    • Modification of pam.d detected

    • Non sudo setuid

    0.129.4

    November 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Search Private Keys or Passwords

      • Fileless Malware Detected (memfd)

      • Mount Launched in Privileged Container

      • Modification of pam.d detected

      • SSH keys added to authorized_keys

      • Non sudo setuid

      • Possible backdoor using BPF

      • Change memory swap options

      • Kernel startup modules changed

    • Improved output for the Shutdown or Reboot detected rule.

    • Updated MITRE tags.

    • Improved condition for the Execution of binary using ld-linux rule.

    0.129.3

    November 02, 2023

    Default Policy Changes

    • Updated theSysdig AWS Notable Events policy.

    0.129.2

    October 31, 2023

    Rule Changes

    • Added the following rules:

      • Shutdown or Reboot detected

      • Get Federation Token with Admin Policy

      • Full Visibility on Federated Sessions

      • GCP CloudRun Service Started

      • Create Key Pair

      • Stop EC2 Instances

      • Get Lambda Function

      • Attach IAM Policy to Group

      • Escape to host via command injection in process

    • Updated the IoCs Ruleset with new findings.

    • Improved the network_tool_binarieslist.

    • Improved condition for the following rules:

      • GLIBC "Looney Tunables" Local Privilege Escalation

        CVE-2023-4911

      • Potential IRC connection detected

      • Put Object in Watched Bucket

    Default Policy Changes

    • Added the following rules:

      • Shutdown or Reboot detected

      • Get Federation Token with Admin Policy

      • Full Visibility on Federated Sessions

      • GCP CloudRun Service Started

      • Create Key Pair

      • Stop EC2 Instances

      • Get Lambda Function

      • Attach IAM Policy to Group

      • Escape to host via command injection in process

    • Updated the policy for the following rule:

      • Change memory swap options

    0.129.0

    October 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious cron modification

      • Packet socket created in container

      • Fileless Malware Detected (memfd)

      • Modification of pam.d detected

      • Write below etc

      • Read SSH information

      • docker client is executed in a container

      • eBPF Program Loaded into Kernel

      • Write below rpm databasec

    • Updated the IoCs Ruleset with new findings.

    • Updated MITRE tags.

    • Improved output for the following:

      • Hexadecimal string detected

      • Output CloudRun Create Service

    0.128.7

    October 26, 2023

    Added Windows support.

    0.128.6

    October 24, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Possible backdoor using BPF

      • Modification of pam.d detected

      • SSH keys added to authorized_keys

      • Kernel startup modules changed

    • Updated the IoCs Ruleset with new findings.

    • Updated MITRE tags.

    • Improved the condition for the Modification of pam.d detected rule.

    0.128.4

    October 23, 2023

    Rule Changes

    • Updated Sysdig Mitre Attack Mapper.

    • Updated MITRE tags.

    • Reduced false positives for the following rules:

      • Fileless Malware Detected (memfd)

      • Modification of pam.d detected

      • Possible Backdoor using BPF

      • Suspicious Cron Modification

      • Packet socket created in container

      • Kernel startup modules changed

      • Modification of pam.d detected

      • Fileless Malware Detected (memfd)

      • Modify ld.so.preload

    0.128.3

    October 18, 2023

    Rule Changes

    Reduced false positives for the following rules:

    • Mount launched in privileged container

    • Kernel startup modules changed

    • Read SSH information

    • Possible Backdoor using BPF

    0.128.2

    October 17, 2023

    Rule Changes

    • Reduced false positives for the following preview rules:

      • Unmount executed on host

      • System Time Discovery Detected

      • System Time Discovery Detected

      • Shutdown or Reboot detected

    • Updated MITRE tags.

    • Reduced false positives for the following rules:

      • Suspicious Cron Modification

      • Fileless Malware Detected (memfd)

      • eBPF Program Loaded into Kernel

    0.128.1

    October 06, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel rule

      • Possible Backdoor using BPF

    • Improved condition for the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule.

    • Updated the IoCs Ruleset with new findings.

    0.127.7

    October 04, 2023

    Rule Changes

    • Added the following rules:

      • CodeBuild Create Project with Miner

      • CodeBuild Start Build with Miner

      • CodeCommit Create Repository

      • CodeCommit Git Push

      • CodeBuild Create Project

      • CloudFormation Create Stack

      • SSH keys added to authorized_keys

      • SageMaker Create Notebook Instance Lifecycle Configuration

      • Image Builder Create Component

      • Amplify Create App

      • EC2 Create Auto Scaling Group

      • Potential IRC connection detected

      • CodeBuild Start Build

      • ECS Create Cluster

      • EC2 Create Launch Template

      • Change memory swap options

      • Azure Update a Web App's configuration settings

      • Azure Function App Create/Update a Connection

      • Azure Create/Update Web Apps Hostname Bindings

      • Azure Cosmos DB Delete MongoDB Database

      • Azure Cosmos DB Delete SQL DB Container

      • Azure Cosmos DB Delete Postgres Firewall Rule

      • Azure Cosmos DB Delete Postgres Cluster

      • Azure Cosmos DB Delete Service

      • Azure Cosmos DB Delete MongoDB Role Definition

      • Azure Cosmos DB Delete MongoDB User Definition

      • Azure Cosmos DB Delete MongoDB Database Collection

      • Azure Cosmos DB Delete Gramlin Database

      • Azure Cosmos DB Delete Gremlin Database Graphs

      • Azure Cosmos DB Delete Cassandra Keyspace

      • Azure Cosmos DB Delete Cassandra Table

      • Azure Cosmos DB Delete Database Account

      • Azure Cosmos DB Delete Table

      • Azure Cosmos DB Delete Postgres Role

      • Azure Cosmos DB Delete SQL Assignment

      • Azure Cosmos DB Delete SQL Database

      • Azure Cosmos DB Delete SQL User Defined Function

      • Azure Cosmos DB Delete SQL Trigger

      • Azure Cosmos DB Delete SQL Stored Procedure

      • Azure Cosmos DB Create SQL Assignment

      • Azure Cosmos DB Create Postgres Role

      • Azure Cosmos DB Create SQL Definition

      • Azure Cosmos DB Create SQL Database

      • Azure Cosmos DB Create SQL User Defined Function

      • Azure Cosmos DB Create SQL Trigger

      • Azure Cosmos DB Create SQL Stored Procedure

      • Azure Cosmos DB Create SQL DB Container

      • Azure Cosmos DB Create Postgres Firewall Rule

      • Azure Cosmos DB Create MongoDB Database

      • Azure Cosmos DB Create Postgres Cluster

      • Azure Cosmos DB Create MongoDB Role Definition

      • Azure Cosmos DB Create MongoDB User Definition

      • Azure Cosmos DB Create MongoDB Database Collection

      • Azure Cosmos DB Create Gramlin Database

      • Azure Cosmos DB Create Gremlin Database Graphs

      • Azure Cosmos DB Create Cassandra Keyspace

      • Azure Cosmos DB Create Cassandra Table

      • Azure Cosmos DB Create Database Account

      • Azure Cosmos DB Create Table

      • Azure Cosmos DB Create Service

    • Reduced false positivess for the following rules:

      • Read Environment Variable from /proc files in Container

      • Set Setuid or Setgid bit

      • Launch Suspicious Network Tool in Container

      • Non sudo setuid

      • Clear log activities

      • eBPF Program Loaded into Kernel

      • Search Private Keys or Passwords

    • Improved condition for the following rules:

      • Detect curl Using Socks Proxy

      • Detect cloned process by PRoot

    • Updated MITRE tags.

    • Updated policy for the Modification of pam.d detected rule.

    • Improved log_files list.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • CodeBuild Create Project with Miner

      • CodeBuild Start Build with Miner

      • CodeCommit Create Repository

      • CodeCommit Git Push

      • CodeBuild Create Project

      • CloudFormation Create Stack

      • SSH keys added to authorized_keys

      • SageMaker Create Notebook Instance Lifecycle Configuration

      • Image Builder Create Component

      • Amplify Create App

      • EC2 Create Auto Scaling Group

      • Potential IRC connection detected

      • CodeBuild Start Build

      • ECS Create Cluster

      • EC2 Create Launch Template

      • Change memory swap options

    • Updated policy for the following rules:

      • Suspicious device created in container

      • Modification of pam.d detected

    • Added Simple Systems Manager (SSM) rules to awscloudtrail policy.

    0.128.0

    October 04, 2023

    Rule Changes

    Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule.

    Default Policy Changes

    Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule.

    0.127.6

    October 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Modify ld.so.preload

      • Contact EC2 Instance Metadata Service From Containe

    • Updated the IoCs Ruleset with new findings.

    0.127.5

    October 03, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read Environment Variable from /proc files in Container

      • Set Setuid or Setgid bit

      • Launch Suspicious Network Tool in Container

      • Non sudo setuid

      • Clear log activities

      • eBPF Program Loaded into Kernel

      • Search Private Keys or Passwords

    • Updated the IoCs Ruleset with new findings.

    0.127.4

    September 29, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • AWS CLI used with endpoint url parameter

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

    • Updated the MITRE tags.

    • Added thedns_traffic macro.

    • Improved the Okta rules.

    • Updated the IoCs Ruleset with new findings.

    0.127.3

    September 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • Non sudo setuid

      • Launch root user container

      • Packet socket created in container

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Fileless Malware Detected (memfd)

    • Updated MITRE tags.

    • Added exception for the Suspicious Domain Contacted rule.

    • Updated the IoCs Ruleset with new findings.

    0.127.2

    September 27, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • Launch excessively capable container

      • Possible backdoor using BPF

      • Launch privileged container

    • Improved output for the Fileless Malware Detected (memfd) rule.

    • Updated the IoCs Ruleset with new findings.

    0.127.1

    September 26, 2023

    Rule Changes

    • Added the following rules:

      • GCP VPC Add Peering

      • Okta Suspicious User Activity Report

      • Okta Admin Console Access via New Device

      • Okta FastPass Phishing Attempt

      • Modification of pam.d detected

      • GCP Modified VPC Network

      • GCP Create VPC Network

      • GCP VPC Remove Peering

      • Okta Admin Console Access Velocity Behavior

      • GCP Create Role

      • GCP Delete Route

      • Suspicious device created in container

      • GCP Update CloudSQL

      • Okta Admin Console Access with New Behaviors

      • GCP Create Route

      • Okta Sign-in via Proxy

      • Okta Create Identity Provider

      • K8s Pod Deleted

      • GCP Update Role

      • GCP Modify Audit Policy

      • SSM Start Session

      • Okta Admin Console Access Failure

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Set Setuid or Setgid bit

      • Mount Launched in Privileged Container

      • Suspicious Cron Modification

      • Possible Backdoor using BPF

    • Improved condition for the following rules:

      • Okta CAPTCHA Settings Updated

      • Okta Suspicious IP Inbound Request

    • Updated MITRE tags.

    • Improved output for the Packet socket created in container rule.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • GCP VPC Add Peering

      • Okta Suspicious User Activity Report

      • Okta Admin Console Access via New Device

      • Okta FastPass Phishing Attempt

      • Modification of pam.d detected

      • GCP Modified VPC Network

      • GCP Create VPC Network

      • GCP VPC Remove Peering

      • Okta Admin Console Access Velocity Behavior

      • GCP Create Role

      • GCP Delete Route

      • Suspicious device created in container

      • GCP Update CloudSQL

      • Okta Admin Console Access with New Behaviors

      • GCP Create Route

      • Okta Sign-in via Proxy

      • Okta Create Identity Provider

      • K8s Pod Deleted

      • GCP Update Role

      • GCP Modify Audit Policy

      • SSM Start Session

      • Okta Admin Console Access Failure

    • Updated policy for the following rules:

      • AWS CLI used with endpoint url parameter

      • Hexadecimal string detected

    0.127.0

    September 22, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Kernel startup module changed

      • Launch root user container

      • Read shell configuration file

      • Write below etc

    • Improved output for the SSM Send Command rule.

    • Updated the IoCs Ruleset with new findings.

    • Updated MITRE tag.

    0.126.3

    September 21, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Non Sudo Setuid

      • Mount Launched in Privileged Container

      • Fileless Malware Detected (memfd)

      • Base64-encoded Shell Script Execution

      • Mount Launched in Privileged Container

      • Packet socket created in container

      • Write below etc

      • Launch sensitive mount container

    • Updated the IoCs Ruleset with new findings.

    • Updated MITRE tag.

    0.126.2

    September 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • kernel startup module changed

      • Launch Privileged Container

    • Updated the IoCs Ruleset with new findings.

    • Fixed incorrect tags.

    Default Policy Changes

    Updated policy for the following rules:

    • CloudWatch Delete Alarms

    • Schedule Key Deletion

    • CloudWatch Delete Log Group

    0.126.1

    September 19, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Launch Root User Container

      • Suspicious Operations with Firewalls

      • Non sudo setuid

      • Fileless Malware Detected (memfd)

      • Non Sudo Setuid

    • Added the following rules:

      • AWS CLI used with endpoint url parameter

      • Hexadecimal string detected

    • Improved condition for the Packet socket created in container rule.

    Default Policy Changes

    • Added the following files:

      • AWS CLI used with endpoint url parameter

      • Hexadecimal string detected

    • Updated the policy for Container escape via discretionary access control.

    • Added the Sysdig Azure Threat Intelligencepolicy.

    0.126.0

    September 14, 2023

    Rule Changes

  • Reduced false positives for the following rule:

    • Suspicious Operations with firewall

    0.125.3

    September 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Root User Container

      • Set Setuid or Setgid bit

      • Launch Suspicious Network Tool in Container

    • Updated the IoCs Ruleset with new findings.

    0.125.1

    September 12, 2023

    Rule Changes

    • Added the following files:

      • Unexpected Unshare event in Container

      • Disallowed SSH Connection Non Standard Port

      • Azure Suspicious IP Inbound Request

      • GCP Change Owner

      • Container escape via discretionary access control

    • Improved condition for the following:

      • Launch Privileged Container

      • Write below etc

      • Suspicious Operations with Firewalls

      • Launch Remote File Copy Tools in Container

    • Improved the sysdig_commercial_images list.

    • Improved the performance of the renamemacro.

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following files:

    • Unexpected Unshare event in Container

    • Disallowed SSH Connection Non Standard Port

    • Azure Suspicious IP Inbound Request

    • GCP Change Owner

    • Container escape via discretionary access control

    0.125.0

    September 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Ingress Remote File Copy Tools in Container

      • Launch Root User Container

      • Possible Backdoor using BPF

      • Fileless Malware Detected (memfd)

      • Packet socket created in container

      • Change thread namespace

    • Improved host and container tags.

    • Updated the IoCs Ruleset with new findings.

    0.124.3

    September 06, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • PTRACE attached to process

      • Mount Launched in Privileged Container

      • Launch Root User Container

      • Launch Sensitive Mount Container

      • Launch Privileged Container

    • Added the azure_trusted_images_launch_root_list list.

    • Updated the IoCs Ruleset with new findings.

    0.124.1

    September 05, 2023

    Rule Changes

    • Improved condition for the following:

      • Possible Backdoor using BPF

      • Create Symlink Over Sensitive Files

      • Suspicious Home Directory Creation

      • container_entrypoint

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the rule to the AWS IAM Credential Report Requestpolicy.

    • Update the policy for the Contact Task Metadata Endpoint rule.

    0.124.0

    September 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Possible Backdoor using BPF

      • Fileless Malware Detected (memfd)

    • Improved host and container tags.

    • Updated the IoCs Ruleset with new findings.

    0.123.3

    September 02, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Mount Launched in Privileged Container

      • Packet Socket Created in Container

      • Launch Root User Container

      • Launch Privileged Container

    • Improved condition for the following rule:

      • GCP Default Service Account Activity

    • Updated the IoCs Ruleset with new findings.

    • Improved the host and container tags.

    0.123.2

    August 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Packet Socket Created in Container

      • Read Shell Configuration File

      • Change Thread Namespace

      • eBPF Program Loaded into Kernel

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    0.123.1

    August 29, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • Kernel startup modules changed

    • Improved condition for the following rules:

      • Contact Task Metadata Endpoint

      • Detect reconnaissance scripts

    • Improved output for the following rules:

      • Update Package Repository

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    • Improved the miner_portslist.

    0.123.0

    August 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read ssh information

      • Suspicious System Service Modification

      • Suspicious Cron Modification

      • Read Shell Configuration File

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    Reduced false positives for Put Object in Watched Bucket.

    0.122.5

    August 18, 2023

    Rule Changes

    Reduced false positives for the following rules:

    • Packet socket created in container

    • Change thread namespace

    • AWS SSM Agent File Write

    Default Policy Changes

    Downgraded AWS rules.

    0.122.4

    August 05, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Execution from /tmp

      • Launch Privileged Container

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    0.122.3

    August 03, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below root

      • Set Setuid or Setgid bit

      • Possible Backdoor using BPF

      • Non sudo setuid

      • Launch Sensitive Mount Container

    • Updated the IoCs Ruleset with new findings.

    • Improved output for the Fileless Malware Detected (memfd) rule.

    Default Policy Changes

    Removed Packet socket created in container from the Sysdig Runtime Notable Events policy.

    0.122.2

    August 02, 2023

    Rule Changes

    • Improved condition for Azure RDP Access Is Allowed from The Internet rule.

    • Improved condition for Azure SSH Access Is Allowed from The Internet rule.

    Default Policy Changes

    Remove the AWS IAM Credential Report Request rule from policy.

    0.122.1

    August 01, 2023

    Rule Changes

    • Reduced false positives for the Launch Root User Container rule.

    • Added the following rules:

      • AWS ECS Create Task Definition

      • AWS RDS Master Password Update

      • AWS IAM Credential Report Request

    • Updated the IoCs Ruleset with new findings.

    • Improved the network_tool_binaries list.

    • Added support for accept4 syscall.

    Default Policy Changes

    Added the following rules:

    • AWS ECS Create Task Definition

    • AWS RDS Master Password Update

    • AWS IAM Credential Report Request

    0.122.0

    July 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Write below rpm database

      • Write below binary dir

    • Updated the IoCs Ruleset with new findings.

    0.121.4

    July 27, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Fileless Malware Detected (memfd)

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Write below root

      • Packet socket created in container

      • Execution from /tmp

    • Increased the async limit to speed up validation times.

    • Updated the IoCs Ruleset with new findings.

    0.121.3

    July 26, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Fileless Malware Detected (memfd)

      • Contact GCP Instance Metadata Service from Container

    • Improved performance for Contact Task Metadata Endpoint

    • Updated the IoCs Ruleset with new findings.

    0.121.2

    July 25, 2023

    Rule Changes

    • Reduced false positives for the following rule: Fileless Malware Detected (memfd)

    • Tuned the preview rule:

      • Potential IRC connection detected<

    • Added the preview rule:

      • Contact AWS Fargate Task Metadata Endpoint

    0.121.1

    July 25, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Execution from /tmp

      • Change thread namespace

      • Packet socket created in container

      • AWS SSM Agent File Write

    • Added the following rules:

      • Fileless Malware Detected (memfd)

      • Contact Azure Instance Metadata Service from Container

      • Contact GCP Instance Metadata Service from Container

    • Updated the IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Fileless Malware Detected (memfd)

      • Contact Azure Instance Metadata Service from Container

      • Contact GCP Instance Metadata Service from Container

    • Updated the policy for the following rules:

      • Find Azure Credentials

      • Find GCP Credentials

      • Download and launch remote file copy tools in container

      • Find GCP Credentials

      • Removed the Contact cloud metadata service from container rule from policies.

    0.121.0

    July 24, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Packet socket created in container

      • User Management Event Detected

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    0.120.4

    July 22, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Change thread namespacer

      • Launch Privileged Container

      • Mount Launched in Privileged Container

      • Possible Backdoor using BPF

    • Improved outputs for the following rules:

      • Suspicious Domain Contacted

      • Suspicious Domain Contacted

      • non_system_user

      • Connection to IPFS Network Detected

    • Added the following macros to Threat Intel:

      • ipfs_domains_in_args

      • suspicious_domains_connection_data

    • Updated the IoCs Ruleset with new findings.

    0.120.0

    July 21, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Domain Contacted

      • The docker client is executed in a container

      • eBPF Program Loaded into Kernel

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    • Tuned thePotential IRC connection detected preview rule.

    0.120.3

    July 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Connection to IPFS Network Detected

      • Packet socket created in container

      • The docker client is executed in a container

      • Launch Privileged Container

    • Updated the IoCs Ruleset with new findings.

    0.120.2

    July 18, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Read Shell Configuration File

      • Read sensitive file untrusted

      • Read ssh information

      • Write below monitored dir

    • Added exception for the following rules:

      • Suspicious Domain Contacted

      • Connection to IPFS Network Detected

    • Improved performance for Write below monitored dir

    • Updated the IoCs Ruleset with new findings.

    0.120.1

    July 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • The docker client is executed in a container

      • Change thread namespace

      • Packet socket created in container

      • Possible Backdoor using BPF

      • AWS SSM Agent File Write

    • Updated the IoCs Ruleset with new findings.

    0.119.4

    July 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • AWS SSM Agent File Write

      • Possible Backdoor using BPF

      • Change thread namespace

    • Improved performance for the following rules:

      • Shell binaries opening connections

      • Drop and execute new binary in container

    • Updated the IoCs Ruleset with new findings.

    0.119.3

    July 12, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Packet socket created in container

      • Change thread namespace

      • Terminal shell in container

      • eBPF Program Loaded into Kernel

      • Write below root

    • Improved performance for the following rules:

      • Dump memory for credentials

      • Lastlog Files Cleared

      • Diamorphine Rootkit Activity

    • Updated the IoCs Ruleset with new findings.

    • Introduced retries for intermittent HTTP errors and improved logs.

    0.119.2

    July 11, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Possible Backdoor using BPF

      • Non sudo setuid

      • Run shell untrusted

      • Find GCP Credentials

      • Change thread namespace

    • Improved performance for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Write below rpm database

      • DB program spawned process

      • Delete or rename shell history

    • Updated the IoCs Ruleset with new findings.

    0.119.1

    July 10, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Write below etc

      • Possible Backdoor using BPF

    • Excluded local IPv6 from macros.

    • Improved performance for the following rules:

      • Read sensitive file trusted after startup

      • Write below etc

      • System procs network activity

      • Read sensitive file untrusted

      • AWS SSM Agent Activity

    • Added the following rules:

      • EC2 Instance Connect System Access

      • AWS SSM Agent File Write

      • Removing MFA from Admin in Okta

      • Download and launch remote file copy tools in container

      • Find GCP Credentials

      • Find Azure Credentials

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the following rule:

      • Kernel startup modules changed

    • Default Policy Changes

    • Added the following rules:

      • EC2 Instance Connect System Access

      • AWS SSM Agent File Write

      • Removing MFA from Admin in Okta

      • Download and launch remote file copy tools in container

      • Find GCP Credentials

      • Find Azure Credentials

    0.119.0

    July 07, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Search Private Keys and Passwords

    • Updated the IoCs Ruleset with new findings.

    • Improved the network_tool_binaries list.

    0.118.3

    July 06, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Change thread namespace rule

      • Search Private Keys or Passwords

      • Packet socket created in container

    • Updated the IoCs Ruleset with new findings.

    0.118.2

    July 05, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Packet socket created in container

      • eBPF Program Loaded into Kernel

      • Launch Sensitive Mount Containe

    • Updated the IoCs Ruleset with new findings.

    • Fix exceptions for the AWS SSM Agent Activity rule.

    0.118.1

    June 30, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Launch Root User Container

      • Detection bypass by symlinked files

      • Launch Ingress Remote File Copy Tools in Container

      • Possible Backdoor using BPF

    • Updated the IoCs Ruleset with new findings.

    0.117.8

    June 28, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • DB program spawned process

      • Launch Sensitive Mount Container

      • Launch Root User Container

    • Updated the IoCs Ruleset with new findings.

    • Improved the falco_sensitive_mount_imageslist.

    • Added preview structure for rules.

    Default Policy Changes

    • Added preview structure for rules.

    0.117.7

    June 26, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Launch Sensitive Mount Containe

      • DB program spawned processt

      • Read ssh information

      • Non sudo Setuid

    • Updated the IoCs Ruleset with new findings.

    • Improved the process_name_exists macro.

    0.117.6

    June 23, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Terminal shell in container

      • Launch Sensitive Mount Container

      • Modify binary dirs

      • Set Setuid or Setgid bit

    • Updated the IoCs Ruleset with new findings.

    0.117.5

    June 22, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious System Service Modification

      • Write below root

      • Change thread namespace

      • Launch Sensitive Mount Container

    • Updated the IoCs Ruleset with new findings.

    • Improved performance for the Contact EC2 Instance Metadata Service From Container and Write below binary dir rules.

    0.117.4

    June 21, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Launch Sensitive Mount Container

      • Launch Root User Container

    • Updated the IoCs Ruleset with new findings.

    0.117.3

    June 19, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Ingress Remote File Copy Tools in Container

      • AWS SSM Agent Activity

      • Read Shell Configuration File

      • Write below rpm database

    • Updated the IoCs Ruleset with new findings.

    • Improved the falco_privileged_images list.

    0.117.2

    June 20, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • AWS SSM Agent Activity

      • Suspicious Operations with Firewallse

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    • Fixed exception value.

    • Removed append fields from rules and macros.

    0.117.1

    June 09, 2023

    Rule Changes

    • Removed duplicate tags in rules.

    0.116.5

    June 09, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Java Process Class File Download

      • Set Setuid or Setgid bit

      • User mgmt binaries

    • Updated the IoCs Ruleset with new findings.

    0.116.4

    June 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Write below etc

    • Improved output for The docker client is executed in a container rule.

    • Updated the IoCs Ruleset with new findings.

    0.116.3

    June 07, 2023

    Rule Changes

    • Removed the Okta 5 minute rules.

    • Improved the output for the Java Process Class File Downloadrule.

    Default Policy Changes

      Removed the Okta 5 minute rules.

    0.116.2

    May 31, 2023

    Rule Changes

    • Updated the IoCs Ruleset with new findings.

    • Added exception for the following rules:

      • Launch Privileged Container

      • Launch Excessively Capable Container

      • Launch Sensitive Mount Container

    0.115.1

    May 30, 2023

    Rule Changes

    • Reduced false positives for the Execution from /tm rule.

    • Added the following rules:

      • K8s Ingress Deleted

      • K8s Ingress Created/Modified

      • AWS EC2 Instance Connect/SSH Public Key Uploaded

      • Admin permission has been assigned to a group in Okta

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the following rules:

      • Find AWS Credentials

      • Okta CAPTCHA Settings Updated

      • Search Private Keys or Passwords

    • Default Policy Changes

    • Added the following rules:

      • K8s Ingress Deleted

      • K8s Ingress Created/Modified

      • AWS EC2 Instance Connect/SSH Public Key Uploaded

      • Admin permission has been assigned to a group in Okta

    0.115.0

    May 18, 2023

    Rule Changes

    • Added the Okta CAPTCHA Settings Updated rule.

    • Reduced false positives for the following rules:

      • Read ssh information

      • Write below root

      • Run shell untrusted

    • Updated the IoCs Ruleset with new findings.

    • Default Policy Changes

    • Added the Okta CAPTCHA Settings Updated rule.

    0.114.1

    May 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Privileged Container

      • Read sensitive file untrusted

      • Read Shell Configuration File

      • eBPF Program Loaded into Kernel

      • Write below etc

      • Launch Root User Container

      • Create files below dev

      • Non sudo setuid

    • Added the following rules:

      • Drop and execute new binary in container

      • GCP Cloud SQL Data Exfiltration

      • GCP Create Service Account

      • GCP Create or Modify Compute SSH Key

      • GCP Default Service Account Activity

      • Directory traversal monitored file read

      • Detection bypass by symlinked files

    • Updated the IoCs Ruleset with new findings.

    • Introduced v16 ruleset.

    • Improved condition for the OpenSSL File Read or Write rule.

    • Improved detection for the Suspicious System Service Modification rule.

    Default Policy Changes

    Added the following rules:

    • Drop and execute new binary in container

    • GCP Cloud SQL Data Exfiltration

    • GCP Create Service Account

    • GCP Create or Modify Compute SSH Key

    • GCP Default Service Account Activity

    • Directory traversal monitored file read

    • Detection bypass by symlinked files

    0.114.0

    May 10, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • User mgmt binaries

      • Write below etc

      • Execution from /tmp

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    0.113.2

    May 09, 2023

    Rule Changes

      Reduced false positives for the following rules:

      • Shell binaries opening connections

      • Execution from /tmp

    0.113.1

    May 08, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Remote File Copy Tools in Container

      • Read Shell Configuration File

      • Write below etc

      • Set Setuid or Setgid bit

      • Change thread namespace

      • Write below rpm database

      • Launch Privileged Container

      • eBPF Program Loaded into Kernel

      • Set Setuid or Setgid bit

    • Updated the IoCs Ruleset with new findings.

    • Improved condition for the following rules:

      • Execution from /tmp

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Added the following rules:

      • Shell binaries opening connections

      • AWS Attach IAM Policy to Role

    • Added exceptions for the Ingress Object without TLS Certificate Created rule.

    Default Policy Changes

    Added the following rules:

    • Shell binaries opening connections

    • AWS Attach IAM Policy to Role

    0.113.0

    May 05, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • Non sudo setuid

    • Updated the Sysdig Mitre Attack mapper.

    • Updated the IoCs Ruleset with new findings.

    0.112.3

    May 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Suspicious Network Tool in Container

      • Write below rpm database

      • Launch Remote File Copy Tools in Container

    • Updated the IoCs Ruleset with new findings.

    0.112.2

    May 01, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Write below etc

      • Read sensitive file untrusted

      • Kernel startup modules changed

      • Launch Privileged Container

      • Mount Launched in Privileged Container

      • Launch Ingress Remote File Copy Tools in Container

      • Non sudo setuid

    • Updated the IoCs Ruleset with new findings.

    • Enable theJava Process Class File Download rule by default.

    Default Policy Changes

    Enable the following rules by default:

    • Java Process Class File Download

    • Kernel startup modules changed

    0.112.0

    April 26, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Run shell untrusted

      • eBPF Program Loaded into Kernel

      • Launch Sensitive Mount Container

      • Launch Package Management Process in Container

      • Launch Root User Container

    • Updated the following tags:

      • AWS MITRE ATT&CK

      • Azure MITRE ATT&CK

      • GCP MITRE ATT&CK 

    • Updated the IoCs Ruleset with new findings.

    • Improved the MITRE ATT&CK tags.

    • Improved the sysdig_commercial_images list.

    Default Policy Changes

    Updated policy for the following rules:

    • Packet socket created in container

    • Create Hardlink Over Sensitive Files

    0.111.0

    April 17, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Non sudo setuid

      • Write below etc

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Read ssh information

      • Clear Log Activities

      • Modify Shell Configuration File

      • System ClusterRole Modified/Deleted

    • Updated policy for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Detect release_agent File Container Escapes

    • Updated IoCs Ruleset with new findings.

    • Improved output for the Launch Excessively Capable Container rule.

    • Added the Kernel startup modules changed rule.

    Default Policy Changes

    • Added the Kernel startup modules changed rule.

    • Updated policy for the following rules:

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Detect release_agent File Container Escapes

      • Register Domain

      • Disable Security Hub

    0.110.0

    April 11, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Launch Package Management Process in Container

      • Read sensitive file untrusted

      • Write below etc

      • Netcat Remote Code Execution in Container

      • Container Run as Root User

      • Set Setuid or Setgid bit

      • Mount Launched in Privileged Container

      • Launch Root User Container

      • Non sudo setuid

    • Added tags for the following rules:

      • Detect release_agent File Container Escapes

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

      • Launch Excessively Capable Container

    • Updated IoCs Ruleset with new findings.

    • Moved malicious_download_tools in Suspicious Network tools rules

    • Improved list network_tool_binaries rule.

    • Fixed Set Setuid or Setgid bit tag.

    Default Policy Changes

    Updated policy for the following rules:

    • Security Hub Disassociate From Master Account

    • Security Hub Delete Members

    • Security Hub Disassociate Members

    0.109.0

    April 07, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Set Setuid or Setgid bit

      • Suspicious Cron Modification

      • Disallowed K8s User

      • The docker client is executed in a container

      • Launch Package Management Process in Container

      • Clear Log Activities

      • Launch Package Management Process in Container

      • Write below etc

      • Read sensitive file untrusted

      • PTRACE attached to process

      • Launch Excessively Capable Container

      • eBPF Program Loaded into Kernel

      • Read sensitive file untrusted

      • Non sudo setuid

      • Write below root

      • Read sensitive file untrusted

      • Write below rpm database

      • Launch Sensitive Mount Container

      • Launch Root User in Container

    • Added the following rules:

      • Detect release_agent File Container Escapes

      • Java Process Class File Download

      • Launch Excessively Capable Container

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

    • Updated IoCs Ruleset with new findings.

    • Added Falco rules versioning support.

    • Added an exception for the Outbound Connection to C2 Servers rule.

    Default Policy Changes

    • Added the following rules:

      • Detect release_agent File Container Escapes

      • Java Process Class File Download

      • Launch Excessively Capable Container

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process

    • Updated policy for the following rules:

      • Guard Duty Disassociate Members

      • Guard Duty Disassociate from Master Account

      • Guard Duty Delete Members

    • Added Falco rules versioning support.

    • Removed the following rules from policies:

      • Launch Disallowed Container

      • Interpreted procs inbound network activity

      • Interpreted procs outbound network activity

    0.108.0

    March 13, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • Clear Log Activities

      • Launch Package Management Process in Container

      • Container Run as Root User

      • Launch Remote File Copy Tools in Container

      • Launch Root User Container

    • Improved condition for the following rules:

      • Launch Ingress Remote File Copy Tools in Container

      • Modify Timestamp attribute in File

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Updated policy for the following rules:

    • OpenSSL File Read or Write

    • CloudTrail Logging Disabled

    • Disable GuardDuty

    0.106.0

    March 07, 2023

    Rule Changes

    • Added the following rules:

      • Create Bucket

      • Delete Bucket

    • Improved the output for the following rules:

      • Read Shell Configuration File

      • Set Setuid or Setgid bit

      • Launch Root User Container

    • Updated the MITRE, GCP MITRE, and AWS MITRE tags.

    • Improved condition for the Tampering with Security Software in Container rule.

    • Reduced false positives for the following rules:

      • The docker client is executed in a container

      • Launch Privileged Container

      • Write below root

      • Schedule Cron Jobs

      • Suspicious Cron Modification

      • Launch Remote File Copy Tools in Container

      • Launch Suspicious Network Tool on Host

      • System procs activity

      • Modify Shell Configuration File

      • Write below etc

      • Launch Sensitive Mount Container

      • Mount Launched in Privileged Container

      • PTRACE attached to process

    • Updated Kubernetes image registry domains.

    • Improved the falco_privileged_imageslist.

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Create Bucket

      • Delete Bucket

    • Updated the policy for the following rules:

      • Deactivate MFA for Root User

      • CloudTrail Trail Deleted

    0.105.0

    February 28, 2023

    Rule Changes

    • Added the following rules:

      • Create Hardlink Over Sensitive Files

      • Azure Storage Account Created

      • Azure Storage Account Deleted

      • GCP Create Project

      • GCP Create Compute VM Instance

      • GCP Enable API

    • Reduced false positives for the following rules:

      • Suspicious Operations with Firewalls

      • Linux Kernel Module Injection Detected

      • PTRACE attached to process

      • Read sensitive file untrusted

    • Improved condition for the following rules:

      • Execution of binary using ld-linux

      • Mount Launched in Privileged Container

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules:

    • Create Hardlink Over Sensitive Files

    • Azure Storage Account Created

    • Azure Storage Account Deleted

    • GCP Create Project

    • GCP Create Compute VM Instance

    • GCP Enable API

    0.104.1

    February 24, 2023

    Rule Changes

    • Improved output for the Modify Timestamp attribute in File rule.
    • Reduced false positives for the following rules:

      • Linux Kernel Module Injection Detected

      • Launch Privileged Container

      • Reconnaissance attempt to find SUID binaries

    • Updated IoCs Ruleset with new findings.

    0.103.1

    February 23, 2023

    Rule Changes

    • Added the following rules:

      • Modify Timestamp attribute in File

      • Launch Code Compiler Tool in Container

      • Put Bucket ACL for AllUsers

    • Reduced false positives for the following rules:

      • Launch Package Management Process in Container

      • PTRACE anti-debug attempt

    • Improved condition for the following rule: Put Bucket Lifecycle

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rules:

      • Modify Timestamp attribute in File

      • Launch Code Compiler Tool in Container

      • Put Bucket ACL for AllUsers

    • Updated policy for the following rules:

      • Launch Code Compiler Tool in Container

      • Connection to IPFS Network Detected

      • Detect outbound connections to Proxy/VPN

    0.103.0

    February 14, 2023

    Rule Changes

    • Added the following rules:

      • User Management Event Detected

      • Users Group Management Event Detected

      • OpenSSL File Read or Write

    • Reduced false positives for the following rules:

      • Modify ld.so preload

      • Clear Log Activities

      • Read sensitive file untrusted

      • Read Shell Configuration File

    • Improved condition for the following rules:

      • Delete Bash History

      • Delete or rename shell history

      • Detect malicious cmdlines

    • Improved the sensitive_kernel_parameter_fileslist.

    • Updated IoCs Ruleset with new findings.

    • Added an exception for the OpenSSL File Read or Write rule.

    Default Policy Changes

    • Added the following rules:

      • User Management Event Detected

      • Users Group Management Event Detected

      • OpenSSL File Read or Write

    • Update policies for SuspiciousOpenSSL Shared Object Loaded rule.

    0.102.1

    February 08, 2023

    Rule Changes

    • Added the following list: Add list security_processes

    • Improved the following list: network_tool_binaries

    • Reduced false positives for the following rules:

      • Contact EC2 Instance Metadata Service From Container

      • Run shell untrusted

      • System procs network activity

      • Set Setuid or Setgid bit

      • eBPF Program Loaded into Kernel

    • Improved the condition for the following rule: Detect reconnaissance scripts

    • Updated IoCs Ruleset with new findings.

    0.101.1

    January 26, 2023

    Rule Changes

    • Added the following rules:

      • K8s CronJob Deleted

      • K8s CronJob Created/Modified

      • Read Environment Variable from /proc files in Container

      • Suspicious OpenSSL Shared Object Loaded

    • Reduced false positives for the following rules:

      • Run shell untrusted

      • Find AWS Credentials

      • PTRACE attached to process

      • Clear Log Activities

      • Non sudo setuid

      • Redirect STDOUT/STDIN to Network Connection in Host

    • Improved condition for the following rule: GPG Key Reconnaissance

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules:

    • K8s CronJob Deleted

    • K8s CronJob Created/Modified

    • Read Environment Variable from /proc files in Container

    • Suspicious OpenSSL Shared Object Loaded

    0.100.2

    January 20, 2023

    Rule Changes

    • Added the following rules:

      • Modify Security Group Rule Allowing Ingress Open to the World

      • Connection to IPFS Network Detected

    • Improved condition for the following rules:

      • Create Security Group Rule Allowing Ingress Open to the World

      • Create a Network ACL Entry Allowing Ingress Open to the World

      • Detect reconnaissance scripts

      • Lastlog Files Cleared

      • Launch Remote File Copy Tools in Container

      • Put Bucket Lifecycle

      • Delete or rename shell history

    • Added exception for the following rules:

      • Put Bucket Lifecycle

      • Update Assume Role Policy

    • Updated IoCs Ruleset with new findings.

    • Reduced false positives for the following rule Find AWS Credentials rule.

    • Default Policy Changes

      Added the following rules:

      • Modify Security Group Rule Allowing Ingress Open to the World

      • Connection to IPFS Network Detected

    0.99.0

    January 09, 2023

    Rule Changes

    • Reduced false positives for the Container Run as Root User rule.

    • Improved condition for the Suspicious Operations with Firewalls rule.

    • Added the following rules:

      • K8s Networkpolicy Deleted

      • Modify Security Group

      • K8s Networkpolicy Created/modified

      • AWS SSM Send Command

    • Added tags to the K8s Networkpolicy Deleted rule.

    • Added exceptions for the following:

      • Delete Organization Config Rule

      • Delete Cluster

      • Elasticsearch Domain Creation without Encryption at Rest

      • ECR Image Pushed

      • Put Remediation Configurations

      • Delete Configuration Aggregator

      • Put Organization Config Rule

      • Put Organization Conformance Pack

      • Stop Configuration Recorder

      • Delete Organization Conformance Pack

      • ECS Service Created

      • ECS Service Deleted

      • Terminal Shell in ECS Container

      • ECS Task Run or Started

      • ECS Service Task Definition Updated

      • ECS Task Stopped

      • Create HTTP Target Group without SSL

      • Elasticsearch Domain Creation without VPC

      • Run Instances

      • CloudTrail Trail Created

      • Create Security Group Rule Allowing SSH Ingress

      • Guard Duty Disassociate from Master Account

      • Guard Duty Delete Members

      • Disable GuardDuty

      • Delete Detector

      • Create Access Key for Root User

      • Guard Duty Disassociate Members

      • Stop Monitoring Members

      • Password Recovery Requested

      • Deactivate Hardware MFA for Root User

      • Add AWS User to Group

      • Attach Administrator Policy

      • Attach IAM Policy to User

      • Deactivate MFA for Root User

      • Create Group

      • Create IAM Policy that Allows All

      • Create Access Key for User

      • Deactivate Virtual MFA for Root User

      • Delete Virtual MFA for Root User

      • Create AWS user (SSO)

      • Create AWS user

      • Delete AWS user (SSO)

      • Deactivate MFA for User Access

      • Delete Group

      • Put IAM Inline Policy to User

      • Delete AWS user

      • Remove AWS User from Group

      • Update Account Password Policy Not Expiring

      • Update Account Password Policy Expiring in More Than 90 Days

      • Update Account Password Policy Not Preventing Reuse of Last 24 Passwords

      • Update Account Password Policy Not Preventing Reuse of Last 4 Passwords

      • Update Account Password Policy Not Requiring 14 Characters

      • Update Account Password Policy Not Requiring 7 Characters

      • Update Account Password Policy Not Requiring Lowercase

      • Update Account Password Policy Not Requiring Number

      • Update Account Password Policy Not Requiring Symbol

      • Update Account Password Policy Not Requiring Uppercase

      • Replace Route

      • Modify Image Attribute

      • Modify Snapshot Attribute

      • Revoke Security Group Egress

      • Revoke Security Group Igress

      • Run Instances in Non-approved Region

      • Create Internet-facing AWS Public Facing Load Balancer

      • Delete Listener

      • Modify Listener

      • Disable EBS Encryption by Default

      • Contact EC2 Instance Metadata Service From Container

      • EC2 Serial Console Access Enabled

      • Make EBS Snapshot Public

      • Get Password Data

    • Default Policy Changes

    • Added the following rules:

      • K8s Networkpolicy Deleted

      • Modify Security Group

      • K8s Networkpolicy Created/modified

      • AWS SSM Send Command

    0.98.2

    January 04, 2023

    Rule Changes

    • Reduced false positives for the following rules:

      • aws_latest_runtimes

      • Read sensitive file untrusted

      • Read Shell Configuration File

    • Updated IoCs Ruleset with new findings.

    • Added exception for the DB program spawned process rule.

    • Improved output for the Suspicious System Service Modification rule.

    0.98.0

    December 04, 2022

    Rule Changes

    • Reduced false positives for the following rules:

      • eBPF Program Loaded into Kernel

      • Non sudo setuid

      • Read SSH information

      • Read Shell Configuration File

      • Write below etc

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Domain Contacted

    • Updated IoCs Ruleset with new findings.

    • Improved detection for the Non sudo setuid rule.

    • Added the following rule: Detect cloned process by PRoot

    • Default Policy Changes

      Added the Detect cloned process by PRoot rule.

    0.96.0

    December 01, 2022

    Rule Changes

    Disabled the Create Hidden Files or Directories rule.

    0.94.2

    November 29, 2022

    Rule Changes

    • Improved output for the Suspicious Cron Modification rule.

    • Reduced false positive for the Read SSH information rule.

    • Updated IoCs Ruleset with new findings.

    • Enabled the Create Hidden Files or Directoriesrule.

    • Added the Create/modify EKS serviceaccount boundrule to the AWS Identity and Access Management (IAM) role.

    • Added the Suspicious Domain Contactedrule.

    Default Policy Changes

    • Added the Suspicious Domain Contactedrule.

    • Added the Create/modify EKS serviceaccount boundrule to the AWS IAM role.

    0.94.0

    November 22, 2022

    Rule Changes

    • Reduced false positives for the following rules:

      • Privileged Shell Spawned Inside Container

      • Clear Log Activities

      • Read ssh information

      • Search Private Keys or Passwords

      • Launch Suspicious Network Tool in Container

      • Container Run as Root User

      • Change Thread Namespace

      • Read Shell Configuration File

    • Improved tags for the eBPF Program Loaded into Kernelrule.

    • Updated IoCs Ruleset with new findings.

    • Improved detection for the Non sudo setuid rule.

    • Added the following rules:

      • Mutated Pod Detected

      • Configmap aws-auth changed

    • Default Policy Changes

      • Added the following rules:

        • Mutated Pod Detected

        • Configmap aws-auth changed

    0.93.0

    November 10, 2022

    Rule Changes

    • Reduced false positives for the following rules:

      • Suspicious Kernel Parameter Modification

      • The docker client is executed in a container

      • Mount Launched in Privileged Container

      • Reconnaissance attempt to find SUID binaries

      • PTRACE attached to process

      • Linux Kernel Module Injection Detected

    • Updated IoCs Ruleset with new findings.

    • Improved detection for the Non sudo setuid rule.

    • Added the following rules:

      • Redirect STDOUT/STDIN to Network Connection in Host

      • Lastlog files cleared

    • Default Policy Changes

      • Added the following rules:

        • Redirect STDOUT/STDIN to Network Connection in Host

        • Lastlog files cleared

      • Move the Unexpected Connection from legitimate Process/Port rule to Default Policy

    0.92.0

    October 19, 2022

    Rule Changes

    • Renamed lists, macros, and rules for Falco Cloud.

    • Added the Unexpected Connection from legitimate Process/Port rule.

    • Updated IoCs Ruleset with new findings.

    • Edited the output for the  Reconnaissance attempt to find SUID binaries rule.

    Default Policy Changes

    • Renamed lists, macros, and rules for Falco Cloud.

    • Added the Unexpected Connection from legitimate Process/Port rule.

    0.91.0

    October 14, 2022

    Rule Changes

    • Updated the sensitive_kernel_parameter_files list to detect changes on the ptrace_scope file.

    • Added the Diamorphine Rootkit Activity rule.

    • Updated IoCs Ruleset with new findings.

    • Reduced false positives in the Dump memory for credentials rule.

    Default Policy Changes

    • Added the Diamorphine Rootkit Activity rule.

    • Reduced false positives in the Dump memory for credentials rule.

    0.90.0

    October 07, 2022

    Rule Changes

    • Tuning the Dump memory for credentials on rule.

    • Added the following rules:

      • kill malicious process
      • detect dump memory for credentials
    • Updated IoCs Ruleset with new findings.

    • Updated Cloud Mitre tags.

    • Reduced false positives in Falco Rules.

    • Added new ruless:

      • Dump memory for credentials
      • Kill known malicious process
    • Use glob in the user_ssh_directory macro and remove openat2 from conditions.

    • Added an exception to the AWS Command Executed by Untrusted User rule.

    • Changed exception in the Change Resource Record Sets rule.

    • Changed the allowed_k8s_users list.

    Default Policy Changes

    • Tuned the Dump memory for credentials rule.

    • Added new rules:

      • Dump memory for credentials
      • Kill known malicious process

    0.89.0

    September 27, 2022

    Rule Changes

    • Increased IoCs and added additional exceptions.

    • Disabled Simple Storage Service (S3) versioning.

    Default Policy Changes

    Disabled S3 versioning

    0.88.0

    September 23, 2022

    Rule Changes

    • Increased IoCs and added additional exceptions.

    • Added exclusions to reduce false positives.

    • Adding additional parameters to sensitive_kernel_parameter_files list.

    0.87.0

    September 09, 2022

    Rule Changes

    • Added exception to reduce false positives in the sysdig_commercial_imagesmacro.

    • Updated IoCs Ruleset with new findings.

    0.86.0

    September 08, 2022

    Rule Changes

    • Added additional exceptions to aid in addressing false positives: Suspicious Kernel Parameter Modification.

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Removed the following rules from default policies:Scripting Language Execution below dev.

    0.85.0

    August 24, 2022

    Rule Changes

    • New rules:Share RDS Snapshot with Foreign Account

    • Rule tuning for the following:

      • PTRACE anti-debug attempt

      • Suspicious Cron Modification

      • Suspicious Java Child Processes

      • Create Symlink Over Sensitive Files

      • Netcat Remote Code Execution in Container

      • eBPF Program Loaded into Kernel

    • Updated IoCs Ruleset with new findings.

    0.83.0

    August 19, 2022

    Rule Changes

    • Fixed the output for two PTRACE rules.

    • Added additional conditions to improve detections for Delete/rename Bash History.

    • Enable the do_unexpected_udp_checkmacro.

    • Added the new rule: GCP Firewall Remote Access from Internet. It detects remote access ports allowed through the firewall from the public internet (0.0.0.0/0).

    Auto-Tuner Exception Updates

    • Added additional exceptions for Privileged Shell Inside Container.

    • Added Azure core image to the exception, Suspicious Cron Modification.

    0.82.0

    Aug 11, 2022

    Rule Changes

    • Added Azure rule: Azure RDP Access Is Allowed from The Internet

    • Updated auto-tuner exceptions to reduce excessive noise:

      • Change Resource Record Sets (AWS)

      • Create Hidden Files or Directories

      • Describe Instances (AWS)

      • GCP Delete Compute VM Instance

      • GCP Operation by a Non-corporate Account

      • List Buckets (AWS)

      • Non sudo setuid

      • Root User Executing AWS Command

      • Run shell untrusted

      • The docker client is executed in a container

      • User mgmt binaries

    • Updated IoCs Ruleset with new findings.

    • Default Policy Changes

      Added new rules: Azure RDP Access Is Allowed from The Internet

    0.81.2

    Aug 05, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Linux Kernel Module Injection Detected

      • eBPF Program Loaded into Kernel

      • Privileged Shell Spawned Inside Container

    • Added the following new rules:

      • GPG Key Reconnaissance

      • Create Access Key for User

    • Extended the condition of the following rules:

      • Base64-encoded Python Script Execution

      • nsenter Container Escape

    • Updated IoCs Ruleset with new findings.

    • Default Policy Changes

      Added new rules to default policies.

      • nsenter Container Escape

      • GPG Key Reconnaissance

      • Create Access Key for User

    0.80.1

    July 26, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • eBPF Program Loaded into Kernel

    • Added the following new rules:

      • PTRACE anti-debug attempt

      • PTRACE attached to process

      • Detect reconnaissance scripts

      • Detect malicious cmdlines

      • GCP Create DNS Record

      • GCP Create DNS Zone

      • GCP Delete DNS Record

      • GCP Update DNS Record

      • GCP Update DNS Zone

      • GCP Cloud Armor Blocked Connection

      • GCP Cloud IDS Alert

      • Delete AWS user (SSO)

    • Updated the following rule: Reconnaissance attempt to find SUID binaries

    • Updated the following lists: falco_privileged_images

    • Updated IoCs Ruleset with new findings.

    • Default Policy Changes

      Added new rules to default policies.

    0.79.2

    July 15, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Non sudo setuid

      • Set Setuid or Setgid bit

      • eBPF Program Loaded into Kernel

    • Added the following new rules:

      • Detect curl Using Socks Proxy

      • Create AWS user (SSO)

      • GCP Delete VPN

      • GCP App Engine Firewall Rule Created

      • GCP Compute Firewall Rule Created

      • GCP Create VPN

      • GCP Sensitive Role Added to User

    • Added additional exceptions to:

      • Read sensitive file untrusted

      • Run shell untrusted

      • Non sudo setuid

      • Clear Log Activities

      • Execution of binary using ld-linux

      • eBPF Program Loaded into Kernel

      • Terminal shell in container

      • The docker client is executed in a container

    • Added the Detect curl Using Socks Proxy rule to IoCs Malware Activity and Sysdig Runtime Threat Detection policies

    • Added Create AWS user (SSO) to the Sysdig AWS Activity Logs policy.

    • Added GCP Delete VPN and GCP Sensitive Role Added to the User rules to Sysdig GCP Notable Events policy.

    • Added the GCP App Engine Firewall Rule Created, GCP Compute Firewall Rule Created, and GCP Create VPN rules to the Sysdig GCP Activity Logs policy.

    • Split AWS rules into individual files and moved lists out of individual files and into its own file at the top of the output aws_cloudtrail.yaml.

    • Fixed tag in the Delete Cluster rule.

    • Updated IoCs Ruleset with new findings.

    0.78.0

    July 08, 2022

    Rule Changes

    • Restored the following missing rule: nsenter Container Escape

    • Cleaned up the following duplicate macro: falco_sensitive_mount_containers

    • Adjusted the following eBPF rule: eBPF Program Loaded into Kernel

    • Updated IoCs Ruleset with new findings.

    • Updated all the Cloudtrail rules to add ARNs to output.

    Default Policy Changes

    Modified to work with both old default_policies and managed default_policies.

    0.77.0

    July 01, 2022

    Rule Changes

    Added Miner IP Pool Threat Intelligence: Detect outbound connections to common miner pool ports

    0.76.1

    June 30, 2022

    Rule Changes

    • Added additional exceptions : Linux Kernel Module Injection Detected

    • Created the following new rules:

      • GCP App Engine Firewall Rule Deleted

      • GCP App Engine Firewall Rule Updated

      • GCP Create Cloud Function v2 Not Using Latest Runtime

      • GCP Create Cloud Function v2

      • GCP Compute Firewall Rule Deleted

      • GCP Compute Firewall Rule Updated

      • GCP Delete Compute VM Instance

      • GCP Update Cloud Function v2

      • Malicious Environment Variable in Spawned Process

      • nsenter Container Escape

    • Updated the following GCP rules:

      • GCP Create Cloud Function Not Using Latest Runtime

      • GCP Create Cloud Function

      • GCP Create DLP Job

      • GCP Delete DLP Job

      • GCP Paused DLP Job

      • GCP Suspicious IP Inbound Request

      • GCP Update Cloud Function

      • GCP Updated DLP Job

    • Added CIS tag to the rules related to Center for Internet Security (CIS) Docker Security Benchmark controls:

      • Container Run as Root User

      • Disallowed SSH Connection

      • Launch Privileged Container

      • Launch Root User Container

      • Launch Sensitive Mount Container

      • Mount Launched in Privileged Container

      • Privileged Shell Spawned Inside Container

      • Reconnaissance attempt to find SUID binaries

      • The docker client is executed in a container

      • Write below root

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the following rules to the default policy:

    • GCP App Engine Firewall Rule Deleted

    • GCP Compute Firewall Rule Deleted

    • Malicious Environment Variable in Spawned Process

    • nsenter Container Escape

    0.76.0

    June 24, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Create Symlink Over Sensitive Files

      • Execution of binary using ld-linux

      • Run shell untrusted

    • Modified the following macros:

      • truncate_shell_history

      • modify_shell_history

    • Extended the condition of the rule, Detect crypto miners using the Stratum protocol, to improve detection capabilites.

    • New rules created:

      • Launch malicious container image

      • GCP Suspicious IP Inbound Request

      • GCP Allow Public Access to Bucket

      • GCP KMS Schedule Key Deletion

      • GCP Create DLP Job

      • GCP Delete DLP Job

      • GCP Update DLP Job

      • GCP Paused DLP Job

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following rule to the default policy, IoCs Malware Activity: Launch malicious container image

    • Added the following rules to the default policy, Sysdig GCP Best Practices:

      • GCP Suspicious IP Inbound Request

      • GCP Allow Public Access to Bucket

      • GCP KMS Schedule Key Deletion

      • GCP Delete DLP Job

      • GCP Paused DLP Job

    0.75.0

    June 17, 2022

    Rule Changes

    • Added the following new rules:

      • AWS Suspicious IP Inbound Request

      • eBPF Program Loaded into Kernel

    • Modified the following rules:

      • Symlink over Sensitive Files

      • Container Drift rules (with new exceptions)

    • Updated the macro: sysdig_commercial_images. It now contains two new Kubernetes Security Posture Management (KSPM) images.

    • Added the new macro ti_anon_ips  for Tor source IP addresses.

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the new rule,  AWS Suspicious IP Inbound Request to the Sysdig AWS Best Practices policy.

    • Added the new rule, eBPF Program Loaded into Kernel  to the Suspicious Container Activity policy.

    0.74.3

    June 03, 2022

    Rule Changes

    • Added a new rule: Suspicious Java Child Processes

    • Updated the package_mgmt_procs macro to detect package management processes with Python.

    • Updated some exceptions in the rule,Change thread namespace

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    Added the new rule, Suspicious Java Child Processes,to the IoCs Malware Activity

    0.72.0

    May 26, 2022

    Rule Changes

    • Added the following new rules:

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Home Directory Creation

    • Modified exceptions to reduce noise:

      • Change thread namespace

      • Contact cloud metadata service from container

      • DB program spawned process

      • K8s ConfigMap Created

      • K8s ConfigMap Deleted

      • K8s Serviceaccount Created

      • Netcat Remote Code Execution in Container

      • Privileged Shell Spawned Inside Container

      • Set Setuid or Setgid bit

      • System ClusterRole Modified/Deleted

      • Write below monitored dir

      • Write below root

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following new policies:

      • Reconnaissance attempt to find SUID binaries

      • Suspicious Home Directory Creation

    0.70.3

    May 20, 2022

    Rule Changes

    • Added additional exceptions to the following rules to aid in addressing false positives:

      • Set Setuid or Setgid bit

      • Execution from /tmp

    • Fixed the condition of the following rules:

      • Execution from /tmp

      • Execution from /dev/shm

    • Updated IoCs Ruleset with new findings.

    0.69.0

    May 13, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Run shell untrusted

      • Launch Privileged Container

      • Container Run as Root User

      • Write below root

      • Write below rpm database

      • DB program spawned process

      • Privileged Shell Spawned Inside Container

      • Launch Suspicious Network Tool in Container

      • Remove Bulk Data from Disk

      • Set Setuid or Setgid bit

      • Packet socket created in container

      • Execution from /tmp

    • Created the new rule, Possible Backdoor using BPF. This rule triggers if a process was seen attaching a Berkeley Packet Filter (BPF) filter on a network socket. This could indicate packet sniffing for use in a backdoor such as BPFDoor. Network diagnostic tools may also trigger this rule.

    • Created the new rule, Execution of binary using ld-linux. This method can be used to execute programs that do not have the exec bit set and may possibly evade detection measures.

    • Fixed the condition of the following rules:

      • Write below binary dir

      • Set Setuid or Setgid bit

    • Updated IoCs Ruleset with new findings

    Default Policy Changes

      • Added the  Possible Backdoor using BPF rule to the Notable Network Activity policy.

      • Added the new rule,  Execution of binary using ld-linux to the IoCs Malware Activity policy.

    0.68.1

    May 6, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives:

      • Modify binary dirs

      • Redirect STDOUT/STDIN to Network Connection in Container

      • Container Run as Root User

      • Execution from /tmp

    • Created the new rule Tampering with Security Software in Container. This rule detects common techniques by threat actors to disable runtime security software.

    • Created the new rule Detect outbound connections to TOR Entry Nodes. This rule detects when clients reach the Tor network through its entry nodes. Note that this is an experimental rule and only contains a subset of Tor entry nodes. It will be improved upon in the future.

    • Fixed the condition of the following rule: Execution from /tmp

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Moved the Redirect STDOUT/STDIN to Network Connection in Container rule to the Notable Container Activity default policy.

    • Added the Tampering with Security Software in Container rule to the Suspicious Container Activity default policy.

    • Added the Detect outbound connections to TOR Entry Nodes rule to the IoCs Malware Activity default policy.

    0.67.1

    April 28, 2022

    Rule Changes

    • Added a new rule file, threat_intelligence_feed.yaml , with lists and macros directly updated by theSysdig Threat Research Team.

    • Updated the following list: sysdig_commercial_images

    • Updated IoCs Ruleset with new findings.

    • Updated Falco rules conditions:

      • Execution from /tmp

      • Execution from /dev/shm

      • Network Connection outside Local Subnet

    • Added additional exceptions to aid in addressing false positives:

      • Execution from /tmp

      • Create Symlink Over Sensitive Files

      • Change thread namespace

      • DB program spawned process  

      • Suspicious Cron Modification

    0.66.1

    April 21, 2022

    Rule Changes

    • Added a new AWS Cloudtrail rule: Create RDS DB Instance with Public Access

    • Added the following Falco rules:

      • Base64-encoded Shell Script Execution
      • Execution from /dev/shm
    • Added additional exceptions to aid in addressing false positives:

      • Service Account Created in Kube Namespace
      • K8s Serviceaccount Created
    • Modified to add a list of malicious IPs: Outbound Connection to C2 Servers

    • Updated IoCs Ruleset with new findings

    Default Policy Changes

    • Added the following:

      • Base64-encoded Shell Script Execution
      • Execution from /dev/shm
    • Moved to enabled policy: Outbound Connection to C2 Servers

    0. 65.1

    April 18, 2022

    Rule Changes

    Added additional exceptions to the following rules to aid in addressing false positives:

    • Change thread namespace

    • Create Symlink Over Sensitive Files

    • Container Run as Root User

    • DB program spawned process

    • Privileged Shell Spawned Inside Container

    • Run shell untrusted

    • Set Setuid or Setgid bit

    • Write below etc

    0.65.0

    April 17, 2022

    Rule Changes

    Added additional exceptions to the following rules to aid in addressing false positives: Privileged Shell Spawned Inside Container

    0.64.1

    April 15, 2022

    Rule Changes

    • Added additional exceptions to the following rules to aid in addressing false positives:

      • Packet socket created in container

      • Change thread namespace

      • Run shell untrusted

      • Container Run as Root User

    • Created the new rule Base64-encoded Python Script Execution. This rule detects base64-encoded Python scripts on command line arguments. Base64 can be used to encode binary data for transfer to ASCII-only command lines. Attackers can leverage this technique in various exploits to load shellcode and evade detection.

    • Fixed the output of the following rules:

      • K8s Serviceaccount Created

      • K8s Serviceaccount Deleted

    • Updated IoCs Ruleset with new findings

    Rule Changes

    • Added the Base64-encoded Python Script Execution  rule to the IoCs Malware Activity default policy

    • Added the Launch Ingress Remote File Copy Tools in Container rule to the Notable Container Activity default policy

    • Created the new default policy,  Known Exploit Detection. This policy embeds the rules that can identify potential exploits of well-known CVEs.

    0.64.0

    April 12, 2022

    Rule Changes

    • Added additional exceptions to the following rules to aid in addressing false positives:

      • Schedule Cron Jobs

      • Set Setuid or Setgid bit

      • Create Symlink Over Sensitive Files

    • Disabled the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule removing its condition.

    0.63.0

    April 09, 2022

    Rule Changes

    • Updated the following rules:

      • Simple output changes to the Detect outbound connections to common miner pool ports rule.

      • Updated priority and included additional cron paths for the Create Symlink Over Sensitive Files rule.

      • Updated IoCs Ruleset with new findings

    • The following new rules have been introduced.

      • Privileged Shell Spawned Inside Container. This rule detects a root shell being opened by a compromised process for interaction by the attack.

      • Debugfs Launched in Privileged Container. This rule detects file system debugger, debugfs, launched inside a privileged container which might lead to container escape.

      • Mount Launched in Privileged Container. This rule detects file system mount occurrence inside a privileged container which might lead to container escape.

      • Unprivileged Delegation of Page Faults Handling to a Userspace Process. This rule detects a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs

      • Launch Ingress Remote File Copy Tools in Container. This rule detects ingress remote file copy tools launched in a container. For example, curl and wget.

      • Suspicious Cron Modification. This rule detects direct writes to cron job files.

    Default Policy Changes

    • Policy: Notable Filesystem Changes

      • added the Suspicious Cron Modification rule.

      Policy: Suspicious Container Activity

      • Added the Debugfs Launched in Privileged Container rule.

      • Added the Unprivileged Delegation of Page Faults Handling to a Userspace Process rule.

      Policy: Suspicious Lateral Movement Activity to Cloud

      • Added the Mount Launched in Privileged Container rule.

      Policy: Unexpected Spawned Processes

      • Added the Privileged Shell Spawned Inside Container rule.

    0.62.1

    April 06, 2022

    Rule Changes

    Reduced noise for the rulesWrite below monitored dir and write below etc by adding additional exceptions.

    0.62.0

    March 25, 2022

    Rule Changes

    • Added the following new rules:

      • Base64'd ELF file on Command Line

      • Execution from /tmp

    • Updated auto-tuner exceptions for the following:

      • Launch Sensitive Mount Container

      • Service Account Created in Kube Namespace

    • Updated IoCs Ruleset with new findings.

    Default Policy Changes

    • Added the following new rules:

      • Base64'd ELF file on Command Line

      • Execution from /tmp

    0.60.0

    March 18, 2022

    Rule Changes

    • Updated the Launch Root User Container condition rule.

    • Updated the following lists to address false positive:

      • miner_domains

      • allowed_k8s_users

    • Updated some exceptions in the  Schedule Cron Jobs rule.

    • Created the sssd_writing_krb  macro from the new release of OSS Falco.

    • Updated IoCs Ruleset with new findings.

    • Updated the following macros based on the changes in Falco OS:

      • modify_shell_history

      • truncate_shell_history

      • write_etc_common

    Default Policy Changes

    • Updated the IoCs Malware Activity policy.

      • Malicious filenames writtenadded.

      • Malicious process detected removed.

    • Removed some rules from Notable Filesystem Changes policy:

      • Write below etc

      • Write below root

      • Write below rpm database

      • Write below binary dir

    • Removed one rule from the Notable Container Activity policy: Change thread namespace

    0.59.2

    March 10, 2022

    Rule Changes

    • Excluded ptp and dp from the Change thread namespacerule.

    • Excluded self from the K8s Serviceaccount Created rule.

    • Excluded known cron writers from the Schedule Cron Jobs rule.

    • Updated the IoCs Ruleset with new findings.

    0.58.1

    March 06, 2022

    Rule Changes

    • Added additional exceptions to aid in addressing false positive for rules:

      • Schedule Cron Jobs

      • Non sudo setuid

      • Launch Privileged Container

      • K8s Serviceaccount Created

    • Updated the following macros baed on the changes in Falco OS:aws_eks_core_images

    • Updated IoCs Ruleset with new findings.

    0.57.2

    March 03, 2022

    Rule Changes

    Fixed exception to aid in addressing false positives for rules: Contact K8S API Server From Container

    0.56.5

    March 01, 2022

    Rule Changes

    • Update rule: DB program spawned process

    • Create macro:pgbackrest_info_childs

    0.56.4

    February 18, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positive for rules:

      • Modify Shell Configuration File

      • Modify Shell Configuration File

      • Write below etc

      • Write below rpm database

      • DB program spawned process

      • Clear Log Activities

      • Launch Root User Container

    • Updated the following macros based on the changes in Falco OS:

      • containerd_shell_modify

      • tanium_client_running_python

      • postgres_running_pgbackrest

      • proc_file_suffix

      • known_redirect_procs

    • Updated the following lists to address false positives:

      • known_setuid_binaries

      • known_k8s_api_programs

      • gke_trusted_images_launch_root_list

    • Updated IoCs Ruleset with new findings.

    0.55.2

    February 10, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positive for rules:

      • Change thread namespace

      • Write below rpm database

      • Write below root

      • Clear Log Activities

      • Launch Root User Container

    • Updated the following macros based on the changes in Falco OS:

      • parent_python_running_sdchecks

      • python_running_sdchecks

      • exe_sysdig

      • tanium_client_running_python

      • sysdig_dragent

      • trusted_logging_images

    • Updated the following lists based on the changes in Falco OS:

      • sysdig_commercial_images

      • allowed_dev_files

      • user_known_chmod_applications

      • miner_domains

    • Updated IoCs Ruleset with new findings.

    0.54.3

    February 07, 2022

    Rule Changes

      Added additional exceptions to older agent versions to aid in addressing false positive for rules: Launch Root User Container

    0.53.4

    February 04, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positive for rules:

      • Modify Shell Configuration File

      • Write below etc

      • Write below root

      • Read sensitive file trusted after startup

      • Change thread namespace

      • Launch Suspicious Network Tool in Container

      • Redirect STDOUT/STDIN to Network Connection in Container

    • Updated the following macros based on the changes in Falco OS:

      • spawned_process

      • sensitive_mount

    • Updated the following lists based on the changes in Falco OS:

      • falco_hostnetwork_images

      • deb_binaries

      • known_sa_list

      • falco_sensitive_mount_images

    • Updated the following lists to address false positives:

      • db_server_binaries

      • user_known_chmod_applications

    • Updated IoCs Ruleset with new findings.

    0.53.3

    January 29, 2022

    Rule Changes

    • Added additional exceptions to older agent versions to aid in addressing false positives for rules:Write below etc.

    • Updated IoCs Ruleset with new findings.

    • Added new rules:

      • Modify ld.so.preload

      • Polkit Local Privilege Escalation Vulnerability(CVE-2021-4034)

    0.52.0

    January 21, 2022

    Rule Changes

    Updated IoCs Ruleset with new findings.

    0.51.1

    January 14, 2022

    Rule Changes

    • Created a new AWS Rule: Read Object through AWSSupportServiceRolePolicy Assumed Role.

    • Updated tags for AWS Rule:AWS Command Executed on Unused Region.

    • Updated tags for the following Google Cloud Platform (GCP) Rules:

      • GCP Invitation Sent to Non-corporate Account

      • GCP Create User-managed Service Account Key

      • GCP Create GCP-managed Service Account Key

      • GCP Create Cloud Function Not Using Latest Runtime

      • GCP Set Bucket IAM Policy

      • GCP Create Bucket

    0.50.5

    Topics in This Section
    2021 Archive

    2021 Archive of released Falco Rules.

    2020 Archive

    2020 Archive of released Falco Rules.

    2019 Archive

    2019 Archive of released Falco Rules.