Falco Rules Changelog

Falco rules are used in the Sysdig Secure Policy Editor. On this page, you can read the most recent changes to Falco Rules.

Subscribe to the RSS feed to stay updated with the latest Falco rules.

Columns: Commit Date, Rule Notes, Version of the Falco Rules Installer (On-Prem)

January 28, 2026

Rule Changes

  • Reduced FPs for Dynamic Linker Hijacking Using ld.so Files rule.

  • Reduced FPs for Clear Log Activities rule.

  • Reduced FPs for Reconnaissance attempt to find SUID binaries rule.

  • Reduced FPs for Reconnaissance attempt to find SETGID binaries rule.

0.234.1

January 27, 2026

New Rules

  • Added rule CodeCommit Create Git Credentials.

  • Added rule Change Policy's Default Version.

Rule Changes

  • Reduced FPs for Base64-encoded Python Script Execution rule.

  • Reduced FPs for Drop and Execute /tmp Binary rule.

  • Reduced FPs for Reverse Shell Spawned From Binary Through Pipes rule.

  • Reduced FPs for Modify Grub Configuration Files rule.

  • Reduced FPs for Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket rule.

0.234.0

January 26, 2026

Rule Changes

  • Reduced FPs for Execution from Temporary Filesystem (tmpfs) rule.

  • Reduced FPs for Reverse Shell Spawned From Binary Through Pipes rule.

  • Reduced FPs for Modification of Container Image Cache rule.

  • Reduced FPs for Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket rule.

  • Reduced FPs for Find GCP Credentials rule.

  • Reduced FPs for Drop and Execute /tmp Binary rule.

  • Reduced FPs for Dynamic Linker Hijacking Using ld.so Files rule.

0.233.3

January 23, 2026

Rule Changes

  • Reduced FPs for New Kernel Module Created and Loaded rule.

  • Reduced FPs for Drop and Execute /tmp Binary rule.

  • Reduced FPs for Dynamic Linker Hijacking Using ld.so Files rule.

0.233.2

January 22, 2026

Rule Changes

  • Reduced FPs for Dynamic Linker Hijacking Using ld.so Files rule.

  • Reduced FPs for Suspicious Operations with Firewalls rule.

  • Reduced FPs for Launch Suspicious Network Tool on Host rule.

  • Reduced FPs for Drop and Execute /tmp Binary rule.

  • Reduced FPs for PTRACE Attached to Process rule.

  • Reduced FPs for BPFDoor Backdoor Activity Detected rule.

  • Reduced FPs for Reverse Shell Redirects STDIN/STDOUT To Socket with Pipes rule.

0.233.1

January 20, 2026

Rule Changes

  • Reduced FPs for EC2 Create Launch Template rule.

  • Reduced FPs for Reverse Shell Detected rule.

  • Reduced FPs for Reverse Shell Spawned From Binary Through Pipes rule.

  • Reduced FPs for Launch Ingress Remote File Copy Tools in Container rule.

  • Reduced FPs for DNS Fast Flux Activity Detected rule.

0.233.0

January 16, 2026

Rule Changes

  • Reduced FPs for Modify Grub Configuration Files rule.

  • Reduced FPs for Reverse Shell Redirects STDIN/STDOUT Using UNIX Socket rule.

  • Reduced FPs for Dynamic Linker Hijacking Detected rule.

  • Reduced FPs for Execution from /dev/shm rule.

  • Reduced FPs for BPFDoor Backdoor Activity Detected rule.

  • Reduced FPs for Dump Memory using /proc Filesystem rule.

  • Reduced FPs for Detect reconnaissance scripts rule.

  • Reduced FPs for nsenter Container Escape rule.

0.232.2

January 14, 2026

Rule Changes

  • Reduced FPs for Mount Launched in Privileged Container rule.

  • Reduced FPs for Launch Ingress Remote File Copy Tools in Container rule.

  • Reduced FPs for Detect reconnaissance scripts rule.

  • Reduced FPs for Mount on Container Path Detected rule.

  • Reduced FPs for Linux Kernel Module Injection Detected rule.

  • Reduced FPs for Reverse Shell Spawned From Binary Through Pipes rule.

0.232.1

January 13, 2026

Rule Changes

  • Reduced FPs for nsenter Container Escape rule.

  • Reduced FPs for EC2 Get User Data rule.

  • Reduced FPs for EC2 Create Launch Template rule.

  • Reduced FPs for Read sensitive file untrusted rule.

  • Reduced FPs for Dynamic Linker Hijacking Detected rule.

  • Reduced FPs for Execution from /dev/shm rule.

  • Reduced FPs for Base64-encoded Shell Script Execution rule.

  • Reduced FPs for Reverse Shell Detected rule.

  • Reduced FPs for New Kernel Module Created and Loaded rule.

  • Reduced FPs for Dynamic Linker Hijacking Using ld.so Files rule.

  • Improved output for Allocate New Elastic IP Address to AWS Account rule.

0.232.0

January 09, 2026

Rule Changes

  • Reduced FPs for JVM Attach Attempt using Unix Socket rule.

  • Reduced FPs for DNS Fast Flux Activity Detected rule.

  • Reduced FPs for Reverse Shell Detected rule.

  • Reduced FPs for PTRACE attached to process rule.

  • Reduced FPs for BPFDoor Backdoor Activity Detected rule.

  • Reduced FPs for Network Tool Executed During NPM Install rule.

  • Reduced FPs for DNS Lookup for Proxy/VPN Domain Detected rule.

0.231.7

January 05, 2026

Rule Changes

  • Reduced FPs for Create Symlink Over Sensitive Files rule.

  • Reduced FPs for Possible Remote Command Execution Detected rule.

  • Reduced FPs for BPF Command Executed by Fileless Program rule.

  • Reduced FPs for Modify Grub Configuration Files rule.

0.231.6