December 22, 2023 | Rule Changes Reduced false positives for the following rules: Change memory swap options
Packet socket created in container
eBPF Program Loaded into Kernel
| 0.133.10 |
December 21, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the Detect outbound connections to Proxy/VPN rule. Updated the IoCs Ruleset with new findings.
| 0.133.9 |
December 20, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the Detect outbound connections to TOR Entry Nodes rule. Updated the IoCs Ruleset with new findings.
| 0.133.8 |
December 19, 2023 | Rule Changes Reduced false positives for the following rules: Create Hidden Files or Directories
Suspicious Cron Modification
eBPF Program Loaded into Kernel
Write below etc
Launch Sensitive Mount Container
Launch Root User Container
Improved condition for the following rule: Connection to IPFS Network Detected. Updated the IoCs Ruleset with new findings.
| 0.133.7 |
December 18, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the following rules: Improved output for the Connection to IPFS Network Detected rule. Updated the IoCs Ruleset with new findings.
| 0.133.6 |
December 15, 2023 | Rule Changes Reduced false positives for the following rules: Improved output for the following rules: Detect outbound connections to TOR Entry Nodes
Detect crypto miners using the Stratum protocol
Connection to IPFS Network Detected
Updated the IoCs Ruleset with new findings. Improved coverage for the Inhibit System Recovery technique.
| 0.133.5 |
December 14, 2023 | Rule Changes | 0.133.4 |
December 11, 2023 | Rule Changes | 0.133.1 |
December 04, 2023 | Rule Changes Improved condition for the following rules: Improved output for the following rules: Added the following rules: New GitHub Action Workflow Deployed
Okta Multiple Application Requests with Invalid Credentials
Push on GitHub Actions Detected
Okta MFA Bypass Attempt
Remove macro from the Detect outbound connections to common miner pool ports rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes Added the following rules: New GitHub Action Workflow Deployed
Okta Multiple Application Requests with Invalid Credentials
Push on GitHub Actions Detected
Okta MFA Bypass Attempt
| 0.133.0 |
December 03, 2023 | Rule Changes | 0.132.5 |
November 30, 2023 | Rule Changes | 0.132.4 |
November 30, 2023 | Rule Changes | 0.132.2 |
November 29, 2023 | Rule Changes | 0.132.1 |
November 28, 2023 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Fileless Malware Detected (memfd)
Modification of pam.d detected
Suspicious Cron Modification
Added the following rules: Update Secret in Secrets Manager
Delete Secret in Secrets Manager
Create Secret in Secrets Manager
Cancel Secret Rotation in Secrets Manager
Azure Create/Update User Managed Identity
Azure Create/Update a Public IP Address
Azure Create/Update a Key Vault
Azure Delete a Public IP Address
Azure Delete a Key Vault
Azure Delete User Managed Identity
CODEOWNERS file modified
Okta One-Time Token Reused
Improved the network_tool_binaries list. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.132.0 |
November 27, 2023 | Rule Changes Default Policy Changes | 0.131.7 |
November 25, 2023 | Rule Changes Default Policy Changes | 0.131.5 |
November 24, 2023 | Rule Changes Reduced false positives for the following rules: Launch Sensitive Mount Container
Create Symlink Over Sensitive Files
Kernel startup modules changed
Execution from /tmp
Changed the rule name Azure Terminate the Virtual Machine to Azure Stop a Virtual Machine. Updated the IoCs Ruleset with new findings. Updated MITRE tags.
Default Policy Changes | 0.131.4 |
November 23, 2023 | Rule Changes Default Policy Changes Updated policy for the Azure Terminate the Virtual Machine rule. | 0.131.3 |
November 22, 2023 | Rule Changes | 0.131.2 |
November 21, 2023 | Default Policy Changes | 0.131.1 |
November 21, 2023 | Rule Changes Reduced false positives for the following rules: eBPF program loaded into kernel
Suspicious Cron Modification
Set Setuid or Setgid bit
Write below root
Detect outbound connections to common miner pool ports
Added the following rules: Updated the policy for the Contact K8S API Server From Container rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.131.0 |
November 20, 2023 | Rule Changes Default Policy Changes | 0.130.8 |
November 17, 2023 | Rule Changes Reduced false positives for the following rules: Modification of pam.d detected
Possible Backdoor using BPF
Packet socket created in container
Dump memory for credentials
Launch Remote File Copy Tools in Container
Suspicious cron modification
Base64-encoded Shell Script Execution
Fileless Malware Detected (memfd)
Fixed exception in Share RDS Snapshot with Foreign Account rule. Improved output for the GitHub Webhook Connected rule. Updated the indicators of compromise (IoC) Ruleset with new findings.
| 0.130.7 |
November 16, 2023 | Rule Changes | 0.130.6 |
November 15, 2023 | Rule Changes Reduced false positives for the following rules: Launch root user container
eBPF program loaded into kernel
Possible Backdoor using BPF
Non sudo setuid
Modification of pam.d detected
Improved output for the Okta ruleset. Improved tags for the AWS RDS Master Password Update rule. Updated the IoCs Ruleset with new findings.
| 0.130.5 |
November 14, 2023 | Rule Changes Reduced false positives for the following rules: Removed Sysdig images from the Terminal shell in container rule. Improved description for the Okta Admin Console Access Velocity Behavior rule. Updated policy for the SSM Get Parameter rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.130.4 |
November 13, 2023 | Rule Changes | 0.130.3 |
November 10, 2023 | Rule Changes | 0.130.2 |
November 08, 2023 | Rule Changes | 0.130.1 |
November 07, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious Cron Modification
Mount Launched in Privileged Container
eBPF Program Loaded into Kernel
Modification of pam.d detected
Added the following rules: Improved condition for the following rules: System procs network activity
Potential UAC Bypass Using Registry Manipulation
Dump memory for credentials
Improved the Windows suspicious_network_binaries list. Updated description for the Malicious C2 IPs or domains exploiting log4j rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.130.0 |
November 06, 2023 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Write below etc
Read Environment Variable from /proc files in Container
Modification of pam.d detected
Non sudo setuid
| 0.129.4 |
November 04, 2023 | Rule Changes Reduced false positives for the following rules: Search Private Keys or Passwords
Fileless Malware Detected (memfd)
Mount Launched in Privileged Container
Modification of pam.d detected
SSH keys added to authorized_keys
Non sudo setuid
Possible backdoor using BPF
Change memory swap options
Kernel startup modules changed
Improved output for the Shutdown or Reboot detected rule. Updated MITRE tags. Improved condition for the Execution of binary using ld-linux rule.
| 0.129.3 |
November 02, 2023 | Default Policy Changes | 0.129.2 |
October 31, 2023 | Rule Changes Added the following rules: Shutdown or Reboot detected
Get Federation Token with Admin Policy
Full Visibility on Federated Sessions
GCP CloudRun Service Started
Create Key Pair
Stop EC2 Instances
Get Lambda Function
Attach IAM Policy to Group
Escape to host via command injection in process
Updated the IoCs Ruleset with new findings. Improved the network_tool_binaries list. Improved condition for the following rules: GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911)
Potential IRC connection detected
Put Object in Watched Bucket
Default Policy Changes | 0.129.0 |
October 30, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious cron modification
Packet socket created in container
Fileless Malware Detected (memfd)
Modification of pam.d detected
Write below etc
Read SSH information
docker client is executed in a container
eBPF Program Loaded into Kernel
Write below rpm database
Updated the IoCs Ruleset with new findings. Updated MITRE tags. Improved output for the following:
| 0.128.7 |
October 26, 2023 | Added Windows support. | 0.128.6 |
October 24, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious Cron Modification
Possible backdoor using BPF
Modification of pam.d detected
SSH keys added to authorized_keys
Kernel startup modules changed
Updated the IoCs Ruleset with new findings. Updated MITRE tags. Improved the condition for the Modification of pam.d detected rule.
| 0.128.4 |
October 23, 2023 | Rule Changes | 0.128.3 |
October 18, 2023 | Rule Changes Reduced false positives for the following rules: Mount launched in privileged container
Kernel startup modules changed
Read SSH information
Possible Backdoor using BPF
| 0.128.2 |
October 17, 2023 | Rule Changes | 0.128.1 |
October 06, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule. Updated the IoCs Ruleset with new findings.
| 0.127.7 |
October 04, 2023 | Rule Changes Added the following rules: CodeBuild Create Project with Miner
CodeBuild Start Build with Miner
CodeCommit Create Repository
CodeCommit Git Push
CodeBuild Create Project
CloudFormation Create Stack
SSH keys added to authorized_keys
SageMaker Create Notebook Instance Lifecycle Configuration
Image Builder Create Component
Amplify Create App
EC2 Create Auto Scaling Group
Potential IRC connection detected
CodeBuild Start Build
ECS Create Cluster
EC2 Create Launch Template
Change memory swap options
Azure Update a Web App's configuration settings
Azure Function App Create/Update a Connection
Azure Create/Update Web Apps Hostname Bindings
Azure Cosmos DB Delete MongoDB Database
Azure Cosmos DB Delete SQL DB Container
Azure Cosmos DB Delete Postgres Firewall Rule
Azure Cosmos DB Delete Postgres Cluster
Azure Cosmos DB Delete Service
Azure Cosmos DB Delete MongoDB Role Definition
Azure Cosmos DB Delete MongoDB User Definition
Azure Cosmos DB Delete MongoDB Database Collection
Azure Cosmos DB Delete Gremlin Database
Azure Cosmos DB Delete Gremlin Database Graphs
Azure Cosmos DB Delete Cassandra Keyspace
Azure Cosmos DB Delete Cassandra Table
Azure Cosmos DB Delete Database Account
Azure Cosmos DB Delete Table
Azure Cosmos DB Delete Postgres Role
Azure Cosmos DB Delete SQL Assignment
Azure Cosmos DB Delete SQL Database
Azure Cosmos DB Delete SQL User Defined Function
Azure Cosmos DB Delete SQL Trigger
Azure Cosmos DB Delete SQL Stored Procedure
Azure Cosmos DB Create SQL Assignment
Azure Cosmos DB Create Postgres Role
Azure Cosmos DB Create SQL Definition
Azure Cosmos DB Create SQL Database
Azure Cosmos DB Create SQL User Defined Function
Azure Cosmos DB Create SQL Trigger
Azure Cosmos DB Create SQL Stored Procedure
Azure Cosmos DB Create SQL DB Container
Azure Cosmos DB Create Postgres Firewall Rule
Azure Cosmos DB Create MongoDB Database
Azure Cosmos DB Create Postgres Cluster
Azure Cosmos DB Create MongoDB Role Definition
Azure Cosmos DB Create MongoDB User Definition
Azure Cosmos DB Create MongoDB Database Collection
Azure Cosmos DB Create Gremlin Database
Azure Cosmos DB Create Gremlin Database Graphs
Azure Cosmos DB Create Cassandra Keyspace
Azure Cosmos DB Create Cassandra Table
Azure Cosmos DB Create Database Account
Azure Cosmos DB Create Table
Azure Cosmos DB Create Service
Reduced false positives for the following rules: Read Environment Variable from /proc files in Container
Set Setuid or Setgid bit
Launch Suspicious Network Tool in Container
Non sudo setuid
Clear log activities
eBPF Program Loaded into Kernel
Search Private Keys or Passwords
Improved condition for the following rules: Updated MITRE tags. Updated policy for the Modification of pam.d detected rule. Improved the log_files list. Updated the IoCs Ruleset with new findings.
Default Policy Changes Added the following rules: CodeBuild Create Project with Miner
CodeBuild Start Build with Miner
CodeCommit Create Repository
CodeCommit Git Push
CodeBuild Create Project
CloudFormation Create Stack
SSH keys added to authorized_keys
SageMaker Create Notebook Instance Lifecycle Configuration
Image Builder Create Component
Amplify Create App
EC2 Create Auto Scaling Group
Potential IRC connection detected
CodeBuild Start Build
ECS Create Cluster
EC2 Create Launch Template
Change memory swap options
Updated policy for the following rules: Added Simple Systems Manager (SSM) rules to awscloudtrail policy.
| 0.128.0 |
October 04, 2023 | Rule Changes Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule. Default Policy Changes Added the GLIBC "Looney Tunables" Local Privilege Escalation (CVE-2023-4911) rule. | 0.127.6 |
October 04, 2023 | Rule Changes | 0.127.5 |
October 03, 2023 | Rule Changes | 0.127.4 |
September 29, 2023 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
AWS CLI used with endpoint url parameter
eBPF Program Loaded into Kernel
Non sudo setuid
Updated the MITRE tags. Added the dns_traffic macro. Improved the Okta rules. Updated the IoCs Ruleset with new findings.
| 0.127.3 |
September 28, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Non sudo setuid
Launch root user container
Packet socket created in container
Redirect STDOUT/STDIN to Network Connection in Container
Fileless Malware Detected (memfd)
Updated MITRE tags. Added exception for the Suspicious Domain Contacted rule. Updated the IoCs Ruleset with new findings.
| 0.127.2 |
September 27, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Launch excessively capable container
Possible backdoor using BPF
Launch privileged container
Improved output for the Fileless Malware Detected (memfd) rule. Updated the IoCs Ruleset with new findings.
| 0.127.1 |
September 26, 2023 | Rule Changes Added the following rules: GCP VPC Add Peering
Okta Suspicious User Activity Report
Okta Admin Console Access via New Device
Okta FastPass Phishing Attempt
Modification of pam.d detected
GCP Modified VPC Network
GCP Create VPC Network
GCP VPC Remove Peering
Okta Admin Console Access Velocity Behavior
GCP Create Role
GCP Delete Route
Suspicious device created in container
GCP Update CloudSQL
Okta Admin Console Access with New Behaviors
GCP Create Route
Okta Sign-in via Proxy
Okta Create Identity Provider
K8s Pod Deleted
GCP Update Role
GCP Modify Audit Policy
SSM Start Session
Okta Admin Console Access Failure
Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Set Setuid or Setgid bit
Mount Launched in Privileged Container
Suspicious Cron Modification
Possible Backdoor using BPF
Improved condition for the following rules: Updated MITRE tags. Improved output for the Packet socket created in container rule. Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.127.0 |
September 22, 2023 | Rule Changes Reduced false positives for the following rules: Kernel startup module changed
Launch root user container
Read shell configuration file
Write below etc
Improved output for the SSM Send Command rule. Updated the IoCs Ruleset with new findings. Updated MITRE tags.
| 0.126.3 |
September 21, 2023 | Rule Changes | 0.126.2 |
September 20, 2023 | Rule Changes Default Policy Changes Updated policy for the following rules: | 0.126.1 |
September 19, 2023 | Rule Changes Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Container
Launch Root User Container
Suspicious Operations with Firewalls
Non sudo setuid
Fileless Malware Detected (memfd)
Non Sudo Setuid
Added the following rules: Improved condition for the Packet socket created in container rule.
Default Policy Changes Added the following files: Updated the policy for the Container escape via discretionary access control rule. Added the Sysdig Azure Threat Intelligence policy.
| 0.126.0 |
September 14, 2023 | Rule Changes Reduced false positives for the following rule: | 0.125.3 |
September 13, 2023 | Rule Changes | 0.125.1 |
September 12, 2023 | Rule Changes Added the following files: Unexpected Unshare event in Container
Disallowed SSH Connection Non Standard Port
Azure Suspicious IP Inbound Request
GCP Change Owner
Container escape via discretionary access control
Improved condition for the following: Launch Privileged Container
Write below etc
Suspicious Operations with Firewalls
Launch Remote File Copy Tools in Container
Improved the sysdig_commercial_images list. Improved the performance of the rename macro. Updated the IoCs Ruleset with new findings.
Default Policy Changes Added the following files: Unexpected Unshare event in Container
Disallowed SSH Connection Non Standard Port
Azure Suspicious IP Inbound Request
GCP Change Owner
Container escape via discretionary access control
| 0.125.0 |
September 08, 2023 | Rule Changes Reduced false positives for the following rules: Launch Ingress Remote File Copy Tools in Container
Launch Root User Container
Possible Backdoor using BPF
Fileless Malware Detected (memfd)
Packet socket created in container
Change thread namespace
Improved host and container tags. Updated the IoCs Ruleset with new findings.
| 0.124.3 |
September 06, 2023 | Rule Changes Reduced false positives for the following rules: PTRACE attached to process
Mount Launched in Privileged Container
Launch Root User Container
Launch Sensitive Mount Container
Launch Privileged Container
Added the azure_trusted_images_launch_root_list list. Updated the IoCs Ruleset with new findings.
| 0.124.1 |
September 05, 2023 | Rule Changes Default Policy Changes | 0.124.0 |
September 04, 2023 | Rule Changes Reduced false positives for the following rules: The docker client is executed in a container
Possible Backdoor using BPF
Fileless Malware Detected (memfd)
Improved host and container tags. Updated the IoCs Ruleset with new findings.
| 0.123.3 |
September 02, 2023 | Rule Changes Reduced false positives for the following rules: The docker client is executed in a container
Mount Launched in Privileged Container
Packet Socket Created in Container
Launch Root User Container
Launch Privileged Container
Improved condition for the following rule: Updated the IoCs Ruleset with new findings. Improved the host and container tags.
| 0.123.2 |
August 30, 2023 | Rule Changes | 0.123.1 |
August 29, 2023 | Rule Changes Reduced false positives for the following rules: Improved condition for the following rules: Improved output for the following rules: Updated the IoCs Ruleset with new findings. Improved the miner_ports list.
| 0.123.0 |
August 28, 2023 | Rule Changes Default Policy Changes Reduced false positives for the Put Object in Watched Bucket rule. | 0.122.5 |
August 18, 2023 | Rule Changes Reduced false positives for the following rules: Default Policy Changes Downgraded AWS rules. | 0.122.4 |
August 05, 2023 | Rule Changes | 0.122.3 |
August 03, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved output for the Fileless Malware Detected (memfd) rule.
Default Policy Changes Removed Packet socket created in container from the Sysdig Runtime Notable Events policy. | 0.122.2 |
August 02, 2023 | Rule Changes Default Policy Changes Remove the AWS IAM Credential Report Request rule from policy. | 0.122.1 |
August 01, 2023 | Rule Changes Reduced false positives for the Launch Root User Container rule. Added the following rules: AWS ECS Create Task Definition
AWS RDS Master Password Update
AWS IAM Credential Report Request
Updated the IoCs Ruleset with new findings. Improved the network_tool_binaries list. Added support for the accept4 syscall.
Default Policy Changes Added the following rules: AWS ECS Create Task Definition
AWS RDS Master Password Update
AWS IAM Credential Report Request
| 0.122.0 |
July 28, 2023 | Rule Changes | 0.121.4 |
July 27, 2023 | Rule Changes Reduced false positives for the following rules: Fileless Malware Detected (memfd)
Redirect STDOUT/STDIN to Network Connection in Container
Write below root
Packet socket created in container
Execution from /tmp
Increased the async limit to speed up validation times. Updated the IoCs Ruleset with new findings.
| 0.121.3 |
July 26, 2023 | Rule Changes Reduced false positives for the following rules: Improved performance for the Contact Task Metadata Endpoint rule. Updated the IoCs Ruleset with new findings.
| 0.121.2 |
July 25, 2023 | Rule Changes | 0.121.1 |
July 25, 2023 | Rule Changes Reduced false positives for the following rules: Added the following rules: Fileless Malware Detected (memfd)
Contact Azure Instance Metadata Service from Container
Contact GCP Instance Metadata Service from Container
Updated the IoCs Ruleset with new findings.
Default Policy Changes | 0.121.0 |
July 24, 2023 | Rule Changes | 0.120.4 |
July 22, 2023 | Rule Changes Reduced false positives for the following rules: Change thread namespace
Launch Privileged Container
Mount Launched in Privileged Container
Possible Backdoor using BPF
Improved outputs for the following rules: Suspicious Domain Contacted
non_system_user
Connection to IPFS Network Detected
Added the following macros to Threat Intel: Updated the IoCs Ruleset with new findings.
| 0.120.0 |
July 21, 2023 | Rule Changes Reduced false positives for the following rules: Suspicious Domain Contacted
The docker client is executed in a container
eBPF Program Loaded into Kernel
Packet socket created in container
Updated the IoCs Ruleset with new findings. Tuned the Potential IRC connection detected preview rule.
| 0.120.3 |
July 20, 2023 | Rule Changes | 0.120.2 |
July 18, 2023 | Rule Changes Reduced false positives for the following rules: Read Shell Configuration File
Read sensitive file untrusted
Read ssh information
Write below monitored dir
Added exception for the following rules: Improved performance for the Write below monitored dir rule. Updated the IoCs Ruleset with new findings.
| 0.120.1 |
July 17, 2023 | Rule Changes | 0.119.4 |
July 13, 2023 | Rule Changes Reduced false positives for the following rules: Improved performance for the following rules: Updated the IoCs Ruleset with new findings.
| 0.119.3 |
July 12, 2023 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
Packet socket created in container
Change thread namespace
Terminal shell in container
eBPF Program Loaded into Kernel
Write below root
Improved performance for the following rules: Updated the IoCs Ruleset with new findings. Introduced retries for intermittent HTTP errors and improved logs.
| 0.119.2 |
July 11, 2023 | Rule Changes Reduced false positives for the following rules: Improved performance for the following rules: Unprivileged Delegation of Page Faults Handling to a Userspace Process
Write below rpm database
DB program spawned process
Delete or rename shell history
Updated the IoCs Ruleset with new findings.
| 0.119.1 |
July 10, 2023 | Rule Changes Reduced false positives for the following rules: Excluded local IPv6 from macros. Improved performance for the following rules: Read sensitive file trusted after startup
Write below etc
System procs network activity
Read sensitive file untrusted
AWS SSM Agent Activity
Added the following rules: EC2 Instance Connect System Access
AWS SSM Agent File Write
Removing MFA from Admin in Okta
Download and launch remote file copy tools in container
Find GCP Credentials
Find Azure Credentials
Updated the IoCs Ruleset with new findings. Improved condition for the following rule: Default Policy Changes Added the following rules: EC2 Instance Connect System Access
AWS SSM Agent File Write
Removing MFA from Admin in Okta
Download and launch remote file copy tools in container
Find GCP Credentials
Find Azure Credentials
| 0.119.0 |
July 07, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved the network_tool_binaries list.
| 0.118.3 |
July 06, 2023 | Rule Changes | 0.118.2 |
July 05, 2023 | Rule Changes Reduced false positives for the following rules: Launch Remote File Copy Tools in Container
Packet socket created in container
eBPF Program Loaded into Kernel
Launch Sensitive Mount Container
Updated the IoCs Ruleset with new findings. Fix exceptions for the AWS SSM Agent Activity rule.
| 0.118.1 |
June 30, 2023 | Rule Changes | 0.117.8 |
June 28, 2023 | Rule Changes Reduced false positives for the following rules: DB program spawned process
Launch Sensitive Mount Container
Launch Root User Container
Updated the IoCs Ruleset with new findings. Improved the falco_sensitive_mount_images list. Added preview structure for rules.
Default Policy Changes | 0.117.7 |
June 26, 2023 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Redirect STDOUT/STDIN to Network Connection in Host
Launch Sensitive Mount Container
DB program spawned process
Read ssh information
Non sudo Setuid
Updated the IoCs Ruleset with new findings. Improved the process_name_exists macro.
| 0.117.6 |
June 23, 2023 | Rule Changes | 0.117.5 |
June 22, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved performance for the Contact EC2 Instance Metadata Service From Container and Write below binary dir rules.
| 0.117.4 |
June 21, 2023 | Rule Changes | 0.117.3 |
June 19, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Improved the falco_privileged_images list.
| 0.117.2 |
June 20, 2023 | Rule Changes Reduced false positives for the following rules: Updated the IoCs Ruleset with new findings. Fixed exception value. Removed append fields from rules and macros.
| 0.117.1 |
June 09, 2023 | Rule Changes | 0.116.5 |
June 09, 2023 | Rule Changes | 0.116.4 |
June 08, 2023 | Rule Changes Reduced false positives for the following rules: Improved output for The docker client is executed in a container rule. Updated the IoCs Ruleset with new findings.
| 0.116.3 |
June 07, 2023 | Rule Changes Default Policy Changes | 0.116.2 |
May 31, 2023 | Rule Changes | 0.115.1 |
May 30, 2023 | Rule Changes Reduced false positives for the Execution from /tmp rule. Added the following rules: K8s Ingress Deleted
K8s Ingress Created/Modified
AWS EC2 Instance Connect/SSH Public Key Uploaded
Admin permission has been assigned to a group in Okta
Updated the IoCs Ruleset with new findings. Improved condition for the following rules: Default Policy Changes Added the following rules: K8s Ingress Deleted
K8s Ingress Created/Modified
AWS EC2 Instance Connect/SSH Public Key Uploaded
Admin permission has been assigned to a group in Okta
| 0.115.0 |
May 18, 2023 | Rule Changes Added the Okta CAPTCHA Settings Updated rule. Reduced false positives for the following rules: Read ssh information
Write below root
Run shell untrusted
Updated the IoCs Ruleset with new findings. Default Policy Changes Added the Okta CAPTCHA Settings Updated rule.
| 0.114.1 |
May 17, 2023 | Rule Changes Reduced false positives for the following rules: Launch Privileged Container
Read sensitive file untrusted
Read Shell Configuration File
eBPF Program Loaded into Kernel
Write below etc
Launch Root User Container
Create files below dev
Non sudo setuid
Added the following rules: Drop and execute new binary in container
GCP Cloud SQL Data Exfiltration
GCP Create Service Account
GCP Create or Modify Compute SSH Key
GCP Default Service Account Activity
Directory traversal monitored file read
Detection bypass by symlinked files
Updated the IoCs Ruleset with new findings. Introduced v16 ruleset. Improved condition for the OpenSSL File Read or Write rule. Improved detection for the Suspicious System Service Modification rule.
Default Policy Changes Added the following rules: Drop and execute new binary in container
GCP Cloud SQL Data Exfiltration
GCP Create Service Account
GCP Create or Modify Compute SSH Key
GCP Default Service Account Activity
Directory traversal monitored file read
Detection bypass by symlinked files
| 0.114.0 |
May 10, 2023 | Rule Changes | 0.113.2 |
May 09, 2023 | Rule Changes | 0.113.1 |
May 08, 2023 | Rule Changes Reduced false positives for the following rules: Launch Remote File Copy Tools in Container
Read Shell Configuration File
Write below etc
Set Setuid or Setgid bit
Change thread namespace
Write below rpm database
Launch Privileged Container
eBPF Program Loaded into Kernel
Updated the IoCs Ruleset with new findings. Improved condition for the following rules: Added the following rules: Added exceptions for the Ingress Object without TLS Certificate Created rule.
Default Policy Changes Added the following rules: | 0.113.0 |
May 05, 2023 | Rule Changes Reduced false positives for the following rules: Set Setuid or Setgid bit
Non sudo setuid
Updated the Sysdig Mitre Attack mapper. Updated the IoCs Ruleset with new findings.
| 0.112.3 |
May 04, 2023 | Rule Changes | 0.112.2 |
May 01, 2023 | Rule Changes Reduced false positives for the following rules: Write below etc
Read sensitive file untrusted
Kernel startup modules changed
Launch Privileged Container
Mount Launched in Privileged Container
Launch Ingress Remote File Copy Tools in Container
Non sudo setuid
Updated the IoCs Ruleset with new findings. Enabled the Java Process Class File Download rule by default.
Default Policy Changes Enable the following rules by default: | 0.112.0 |
April 26, 2023 | Rule Changes Reduced false positives for the following rules: Run shell untrusted
eBPF Program Loaded into Kernel
Launch Sensitive Mount Container
Launch Package Management Process in Container
Launch Root User Container
Updated the following tags: AWS MITRE ATT&CK
Azure MITRE ATT&CK
GCP MITRE ATT&CK
Updated the IoCs Ruleset with new findings. Improved the MITRE ATT&CK tags. Improved the sysdig_commercial_images list.
Default Policy Changes Updated policy for the following rules: | 0.111.0 |
April 17, 2023 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Write below etc
Redirect STDOUT/STDIN to Network Connection in Container
Read ssh information
Clear Log Activities
Modify Shell Configuration File
System ClusterRole Modified/Deleted
Updated policy for the following rules: Updated IoCs Ruleset with new findings. Improved output for the Launch Excessively Capable Container rule. Added the Kernel startup modules changed rule.
Default Policy Changes | 0.110.0 |
April 11, 2023 | Rule Changes Reduced false positives for the following rules: Launch Package Management Process in Container
Read sensitive file untrusted
Write below etc
Netcat Remote Code Execution in Container
Container Run as Root User
Set Setuid or Setgid bit
Mount Launched in Privileged Container
Launch Root User Container
Non sudo setuid
Added tags for the following rules: Detect release_agent File Container Escapes
Unprivileged Delegation of Page Faults Handling to a Userspace Process
Launch Excessively Capable Container
Updated IoCs Ruleset with new findings. Moved malicious_download_tools into the Suspicious Network tools rules. Improved the network_tool_binaries list. Fixed the Set Setuid or Setgid bit tag.
Default Policy Changes Updated policy for the following rules: Security Hub Disassociate From Master Account
Security Hub Delete Members
Security Hub Disassociate Members
| 0.109.0 |
April 07, 2023 | Rule Changes: Reduced false positives for the following rules: Set Setuid or Setgid bit; Suspicious Cron Modification; Disallowed K8s User; The docker client is executed in a container; Launch Package Management Process in Container; Clear Log Activities; Write below etc; Read sensitive file untrusted; PTRACE attached to process; Launch Excessively Capable Container; eBPF Program Loaded into Kernel; Non sudo setuid; Write below root; Write below rpm database; Launch Sensitive Mount Container; Launch Root User in Container. Added the following rules: Detect release_agent File Container Escapes; Java Process Class File Download; Launch Excessively Capable Container; Unprivileged Delegation of Page Faults Handling to a Userspace Process. Updated IoCs Ruleset with new findings. Added Falco rules versioning support. Added an exception for the Outbound Connection to C2 Servers rule. Default Policy Changes: Added the following rules: Detect release_agent File Container Escapes; Java Process Class File Download; Launch Excessively Capable Container; Unprivileged Delegation of Page Faults Handling to a Userspace Process. Updated policy for the following rules: Guard Duty Disassociate Members; Guard Duty Disassociate from Master Account; Guard Duty Delete Members. Added Falco rules versioning support. Removed the following rules from policies: Launch Disallowed Container; Interpreted procs inbound network activity; Interpreted procs outbound network activity. | 0.108.0 |
March 13, 2023 | Rule Changes: Reduced false positives for the following rules: Clear Log Activities; Launch Package Management Process in Container; Container Run as Root User; Launch Remote File Copy Tools in Container; Launch Root User Container. Improved condition for the following rules: Updated IoCs Ruleset with new findings. Default Policy Changes: Updated policy for the following rules: | 0.106.0 |
March 07, 2023 | Rule Changes: Added the following rules: Create Bucket; Delete Bucket. Improved the output for the following rules: Updated the MITRE, GCP MITRE, and AWS MITRE tags. Improved condition for the Tampering with Security Software in Container rule. Reduced false positives for the following rules: The docker client is executed in a container; Launch Privileged Container; Write below root; Schedule Cron Jobs; Suspicious Cron Modification; Launch Remote File Copy Tools in Container; Launch Suspicious Network Tool on Host; System procs activity; Modify Shell Configuration File; Write below etc; Launch Sensitive Mount Container; Mount Launched in Privileged Container; PTRACE attached to process. Updated Kubernetes image registry domains. Improved the falco_privileged_images list. Updated IoCs Ruleset with new findings. Default Policy Changes | 0.105.0 |
February 28, 2023 | Rule Changes: Added the following rules: Create Hardlink Over Sensitive Files; Azure Storage Account Created; Azure Storage Account Deleted; GCP Create Project; GCP Create Compute VM Instance; GCP Enable API. Reduced false positives for the following rules: Suspicious Operations with Firewalls; Linux Kernel Module Injection Detected; PTRACE attached to process; Read sensitive file untrusted. Improved condition for the following rules: Updated IoCs Ruleset with new findings. Default Policy Changes: Added the following rules: Create Hardlink Over Sensitive Files; Azure Storage Account Created; Azure Storage Account Deleted; GCP Create Project; GCP Create Compute VM Instance; GCP Enable API. | 0.104.1 |
February 24, 2023 | Rule Changes | 0.103.1 |
February 23, 2023 | Rule Changes: Added the following rules: Modify Timestamp attribute in File; Launch Code Compiler Tool in Container; Put Bucket ACL for AllUsers. Reduced false positives for the following rules: Improved condition for the Put Bucket Lifecycle rule. Updated IoCs Ruleset with new findings. Default Policy Changes | 0.103.0 |
February 14, 2023 | Rule Changes: Added the following rules: User Management Event Detected; Users Group Management Event Detected; OpenSSL File Read or Write. Reduced false positives for the following rules: Improved condition for the following rules: Improved the sensitive_kernel_parameter_files list. Updated IoCs Ruleset with new findings. Added an exception for the OpenSSL File Read or Write rule. Default Policy Changes | 0.102.1 |
February 08, 2023 | Rule Changes: Added the security_processes list. Improved the network_tool_binaries list. Reduced false positives for the following rules: Contact EC2 Instance Metadata Service From Container; Run shell untrusted; System procs network activity; Set Setuid or Setgid bit; eBPF Program Loaded into Kernel. Improved the condition for the Detect reconnaissance scripts rule. Updated IoCs Ruleset with new findings. | 0.101.1 |
January 26, 2023 | Rule Changes: Added the following rules: K8s CronJob Deleted; K8s CronJob Created/Modified; Read Environment Variable from /proc files in Container; Suspicious OpenSSL Shared Object Loaded. Reduced false positives for the following rules: Improved condition for the GPG Key Reconnaissance rule. Updated IoCs Ruleset with new findings. Default Policy Changes: Added the following rules: K8s CronJob Deleted; K8s CronJob Created/Modified; Read Environment Variable from /proc files in Container; Suspicious OpenSSL Shared Object Loaded. | 0.100.2 |
January 20, 2023 | Rule Changes: Added the following rules: Improved condition for the following rules: Create Security Group Rule Allowing Ingress Open to the World; Create a Network ACL Entry Allowing Ingress Open to the World; Detect reconnaissance scripts; Lastlog Files Cleared; Launch Remote File Copy Tools in Container; Put Bucket Lifecycle; Delete or rename shell history. Added exception for the following rules: Updated IoCs Ruleset with new findings. Reduced false positives for the Find AWS Credentials rule. Default Policy Changes: Added the following rules: | 0.99.0 |
January 09, 2023 | Rule Changes: Reduced false positives for the Container Run as Root User rule. Improved condition for the Suspicious Operations with Firewalls rule. Added the following rules: Added tags to the K8s Networkpolicy Deleted rule. Added exceptions for the following: Delete Organization Config Rule; Delete Cluster; Elasticsearch Domain Creation without Encryption at Rest; ECR Image Pushed; Put Remediation Configurations; Delete Configuration Aggregator; Put Organization Config Rule; Put Organization Conformance Pack; Stop Configuration Recorder; Delete Organization Conformance Pack; ECS Service Created; ECS Service Deleted; Terminal Shell in ECS Container; ECS Task Run or Started; ECS Service Task Definition Updated; ECS Task Stopped; Create HTTP Target Group without SSL; Elasticsearch Domain Creation without VPC; Run Instances; CloudTrail Trail Created; Create Security Group Rule Allowing SSH Ingress; Guard Duty Disassociate from Master Account; Guard Duty Delete Members; Disable GuardDuty; Delete Detector; Create Access Key for Root User; Guard Duty Disassociate Members; Stop Monitoring Members; Password Recovery Requested; Deactivate Hardware MFA for Root User; Add AWS User to Group; Attach Administrator Policy; Attach IAM Policy to User; Deactivate MFA for Root User; Create Group; Create IAM Policy that Allows All; Create Access Key for User; Deactivate Virtual MFA for Root User; Delete Virtual MFA for Root User; Create AWS user (SSO); Create AWS user; Delete AWS user (SSO); Deactivate MFA for User Access; Delete Group; Put IAM Inline Policy to User; Delete AWS user; Remove AWS User from Group; Update Account Password Policy Not Expiring; Update Account Password Policy Expiring in More Than 90 Days; Update Account Password Policy Not Preventing Reuse of Last 24 Passwords; Update Account Password Policy Not Preventing Reuse of Last 4 Passwords; Update Account Password Policy Not Requiring 14 Characters; Update Account Password Policy Not Requiring 7 Characters; Update Account Password Policy Not Requiring Lowercase; Update Account Password Policy Not Requiring Number; Update Account Password Policy Not Requiring Symbol; Update Account Password Policy Not Requiring Uppercase; Replace Route; Modify Image Attribute; Modify Snapshot Attribute; Revoke Security Group Egress; Revoke Security Group Ingress; Run Instances in Non-approved Region; Create Internet-facing AWS Public Facing Load Balancer; Delete Listener; Modify Listener; Disable EBS Encryption by Default; Contact EC2 Instance Metadata Service From Container; EC2 Serial Console Access Enabled; Make EBS Snapshot Public; Get Password Data. Default Policy Changes: Added the following rules: | 0.98.2 |
January 04, 2023 | Rule Changes: Reduced false positives for the following rules: Updated IoCs Ruleset with new findings. Added exception for the DB program spawned process rule. Improved output for the Suspicious System Service Modification rule. | 0.98.0 |