December 20, 2024 | Rule Changes | 0.184.2 |
December 19, 2024 | Rule Changes Default Policy Changes | 0.184.1 |
December 17, 2024 | Rule Changes Added the following rules: Improved condition for the DNS Lookup for Offensive Security Tool Domain Detected rule. Improved tags for the DNS Lookup for Offensive Security Tool Domain Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Clear Log Activities
Linux Kernel Module Injection Detected
Kernel startup modules changed
Unprivileged Delegation of Page Faults Handling to a Userspace Process
Suspicious Home Directory Creation
Change memory swap options
Default Policy Changes | 0.184.0 |
December 16, 2024 | Rule Changes | 0.183.3 |
December 13, 2024 | Rule Changes | 0.183.2 |
December 12, 2024 | Rule Changes | 0.183.1 |
December 10, 2024 | Rule Changes Updated Indicators of Compromise (IoCs) rulesets with new findings. Added the following rules: Role/Clusterrole Bound To Kubernetes Anonymous User
Highly Sensitive Clusterrole Bound To Kubernetes Anonymous User
Executable File Dropped in Container via Kubectl
Suspicious Interaction with Container Socket
Improved conditions for the following rules: Reduced false positives for the following rules: Non sudo setuid
Launch Privileged Container
Set Setuid or Setgid bit
Modify ld.so.preload
Mount Launched in Privileged Container
Kernel startup modules changed
DNS Lookup for Uncommon TLD Domain Detected
DNS Fast Flux Activity Detected
PTRACE anti-debug attempt
Default Policy Changes | 0.183.0 |
December 05, 2024 | Rule Changes Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: OpenSSL Reverse Shell Detected
Kernel Module Loaded by Unexpected Program
Modify Grub Configuration Files
eBPF Program Loaded into Kernel
Improved output for SSM Start Session.
| 0.182.1 |
December 03, 2024 | Rule Changes Added the following rules: eBPF Program Loaded From Unexpected Location
Socat Reverse Shell Detected
Modification of Container Image Cache
Known Malicious eBPF Program Detected
OpenSSL Reverse Shell Detected
Possible Remote Command Execution Detected
Updated policy for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Reverse Shell Detected
Fileless Malware Detected (memfd)
Dump memory for credentials
Find GCP Credentials
PTRACE anti-debug attempt
Set Setuid or Setgid bit
Default Policy Changes
| 0.182.0 |
November 29, 2024 | Rule Changes Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Improved output for DNS rules. Removed the following rules from managed policies: Unexpected K8s NodePort Connection
GCP Super Admin Executing Command
Network Connection outside Local Subnet
Reduced false positives for the following rules:
Default Policy Changes | 0.181.1 |
November 26, 2024 | Rule Changes Reduced false positives for Password Policy Discovery Activity Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Added the following rules: Azure VM Activity using RunCommand
Persistence Across GitHub Runner Executions Detected
AKS RunCommand Container Launched
Perl Remote Command Execution Detected
Updated descriptions for: Updated policy for the following rules: Added rule Connection to Instance Metadata through AWS SSM. Improved condition for Suspicious Access To Kerberos Secrets rule.
Default Policy Changes | 0.181.0 |
November 25, 2024 | Rule Changes | 0.180.4 |
November 22, 2024 | Rule Changes | 0.180.3 |
November 21, 2024 | Rule Changes | 0.180.2 |
November 20, 2024 | Rule Changes Updated policies for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following: Ransomware Filenames Detected
Non sudo setuid
DNS Lookup for Uncommon TLD Domain Detected
Modification of pam.d detected
DNS Lookup for Reconnaissance Service Detected
DNS Lookup for Suspicious Domain Detected
Default Policy Changes | 0.180.1 |
November 19, 2024 | Rule Changes Added the following rules: Azure Network Watcher Deleted
Azure Firewall Policy Rule Collection Group Deleted
Azure Firewall Policy Deleted
Azure WAF Policy Deleted
Kernel or Physical Memory Dumped
Azure Network Watcher Flow Log Deleted
Azure Automation Watcher Job Action Created
Azure Automation Runbook Scheduled
Azure Firewall Deleted
Azure Network Packet Capture Created
Azure Automation Runbook Deleted
Azure Automation Webhook URI Created
Azure Automation Runbook Published
Entra Add Service Principal Credentials
Azure Execute RunCommand on Kubernetes Cluster
Azure DDoS Protection Deleted
Azure Event Hub Resource Deleted
Run Command in VM Instances via Virtual Machine Scale Set
Connect to VM via Serial Console
Improved condition for DNS Lookup for Uncommon TLD Domain Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following: Clear Log Activities
Non sudo setuid
Create Privileged Pod
Modify ld.so.preload
DNS Lookup for Uncommon TLD Domain Detected
Suspicious RC Script Modification
eBPF Program Loaded into Kernel
Default Policy Changes | 0.180.0 |
November 19, 2024 | Rule Changes | 0.179.3 |
November 15, 2024 | Default Policy Changes | 0.179.2 |
November 14, 2024 | Default Policy Changes | 0.179.1 |
November 12, 2024 | Rule Changes Reduced false positives for the following: Updated Indicators of Compromise (IoCs) rulesets with new findings. 0.179 Cloud Rules. Improved condition for Backdoored library loaded into SSHD (CVE-2024-3094) rule. Added the following rules: DNS Lookup for Tunneling Service Domain Detected
Run PowerShell Script in a VM via Desired State Configuration Extension
Run PowerShell Script in a VM via Custom Script Extension
Azure Delete Diagnostic Settings for Subscription
Entra Add External User as Member
Entra Add External User
Entra Remove Service Principal
DNS Lookup for Offensive Security Tool Domain Detected
Updated Indicators of Compromise (IoCs) rulesets with new findings.
Default Policy Changes 0.179 Cloud Rules. Added rule DNS Lookup for Tunneling Service Domain Detected. Updated policy for Azure rules. Added the following rules: Run PowerShell Script in a VM via Desired State Configuration Extension
Run PowerShell Script in a VM via Custom Script Extension
Azure Delete Diagnostic Settings for Subscription
Entra Add External User as Member
Entra Add External User
Entra Remove Service Principal
DNS Lookup for Offensive Security Tool Domain Detected
| 0.179.0 |
November 11, 2024 | Rule Changes | 0.178.5 |
November 08, 2024 | Rule Changes | 0.178.4 |
November 07, 2024 | Rule Changes | 0.178.3 |
November 06, 2024 | Rule Changes | 0.178.2 |
November 05, 2024 | Rule Changes | 0.178.1 |
November 05, 2024 | Rule Changes Added the following rules: Run Several XLarge EC2 Instances
Set 1-day Retention Policy on Bucket
Update Lambda Function Layers
Azure VM Reset Local Administrator Password
DNS Lookup for Remote Access Domain Detected
Improved conditions for the following rules: Program run with disallowed http proxy env
Delete or rename shell history
LD_PRELOAD Library Injection
Improved the following lists: sensitive_file_names
code_compilers
Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following:
Default Policy Changes Added the following rules: DNS Lookup for Remote Access Domain Detected
Run Several XLarge EC2 Instances
Set 1-day Retention Policy on Bucket
Update Lambda Function Layers
Azure VM Reset Local Administrator Password
Improved condition for Program run with disallowed http proxy env rule. Updated policy for Update Lambda Function Code rule.
| 0.178.0 |
November 04, 2024 | Rule Changes | 0.177.3 |
October 31, 2024 | Rule Changes | 0.177.2 |
October 29, 2024 | Rule Changes | 0.177.1 |
October 29, 2024 | Rule Changes Improved condition for DNS Lookup for Uncommon TLD Domain Detected rule. Improved the suspicious_domains_contains macro. Added the following rules: LD_PRELOAD Library Injection
EKS Pod Attach Policy to User
EKS Pod Create Access Key for User
EKS Pod Create User
EKS Pod Attach Policy to User
EKS Pod Create Access Key for User
EKS Pod Create User
Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following: Download and launch remote file copy tools in container
eBPF Program Loaded into Kernel
proc_exepath_exists macro
Default Policy Changes | 0.177.0 |
October 28, 2024 | Rule Changes | 0.176.3 |
October 25, 2024 | Rule Changes | 0.176.2 |
October 24, 2024 | Rule Changes | 0.176.1 |
October 22, 2024 | Rule Changes Improved condition for Hexadecimal string detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Clear Windows Event Log
eBPF Program Loaded into Kernel
DNS Lookup for Uncommon TLD Domain Detected
Change memory swap options
Find GCP Credentials
Updated policy for the DNS Rogue Server Detected rule. Improved condition for the DNS Lookup for Suspicious Domain Detected rule.
Default Policy Changes | 0.176.0 |
October 21, 2024 | Rule Changes Reduced false positives for the following rules: Clear Log Activities
PTRACE attached to process
Contact Azure Instance Metadata Service from Host
Modification of pam.d detected
Find GCP Credentials
Improved output for Change memory swap options rule. Improved tags for Kill known malicious process rule. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.175.4 |
October 18, 2024 | Rule Changes | 0.175.3 |
October 17, 2024 | Rule Changes | 0.175.2 |
October 16, 2024 | Rule Changes Reduced false positives for the eBPF Program Loaded into Kernel rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Attach Full Access or Administrative Policy.
| 0.175.1 |
October 15, 2024 | Rule Changes Improved condition for Clear Windows Event Log rule. Improved the output for Create IAM Policy that Allows All. Added the Attach Full Access or Administrative Policy rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Write below etc
Ransomware Filenames Detected
Execution from /tmp
PTRACE anti-debug attempt
Modification of pam.d detected
Dump memory for credentials
Find GCP Credentials
Suspicious RC Script Modification
Modify ld.so.preload
Find AWS Credentials
Default Policy Changes | 0.175.0 |
October 10, 2024 | Rule Changes Reduced false positives for the following rules: DNS Lookup for Reconnaissance Service Detected
eBPF Program Loaded into Kernel
Potential IRC connection detected
PTRACE attached to process
DNS Fast Flux Activity Detected
Interactive Reconnaissance Activity Detected
Reverse Shell Detected
DNS Lookup for C2 Domain Detected
Improved output for Workload rules. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.174.2 |
October 09, 2024 | Rule Changes Improved output for GCP Create Route rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for OpenShift - Workload.
| 0.174.1 |
October 08, 2024 | Rule Changes Added the following rules: Updated policy for Interactive Reconnaissance Activity Detected rule Improved condition for the following rules: Delete or rename shell history
Junk Data Padding Detected
Escape to host via command injection in process
Improved output for Outbound Connection to C2 Servers rule Reduced false positives for the following rules: Modification of pam.d detected
Kernel startup modules changed
Suspicious RC Script Modification
Find GCP Credentials
Change thread namespace
Dump memory for credentials
Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.174.0 |
October 04, 2024 | Rule Changes | 0.173.1 |
October 03, 2024 | Rule Changes Added the following rules Reduced false positives for Modify ld.so.preload rule Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes Added the following rules | 0.173.0 |
October 02, 2024 | Rule Changes Reduced false positives for the following rules: Dump memory for credentials
Create Symlink Over Sensitive Files
Suspicious RC Script Modification
Interactive Reconnaissance Activity Detected
Clear Log Activities
Kernel Module Loaded by Unexpected Program
PTRACE anti-debug attempt
Suspicious Access To Kerberos Secrets
Standardise all AWS rules output Updated Indicators of Compromise (IoC) rulesets with new findings.
| 0.172.1 |
October 01, 2024 | Rule Changes Added the following rules DNS Fast Flux Activity Detected
AWS SSM Agent Activity using StartSession
AWS SSM Agent Activity Using SendCommand RunShellScript or RunPowerShellScript
DNS Rogue Server Detected
Improved condition for the following rules: Possible SSH Hijacking Attempt Detected
Active Directory Connection Detected
Shared Libraries Reconnaissance Activity Detected
Reduced false positives for the following rules: Escape to host via command injection in process
Modification of pam.d detected
Possible Backdoor using BPF
Suspicious RC Script Modification
Updated policy for Possible Backdoor using BPF and Shell Spawned with Inline Python Command rules Improved output for GCP Sensitive Role Added to User rule Updated Indicators of Compromise rulesets with new findings
Default Policy Changes | 0.172.0 |
September 30, 2024 | Rule Changes Reduced false positives for the following rules: Malicious filenames written rule
Possible Backdoor using BPF rule
Find GCP Credentials rule
eBPF Program Loaded into Kernel rule
Reverse Shell Detected rule
Reduced false positives for OpenShift Workload. Improved tags for the following rules: Improved tags for Workload rules. Updated Indicators of Compromise (IoC) rulesets with new findings. Improved output for Suspicious RC Script Modification rule.
Default Policy Changes | 0.171.1 |
September 29, 2024 | Rule Changes Default Policy Changes | 0.171.0 |
September 26, 2024 | Rule Changes | 0.170.3 |
September 25, 2024 | Rule Changes Default Policy Changes | 0.170.1 |
September 24, 2024 | What's Changed Rule Changes Added the following rules: Shell Spawned with Inline Python Command
System Capabilities Configuration Updated
EC2 Instance Attach Policy to User
EC2 Instance Create Access Key for User
Attach Administrator Policy to Role
Attach Administrator Policy to Group
Get Account Authorization Details
Improved conditions for the following rules: Suspicious Kernel Parameter Modification
Modify Timestamp attribute in File
Modification of pam.d detected
Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: Create Hardlink Over Sensitive Files
Suspicious Process Loading Vault DLL
Mount Launched in Privileged Container
eBPF Program Loaded into Kernel
Junk Data Padding Detected
Read sensitive file untrusted
Added exceptions to GCP rules.
Default Policy Changes Added the following rules: Shell Spawned with Inline Python Command
System Capabilities Configuration Updated
EC2 Instance Attach Policy to User
EC2 Instance Create Access Key for User
Attach Administrator Policy to Role
Attach Administrator Policy to Group
Get Account Authorization Details
Updated policy for DNS Lookup for Reconnaissance Service Detected rule. Updated policy for Junk Data Padding Detected rule.
| 0.170.0 |
September 20, 2024 | Rule Changes | 0.169.5 |
September 19, 2024 | Rule Changes Updated Indicators of Compromise rulesets with new findings Reduced false positives for the following rules: Suspicious RC Script Modification
Junk Data Padding Detected
Possible Backdoor using BPF
DNS Lookup for Suspicious Domain Detected
Kernel startup modules changed
PTRACE anti-debug attempt
DNS Lookup for Dynamic DNS Domain Detected
Suspicious Domain Contacted
Improved output for Tampering with Security Software on Host rule Improved description for DNS Tunneling Activity Detected rule
Default Policy Changes Updated policy for the following rules: | 0.169.4 |
September 18, 2024 | Rule Changes Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: Kernel startup modules changed
Delete or rename shell history
Reverse Shell Detected
DNS Lookup for Dynamic DNS Domain Detected
Junk Data Padding Detected
Suspicious RC Script Modification
Launch Ingress Remote File Copy Tools in Container
Read ssh information
Improved tags for DNS Lookup for Suspicious Domain Detected rule.
| 0.169.2 |
September 18, 2024 | Rule Changes | 0.169.1 |
September 17, 2024 | Rule Changes Updated Indicators of Compromise (IoC) rulesets with new findings. Added the following rules: Reverse Shell Detected
DNS Lookup for Reconnaissance Service Detected
DNS Lookup for Dynamic DNS Domain Detected
DNS Tunneling Activity Detected
Junk Data Padding Detected
Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Write below root
Possible Backdoor using BPF
Kernel Module Loaded by Unexpected Program
Default Policy Changes | 0.169.0 |
September 16, 2024 | Rule Changes Updated Indicators of Compromise (IoC) rulesets with new findings. Improved tags for the Kubernetes rules Reduced false positives for the following rules: Write below root
Dump memory for credentials
DNS Lookup for Uncommon TLD Domain Detected
DNS Lookup for Suspicious Domain Detected
| 0.168.4 |
September 13, 2024 | Rule Changes | 0.168.3 |
September 12, 2024 | Rule Changes | 0.168.2 |
September 11, 2024 | Rule Changes | 0.168.1 |
September 10, 2024 | Rule Changes Added the Modification of Udev Rules Detected rule Improved conditions for the following rules: Added eventSource to AWS rules - part 3 Improved tags for GitHub rules Improved MITRE tags - subtechniques Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules: Fileless Malware Detected
DNS Lookup for Uncommon TLD Domain Detected
Modification of pam.d detected
Mount Launched in Privileged Container
Dump memory for credentials
eBPF Program Loaded into Kernel
Default Policy Changes | 0.168.0 |
September 09, 2024 | Rule Changes Updated Indicators of Compromise rulesets with new findings Reduced false positives for the following rules: eBPF Program Loaded into Kernel rule
DNS Lookup for Uncommon TLD Domain Detected rule
Kernel startup modules changed rule
Dump memory for credentials rule
Improved output for Outbound rules
| 0.167.4 |
September 06, 2024 | Rule Changes Default Policy Changes | 0.167.3 |
September 05, 2024 | Rule Changes | 0.167.2 |
September 03, 2024 | Rule Changes Added the following rules: Process memory injection via process_vm_writev
DNS Lookup for Uncommon TLD Domain Detected
Cgroup Filesystem Mounted in Container
Added eventSource to AWS rules Updated Indicators of Compromise rulesets with new findings Standardized output across Workload rules Reduced false positives for the following rules: Kernel startup modules changed
Modification of pam.d detected
Launch Ingress Remote File Copy Tools in Container
Suspicious Process Loading Vault DLL
Default Policy Changes | 0.167.0 |
August 30, 2024 | Rule Changes | 0.166.5 |
August 29, 2024 | Rule Changes | 0.166.4 |
August 29, 2024 | Rule Changes | 0.166.3 |
August 28, 2024 | Rule Changes | 0.166.2 |
August 28, 2024 | Rule Changes | 0.166.1 |
August 27, 2024 | Rule Changes Added the following rules: DNS Lookup for C2 Domain Detected
DNS Lookup for Miner Pool Domain Detected
Ingress NGINX Annotation Validation Potential Bypass
Reduced false positives for the following rules: ibm_trusted_images macro
Mount Launched in Privileged Container
Modification of pam.d detected
Dump memory for credentials
Modify ld.so.preload
DNS Lookup for IPFS Domain Detected
Launch Suspicious Network Tool in Container
Launch Ingress Remote File Copy Tools in Container
Create Symlink Over Sensitive Files
Improved condition for Data Split Activity Detected
Added eventSource to AWS rules Updated the tags for the following: Improved output for the following: Updated Indicators of Compromise rulesets with new findings
Default Policy Changes | 0.166.0 |
August 26, 2024 | Rule Changes | 0.165.1 |
August 20, 2024 | Rule Changes Added the following rules: DNS Lookup for Suspicious Domain Detected
DNS Lookup for IPFS Domain Detected
DNS Lookup for Proxy/VPN Domain Detected
Updated Indicators of Compromise rulesets with new findings Reduced false positives for the following rules: Encoded Powershell Execution
Clear Windows Event Log
Fileless Malware Detected
Reconnaissance attempt to find SUID binaries
Suspicious RC Script Modification
PTRACE anti-debug attempt
Policy Changes Added the following rules: DNS Lookup for Suspicious Domain Detected
DNS Lookup for IPFS Domain Detected
DNS Lookup for Proxy/VPN Domain Detected
| 0.165.0 |
August 13, 2024 | Rule Changes Reduced false positives for the following rules: Launch Sensitive Mount Container
Launch Package Management Process in Container
Create Symlink Over Sensitive Files
Launch Suspicious Network Tool in Container
Mount Launched in Privileged Container
Launch Root User Container
Updated Indicators of Compromise rulesets with new findings Improved condition for Dump memory for credentials rule Added the following rules: GuardDuty High Severity Finding on Container
GuardDuty High Severity Finding on EC2
GuardDuty High Severity Finding on ECS
GuardDuty High Severity Finding on EKS
GuardDuty High Severity Finding on IAM
GuardDuty High Severity Finding on Lambda
GuardDuty High Severity Finding on RDS
GuardDuty High Severity Finding on S3
GuardDuty Medium Severity Finding on Container
GuardDuty Medium Severity Finding on EC2
GuardDuty Medium Severity Finding on ECS
GuardDuty Medium Severity Finding on EKS
GuardDuty Medium Severity Finding on IAM
GuardDuty Medium Severity Finding on Lambda
GuardDuty Medium Severity Finding on RDS
GuardDuty Medium Severity Finding on S3
GuardDuty Low Severity Finding on Container
GuardDuty Low Severity Finding on EC2
GuardDuty Low Severity Finding on ECS
GuardDuty Low Severity Finding on EKS
GuardDuty Low Severity Finding on IAM
GuardDuty Low Severity Finding on Lambda
GuardDuty Low Severity Finding on RDS
GuardDuty Low Severity Finding on S3
Policy Changes | 0.164.0 |
August 06, 2024 | Rule Changes Updated Indicators of Compromise rulesets with new findings Reduced false positives for the following rules: Write below rpm database
Malicious IPs or domains detected on command line
Read sensitive file untrusted
Kernel startup modules changed
Added the following rules:
Default Policy Changes Added the following rules: | 0.163.0 |
August 05, 2024 | Rule Changes | 0.162.4 |
August 02, 2024 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Dump Cached Domain Credentials
Kernel Module Loaded by Unexpected Program
sysdig_commercial_images
Reduced false positives for sysdig_images_endswith macro. Updated Indicators of Compromise (IoC) rulesets with new findings.
| 0.162.3 |
August 01, 2024 | Rule Changes | 0.162.2 |
July 31, 2024 | Rule Changes | 0.162.1 |
July 30, 2024 | Rule Changes Added the following rules: Share EBS Snapshot With Foreign Account
Start EC2 Instances
EC2 Modify Instance Attribute
Share AMI With Foreign Account
Added macro busybox_network_tools. Improved condition for EC2 Add User Data rule. Improved priority tags - Sysdig Runtime Notable Events. Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.162.0 |
July 29, 2024 | Rule Changes | 0.161.5 |
July 26, 2024 | Rule Changes Reduced false positives for the following rules: Write below etc
eBPF Program Loaded into Kernel
Kernel Module Loaded by Unexpected Program
Contact GCP Instance Metadata Service from Host
azure_trusted_images_launch_root_list
Improved output for Create AWS user rule. Updated Indicators of Compromise (IoC) rulesets with new findings.
| 0.161.4 |
July 24, 2024 | Rule Changes | 0.161.2 |
July 23, 2024 | Rule Changes | 0.161.1 |
July 23, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
Modification of pam.d detected
Kernel startup modules changed
Potential Application Shimming
Added the IP Forward Configuration Modification rule. Improved macro network_tool_procs Improved conditions for the following rules: Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes Improved condition for PTRACE attached to process rule. Added the IP Forward Configuration Modification rule. Updated policies for the following rules: Contact EC2 Instance Metadata Service From Container
Contact GCP Instance Metadata Service from Host
Contact Task Metadata Endpoint
Contact Azure Instance Metadata Service from Host
| 0.161.0 |
July 17, 2024 | Rule Changes Reduced false positives for the following rules: Suspicious Access To Kerberos Secrets
Launch Suspicious Network Tool on Host
Non sudo setuid
Possible Backdoor using BPF
Improved tags for Dump memory for credentials rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Marked T1555.002 as not coverable - out of scope.
| 0.160.1 |
July 16, 2024 | Rule Changes Reduced false positives for the following rules: Launch Code Compiler Tool on Host
Create Symlink Over Sensitive Files
Non sudo setuid
Change thread namespace
Read ssh information
Kernel startup modules changed
Added the following rules: Improved condition for Delete or rename shell history rule Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.160.0 |
July 10, 2024 | Rule Changes Improved tags for Enable Windows Remote Management rule. Updated Indicators of Compromise (IoC) rulesets with new findings. Reduced false positives for the following rules:
| 0.159.1 |
July 09, 2024 | Rule Changes Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Container
eBPF Program Loaded into Kernel
PTRACE attached to process
Mount on Container Path Detected
Suspicious RC Script Modification
Create Hardlink Over Sensitive Files
Write below root
Possible Backdoor using BPF
Potential Application Shimming
Improved condition for Delete or rename shell history and nsenter Container Escape rules Improved list container_entrypoints Updated Indicators of Compromise rulesets with new findings
| 0.159.0 |
July 05, 2024 | Rule Changes | 0.158.1 |
July 02, 2024 | Rule Changes Reduced false positives for the following rules: Improved conditions for the following rules: Added the following rules: Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.158.0 |
June 26, 2024 | Rule Changes | 0.157.2 |
June 26, 2024 | Rule Changes Reduced false positives for the following rules: Malicious IPs or domains detected on command line
Suspicious RC Script Modification
eBPF Program Loaded into Kernel
Kernel startup modules changed
Run shell untrusted
System procs network activity
Write below monitored dir
Improved tags for Gsutil cp used to copy files from/to GCP buckets rule Updated Indicators of Compromise rulesets with new findings
| 0.157.1 |
June 25, 2024 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Connection to IPFS Network Detected
Kernel startup modules changed
System procs network activity
Contact Azure Instance Metadata Service from Host
Change thread namespace
Added the Mailbox Data Modification rule Improved condition for GCP Sensitive Role Added to User rule. Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.157.0 |
June 21, 2024 | Rule Changes | 0.156.2 |
June 20, 2024 | Rule Changes | 0.156.1 |
June 19, 2024 | Rule Changes Improved conditions for the following rules: Added the following rules: Fixed list rfc_1918_addresses Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.156.0 |
June 14, 2024 | Rule Changes Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Host
Set Setuid or Setgid bit
PTRACE anti-debug attempt
eBPF Program Loaded into Kernel
Improved output for Change thread namespace rule. Updated Indicators of Compromise (IoC) rulesets with new findings.
| 0.155.3 |
June 13, 2024 | Rule Changes | 0.155.2 |
June 12, 2024 | Rule Changes | 0.155.1 |
June 11, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
nsenter Container Escape
Kernel startup modules changed
Mount on Container Path Detected
Non sudo setuid
System procs network activity
Write below etc
Improved conditions for the following rules: Clear Log Activities
Archive or Compression Activity Detected
Dump memory for credentials
Delete or rename shell history
Suspicious RC Script Modification
Improved macro sensitive_vol_mount. Updated Indicators of Compromise (IoC) rulesets with new findings.
Default Policy Changes | 0.155.0 |
June 10, 2024 | Rule Changes | 0.154.4 |
June 07, 2024 | Rule Changes | 0.154.3 |
June 06, 2024 | Rule Changes Improved output for Connection to IPFS Network Detected rule Updated Indicators of Compromise (IoC) rulesets with new findings. | 0.154.2 |
June 05, 2024 | Rule Changes | 0.154.1 |
June 04, 2024 | Rule Changes | 0.154.0 |
June 03, 2024 | Rule Changes | 0.153.5 |
May 31, 2024 | Rule Changes | 0.153.4 |
May 30, 2024 | Rule Changes | 0.153.3 |
May 29, 2024 | Rule Changes | 0.153.2 |
May 28, 2024 | Rule Changes Reduced false positives for the Archive or Compression Activity Detected and Delete or rename shell history rules | 0.153.1 |
May 28, 2024 | Rule Changes Reduced false positives for the following rules: Updated Indicators of Compromise rulesets with new findings Added the following rules: Leading or Trailing Space Detected in Filename
Archive or Compression Activity Detected
Connection with Suspicious User Agent Detected
Improved condition for the following rules: Launch Suspicious Network Tool in Container
Suspicious network tool downloaded and launched in container
Delete or rename shell history
Disable or Modify Linux Audit System
PTRACE anti-debug attempt
Suspicious Docker Options
Launch Suspicious Network Tool on Host
Default Policy Changes | 0.153.0 |
May 27, 2024 | Rule Changes | 0.152.4 |
May 23, 2024 | Rule Changes Reduced false positives for the eBPF Program Loaded into Kernel rule | 0.152.3 |
May 23, 2024 | Rule Changes | 0.152.2 |
May 22, 2024 | Rule Changes Updated Indicators of Compromise (IoC) rulesets with new findings. Sysdig Falco Rules release announcement 0.152.0. Updated Sysdig Mitre Attack Mapper. | 0.152.1 |
May 21, 2024 | Rule Changes Reduced false positives for the following rules: Create files below dev
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Modify Grub Configuration Files
Non sudo setuid
Improved conditions for the following rules: Reconnaissance attempt to find SUID binaries
Reconnaissance attempt to find SETGID binaries
Launch Code Compiler Tool in Container
AWS Suspicious IP Inbound Request
Disable or Modify Linux Audit System
Modify Shell Configuration File
Added the Bedrock Create Provisioned Model Throughput rule. Updated Indicators of Compromise rulesets with new findings
Default Policy Changes | 0.152.0 |
May 20, 2024 | Rule Changes | 0.151.4 |
May 17, 2024 | Rule Changes | 0.151.3 |
May 16, 2024 | Rule Changes Improved exceptions for Detection bypass by symlinked files rule Reduced false positives for the following rules: Possible Backdoor using BPF
Non sudo setuid
eBPF Program Loaded into Kernel
Launch Code Compiler Tool on Host
Create Symlink Over Sensitive Files
Run shell untrusted
Updated Indicators of Compromise (IoC) rulesets with new findings.
| 0.151.2 |
May 15, 2024 | Rule Changes Reduced false positives for the following rules: Launch Code Compiler Tool on Host
Hide Process with Mount
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Mount Launched in Privileged Container
Kernel Module Loaded by Unexpected Program
System procs network activity
Disable or Modify Linux Audit System
Dump memory for credentials
Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated Sysdig Mitre Attack Mapper.
| 0.151.1 |
May 14, 2024 | Rule Changes Reduced false positives for the following rules: Fileless Malware Detected
Launch Code Compiler Tool on Host
Escape to host via command injection in process
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Modify Grub Configuration Files
Updated Indicators of Compromise rulesets with new findings. Improved tags for the following rules: Added the following rules: Disable or Modify Linux Audit System
Reconnaissance attempt to find SETGID binaries
Launch Code Compiler Tool on Host
Entra Add Guest Member to Administrative Role
Entra Invite External User
Improved conditions for the following rules: Delete or rename shell history
Suspicious Cron Modification
Fileless Malware Detected
Default Policy Changes | 0.151.0 |
May 13, 2024 | Rule Changes | 0.150.4 |
May 10, 2024 | Rule Changes | 0.150.3 |
May 09, 2024 | Rule Changes | 0.150.2 |
May 08, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Non sudo setuid
System procs network activity
Updated Indicators of Compromise rulesets with new findings Sysdig Mitre Attack Mapper update
| 0.150.1 |
May 07, 2024 | Rule Changes Default Policy Changes | 0.150.0 |
May 06, 2024 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Suspicious Device Created in Container
Linux Kernel Module Injection Detected
Possible Backdoor using BPF
Modification of pam.d detected
Suspicious System Service Modification
Updated Indicators of Compromise rulesets with new findings Improved tags for Read sensitive file untrusted rule
| 0.149.3 |
May 03, 2024 | Rule Changes Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Container
eBPF Program Loaded into Kernel
Mount Launched in Privileged Container
Improved tags for System Geolocation Discovery rule Improved coverage for T1665 Updated Indicators of Compromise rulesets with new findings Sysdig Mitre Attack Mapper update
| 0.149.2 |
May 02, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
Write below etc
eBPF Program Loaded into Kernel
Hardware Added to the System
Modification of pam.d detected
Set Setuid or Setgid bit
Launch Remote File Copy Tools in Container
Updated Indicators of Compromise rulesets with new findings Improved output for the following rules: Improved tags for Malicious filenames written rule
| 0.149.1 |
April 30, 2024 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Kernel Module Loaded by Unexpected Program
Mount Launched in Privileged Container
Read sensitive file untrusted
Improved condition for the following rules: Service Discovery Activity Detected
Password Policy Discovery Activity Detected
Modify Timestamp attribute in File
Active Directory Connection Detected
Updated Indicators of Compromise rulesets with new findings
| 0.149.0 |
April 29, 2024 | Rule Changes | 0.148.3 |
April 26, 2024 | Rule Changes | 0.148.2 |
April 24, 2024 | Rule Changes Reduced false positives for the following rules: Linux Kernel Module Injection Detected
Kernel Module Loaded by Unexpected Program
System procs network activity
Change memory swap options
Mount on Container Path Detected
Possible Backdoor using BPF
Modification of pam.d detected
Escape to host via command injection in process
Launch Suspicious Network Tool in Container
Associate Elastic IP Address to AWS Network Interface
Updated Indicators of Compromise rulesets with new findings Improved coverage for T1562.010 Improved coverage for T1552.003 Improved tags for the following rules: Sysdig Mitre Attack Mapper update
| 0.148.1 |
April 23, 2024 | Rule Changes Reduced false positives for the following rules: Write below root
eBPF Program Loaded into Kernel
Execution from /tmp
Launch Sensitive Mount Container
Launch Ingress Remote File Copy Tools in Container
Modification of pam.d detected
Improved conditions for the following rules: Improved tags for the following rules: Added rule Update Paging Cache Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated Sysdig Mitre Attack Mapper.
Default Policy Changes | 0.148.0 |
April 22, 2024 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
System procs network activity
Launch Root User Container
Possible backdoor using BPF
Improved output for the following rules: Improved tags for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.147.4 |
April 19, 2024 | Rule Changes | 0.147.3 |
April 18, 2024 | Rule Changes Reduced false positives for the following rules: System Geolocation Discovery
Service Discovery Activity Detected
Read sensitive file untrusted
Non sudo setuid
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved TA0004 and TA0003 MITRE tags
| 0.147.2 |
April 17, 2024 | Rule Changes Reduced false positives for the following rules: Packet Socket Created on Host
Possible Backdoor using BPF
Create Symlink Over Sensitive Files
Modify binary dirs
Run shell untrusted
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for GitHub rules.
| 0.147.1 |
April 16, 2024 | Rule Changes Reduced false positives for the following rules: Find GCP Credentials
Suspicious device created in container
Reconnaissance attempt to find SUID binaries
Escape to host via command injection in process
Mount Launched in Privileged Container
Modify binary dirs
Improved tags for Azure Access Level for Blob Container Set to Public rule New Falco Cloud Microsoft Entra plugin support Updated Indicators of Compromise (IoCs) rulesets with new findings. Added the following rules: Bedrock Model Recon Activity
Bedrock Invoke Agent
Bedrock Delete Knowledge Base
Bedrock Delete Data Source
Bedrock Delete Agent
Bedrock Delete Provisioned Model Throughput
Bedrock Delete Custom Model
Bedrock Disable Model Invocation Logging
Bedrock Invoke Model
Entra Add Member to Administrative Role
Entra Delete Application
Entra Add Administrative Unit
Entra Add Application
Entra Add Group
Entra Add Member to Group
Entra Add Member to Administrative Unit
Entra Add Owner To Application
Entra Add Owner to Service Principal
Entra Assign User to Application
Entra Change User Password
Entra Create Directory
Entra Delete Administrative Unit
Entra Delete Application Password for User
Entra Delete Group
Entra Disable Access to Application
Entra Hard Delete Application
Entra Remove App Role Assignment from User
Entra Remove Member from Administrative Unit
Entra Remove Member from Role
Entra Remove Verified Domain
Entra Update Application Certificates And Secrets Management
Entra Verify Domain
Entra Suspicious IP Inbound Request
Netcat Remote Code Execution on Host
Packet Socket Created on Host
Default Policy Changes | 0.147.0 |
April 15, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
eBPF Program Loaded into Kernel
DB program spawned process
Create Hidden Files or Directories
Connection to SMB Server detected
Read sensitive file untrusted
Write below root
Redirect STDOUT/STDIN to Network Connection in Container
Dump memory for credentials
Modification of pam.d detected
Directory traversal monitored file read
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for GitHub rules
| 0.146.4 |
April 12, 2024 | Rule Changes | 0.146.3 |
April 11, 2024 | Rule Changes Improved output for the Modification of pam.d detected rule. Reduced false positives for the following rules: Write below root
Launch Privileged Container
Read sensitive file untrusted
Launch Sensitive Mount Container
Launch Ingress Remote File Copy Tools in Container
Kernel startup modules changed
Improved tags for the QEMU Activity Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.146.2 |
April 10, 2024 | Rule Changes | 0.146.1 |
April 09, 2024 | Rule Changes Added the following rules: Improved description for workload rules Reduced false positives for the following rules: Possible Backdoor using BPF
Write below root
Suspicious Access To Kerberos Secrets
Root Certificate Installed
Suspicious Kernel Parameter Modification
Launch Root User Container
Non sudo setuid
Improved condition for the following: Updated Indicators of Compromise (IoCs) rulesets with new findings.
Default Policy Changes | 0.146.0 |
April 08, 2024 | Rule Changes | 0.145.4 |
April 05, 2024 | Rule Changes | 0.145.3 |
April 04, 2024 | Rule Changes Updated Indicators of Compromise rulesets with new findings Improved coverage for T1136.001 Improved tags for Workload rules - T1036.003 Reduced false positives for the following rules: Kernel Module Loaded by Unexpected Program
Dump memory for credentials
Possible Backdoor using BPF
| 0.145.2 |
April 03, 2024 | Rule Changes Reduced false positives for the following rules: System procs network activity
eBPF Program Loaded into Kernel
Linux Kernel Module Injection
Possible Backdoor using BPF
Find GCP Credentials
Root Certificate Installed
Improved tags for Launch Ingress Remote File Copy Tools in Container rule. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.145.1 |
April 02, 2024 | Rule Changes Reduced false positives for the following rules: Suspicious Operations with Firewalls
Non sudo setuid
Set Setuid or Setgid bit
System procs network activity
Launch Excessively Capable Container
Possible Backdoor using BPF
Modification of pam.d detected
Added the Root Certificate Installed rule Improved tags for Delete or rename shell history rule Improved output for Outbound Connection to C2 Servers rule
Default Policy Changes | 0.145.0 |
March 29, 2024 | Rule Changes Default Policy Changes | 0.144.3 |
March 28, 2024 | Rule Changes Reduced false positives for the following rules: DB program spawned process
Launch Ingress Remote File Copy Tools in Container
eBPF Program Loaded into Kernel
Modification of pam.d detected
Mount Launched in Privileged Container
Malicious IPs or domains detected on command line
Change thread namespace
Linux Kernel Module Injection Detected
Set Setuid or Setgid bit
Updated Indicators of Compromise rulesets with new findings Improved output for Modification of pam.d detected rule Improved tags for the following rules: Steganography Tool Detected
Discovery Security Service Activity Detected
Remove Bulk Data from Disk
| 0.144.2 |
March 27, 2024 | Rule Changes Reduced false positives for the following rules: Contact EC2 Instance Metadata Service From Container
Set Setuid or Setgid bit
Suspicious Home Directory Creation
Possible Backdoor using BPF
Launch Remote File Copy Tools on Host
Malicious IPs or domains detected on command line
Write below etc
Kernel startup modules changed
Modification of pam.d detected
Improved tags for the following rules: Connection to SMB Server detected
Java Process File Class Download
Possible SSH Hijacking Attempt Detected
Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.144.1 |
March 26, 2024 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Set Setuid or Setgid bit
Malicious IPs or domains detected on command line
Interactive Reconnaissance Activity Detected
Dump memory for credentials
Write below root
Change thread namespace
DB program spawned process
Possible Backdoor using BPF
Added the following rules: Tampering with Security Software on Host and Launch Remote File Copy Tools on Host. Updated Indicators of Compromise rulesets with new findings. Improved condition for System Geolocation Discovery rule.
Default Policy Changes Added the following rules: Tampering with Security Software on Host and Launch Remote File Copy Tools on Host | 0.144.0 |
March 25, 2024 | Rule Changes | 0.143.4 |
March 22, 2024 | Rule Changes | 0.143.3 |
March 21, 2024 | Rule Changes Reduced false positives for the following rules: Container escape via discretionary access control
Non sudo setuid
Kernel Module Loaded by Unexpected Program
Dump memory for credentials
Launch Remote File Copy Tools in Container
Packet socket created in container
Create Hardlink Over Sensitive Files
Change memory swap options
eBPF Program Loaded into Kernel
Improved output for EC2 Instance Connect/SSH Public Key Uploaded Updated Indicators of Compromise rulesets with new findings
| 0.143.2 |
March 20, 2024 | Rule Changes Improved output for the Dump memory for credentials and Possible Backdoor using BPF rules. Updated Indicators of Compromise (IoCs) rulesets with new findings. Reduced false positives for the following rules: Modify ld.so.preload
eBPF Program Loaded into Kernel
Modification of pam.d detected
Packet socket created in container
Mount on Container Path Detected
Change thread namespace
| 0.143.1 |
March 19, 2024 | Rule Changes Reduced false positives for the following rules: Dump memory for credentials
Mount on Container Path Detected
Create Symlink Over Sensitive Files
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Added the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings
Default Policy Changes | 0.143.0 |
March 19, 2024 | Rule Changes | 0.142.8 |
March 15, 2024 | Rule Changes Reduced false positives for the following rules: Write below etc
Connection to IPFS Network Detected
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
Linux Kernel Module Injection Detected
nsenter Container Escape
Execution from Temporary Filesystem
Launch Root User Container
Updated Indicators of Compromise rulesets with new findings Improved output for Discovery Security Service Activity Detected rule
| 0.142.7 |
March 14, 2024 | Rule Changes Reduced false positives for the following rules: Linux Kernel Module Injection Detected
Packet socket created in container
Container escape via discretionary access control
Possible Backdoor using BPF
Suspicious Cron Modification
Suspicious Access To Kerberos Secrets
Redirect STDOUT/STDIN to Network Connection in Host
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Reconnaissance attempt to find SUID binaries and Dump memory for credentials rules
| 0.142.6 |
March 13, 2024 | Rule Changes | 0.142.5 |
March 13, 2024 | Rule Changes | 0.142.4 |
March 13, 2024 | Rule Changes Reduced false positives for the following rules: Possible Backdoor using BPF
Suspicious Access To Kerberos Secrets
Redirect STDOUT/STDIN to Network Connection in Host
Improved conditions for the following rules: Improved output for AWS rules - Event Summary Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.142.3 |
March 12, 2024 | Rule Changes Added Execute Process from Masqueraded Directory to managed policies. Improved output for Kernel startup modules changed rule. Reduced false positives for the following rules: Redirect STDOUT/STDIN to Network Connection in Host
Linux Kernel Module Injection Detected
Suspicious Cron Modification
Suspicious Access To Kerberos Secrets
Default Policy Changes | 0.142.2 |
March 12, 2024 | Rule Changes Default Policy Changes | 0.142.1 |
March 12, 2024 | Rule Changes Reduced false positives for the following rules: Non sudo setuid
Suspicious Operations with Firewalls
Possible Backdoor using BPF
Packet socket created in container
Mount on Container Path Detected
Improved condition for the following rules: Dump memory for credentials
Suspicious Access To Kerberos Secrets
Linux Kernel Module Injection Detected
Redirect STDOUT/STDIN to Network Connection in Host
Suspicious Cron Modification
Clear Log Activities
Modification of pam.d detected
Added the following rules: Python HTTP Server Started
Execute Process from Masqueraded Directory
Shared Libraries Reconnaissance Activity Detected
EC2 Instance Create User
Terminate EC2 Instances
Improved description and tags for Change memory swap options rule. Improved tags for AWS EC2 ruleset. Updated Indicators of Compromise (IoCs) rulesets with new findings.
Default Policy Changes Added the following rules: Python HTTP Server Started
Execute Process from Masqueraded Directory
Shared Libraries Reconnaissance Activity Detected
EC2 Instance Create User
Terminate EC2 Instances
| 0.142.0 |
March 11, 2024 | Rule Changes Reduced false positives for the following rules: Mount on Container Path Detected
Mount Launched in Privileged Container
Possible Backdoor using BPF
Packet socket created in container
eBPF Program Loaded into Kernel
System procs network activity
Improved condition for Suspicious Cron Modification rule. Improved output for AWS rules - Event Summary Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.141.4 |
March 08, 2024 | Rule Changes Default Policy Changes | 0.141.3 |
March 07, 2024 | Rule Changes Improved tags for Suspicious Domain Contacted rule Improved condition for macro network_tool_procs Updated Indicators of Compromise rulesets with new findings Reduced false positives for the following rules: Launch Suspicious Network Tool in Container
Suspicious Cron Modification
Execution from /tmp
Launch Sensitive Mount Container
Non sudo setuid
| 0.141.2 |
March 06, 2024 | Rule Changes Updated Indicators of Compromise (IoCs) rulesets with new findings Improved condition for Kernel Module Loaded by Unexpected Program rule Reduced false positives for the following rules: Suspicious Cron Modification
Possible Backdoor using BPF
Escape to host via command injection in process
Mount on Container Path Detected
Launch Privileged Container
Container escape via discretionary access control
Set Setuid or Setgid bit
Execution from /tmp
Suspicious Domain Contacted
| 0.141.1 |
March 05, 2024 | Rule Changes Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Suspicious Domain Contacted
Launch Suspicious Network Tool in Container
Modify Grub Configuration Files
Launch Root User Container
Fileless Malware Detected
Container escape via discretionary access control
Mount on Container Path Detected
Find GCP credentials
Suspicious Cron Modification
Updated Indicators of Compromise rulesets with new findings Improved tags for Suspicious Domain Contacted rule Improved output for AWS rules - Event Summary Added the Data Split Activity Detected and Contact EC2 Instance Metadata Service From Host rules
Default Policy Changes Added the following rules: | 0.141.0 |
March 01, 2024 | Rule Changes Reduced false positives for the following rules: Execution from /tmp
Mount on Container Path Detected
Possible Backdoor using BPF
Kernel Module Loaded by Unexpected Program
Packet socket created in container
Suspicious Cron Modification
Updated Indicators of Compromise rulesets with new findings Improved condition for the Describe Instances rule Improved tags for the GCP Create Cloud Function rule
| 0.140.3 |
February 29, 2024 | Rule Changes | 0.140.2 |
February 28, 2024 | Rule Changes Improved condition for Kernel Module Loaded by Unexpected Program rule Reduced false positives for the following rules: Suspicious Cron Modification
Possible Backdoor using BPF
Suspicious RC Script Modification
Launch Root User Container
Find Authentication Certificates
Updated Indicators of Compromise rulesets with new findings
| 0.140.1 |
February 27, 2024 | Rule Changes Reduced false positives for the following rules: Ransomware Filenames Detected
Suspicious Cron Modification
Mount Launched in Privileged Container
Modification of pam.d detected
eBPF Program Loaded into Kernel
Kernel startup modules changed
Suspicious RC Script Modification
Possible Backdoor using BPF
Improved conditions for the following rules: Suspicious network tool downloaded and launched in container
Launch Suspicious Network Tool on Host
Find GCP Credentials
Launch Suspicious Network Tool in Container
Updated Indicators of Compromise (IoCs) rulesets with new findings. Improved output for Kernel Module Loaded by Unexpected Program rule. Improved output for AWS rules - Event Summary. Added the following rules: Find Authentication Certificates
Contact GCP Instance Metadata Service from Host
Contact Azure Instance Metadata Service from Host
Execution from Temporary Filesystem
Improved MITRE tags for AWS S3 ruleset
Default Policy Changes | 0.140.0 |
February 26, 2024 | Rule Changes Reduced false positives for the Possible Backdoor using BPF and Change thread namespace rules. Improved condition for the Update Package Repository rule. Updated Indicators of Compromise rulesets with new findings.
| 0.139.5 |
February 23, 2024 | Rule Changes Reduced false positives for the following rules: Write below root
Malicious binary detected
Launch Suspicious Network Tool in Container
Escape to host via command injection in process
Kernel Module Loaded by Unexpected Program
Possible Backdoor using BPF
Suspicious RC Script Modification
Improved output for the following rules: Improved condition for Non sudo setuid rule Updated Indicators of Compromise (IoCs) rulesets with new findings
| 0.139.4 |
February 22, 2024 | Rule Changes | 0.139.3 |
February 21, 2024 | Rule Changes Reduced false positives for the following rules: Launch Sensitive Mount Container
Create Symlink Over Sensitive Files
Reconnaissance attempt to find SUID binaries
Suspicious Cron Modification
Privileged Shell Spawned Inside Container
Set Setuid or Setgid bit
Suspicious RC Script Modification
Updated Indicators of Compromise rulesets with new findings Improved output for the Suspicious Docker Options rule Improved output for AWS rules - Event Summary Improved tags for the Suspicious Docker Options rule
| 0.139.2 |
February 21, 2024 | Rule Changes | 0.139.1 |
February 20, 2024 | Rule Changes Reduced false positives for the following rules: Kernel startup modules changed
Suspicious Cron Modification
eBPF Program Loaded into Kernel
Mount Launched in Privileged Container
Find AWS Credentials
Launch Root User Container
Change thread namespace
Non sudo setuid
Updated Indicators of Compromise rulesets with new findings. Improved output for AWS rules - Event Summary. Improved condition for the following rules: Suspicious System Service Modification
Discovery Security Service Activity Detected
Mount Launched in Privileged Container
Update Package Repository
Added the following rules: RDS Delete DB Instance
RDS Create DB Instance
Peripheral Device Discovery Activity Detected
Interactive Reconnaissance Activity Detected
Suspicious Docker Options
Possible SSH Hijacking Attempt Detected
Default Policy Changes | 0.139.0 |
February 19, 2024 | Rule Changes Improved output for the Attach to cluster-admin Role rule Reduced false positives for the following rules: Set Setuid or Setgid bit
System procs network activity
Container escape via discretionary access control
Possible Backdoor using BPF
Create Symlink Over Sensitive Files
eBPF Program Loaded into Kernel
Updated Indicators of Compromise (IoCs) rulesets with new findings
| 0.138.3 |
February 15, 2024 | Rule Changes | 0.138.2 |
February 14, 2024 | Rule Changes Reduced false positives for the following rules: Find AWS Credentials
System procs network activity
Launch Root User Container
Suspicious Cron Modification
System Geolocation Discovery
Launch Ingress Remote File Copy Tools in Container
Fixed tags for the ld.so.preload rule. Improved performance of the Modify binary dirs rule. Fixed description for the Discovery Security Service Activity Detected rule. Updated Indicators of Compromise (IoCs) rulesets with new findings. Updated Sysdig Mitre Attack Mapper.
Default Policy Changes | 0.138.1 |
February 13, 2024 | Rule Changes Reduced false positives for the following rules: Suspicious Cron Modification
Search Private Keys or Passwords
Kernel startup modules changed
Kernel Module Loaded by Unexpected Program
Added the following rules: Exfiltrating Artifacts via Kubernetes Control Plane
Discovery Security Service Activity Detected
Suspicious RC Script Modification
Azure Read Service SAS Token for a Storage Account
CloudShell Download File
Create Support Case
Improved condition for the following: Improved coverage for T1025, T1092 and T1129. Updated IoCs.
Default Policy Changes Added the following rules: Exfiltrating Artifacts via Kubernetes Control Plane
Discovery Security Service Activity Detected
Suspicious RC Script Modification
Azure Read Service SAS Token for a Storage Account
CloudShell Download File
Create Support Case
| 0.138.0 |
February 12, 2024 | Rule Changes Reduced false positives for the following rules: Launch Root User Container
Find AWS Credentials
Suspicious Cron Modification
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Improved condition for Hide Process with Mount rule Improved coverage for T1554 Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.137.4 |
February 09, 2024 | Rule Changes Improved tag T113 for the Workload rules. Reduced false positives for the following rules: Fixed condition for the Possible Backdoor using BPF rule. Updated IoCs.
| 0.137.3 |
February 08, 2024 | Rule Changes Improved condition for the following macros: inbound_outbound
inbound
device_mounted_exists
Improved the Hide Process with Mount rule. Improved output for Kernel Module Loaded by Unexpected Program rule. Reduced false positives for the following rules: eBPF Program Loaded into Kernel
Suspicious device created in container
Suspicious Cron Modification
Mount Launched in Privileged Container
Modify ld.so.preload
Kernel Module Loaded by Unexpected Program
Improved the rfc_1918_addresses list. Updated IoCs.
| 0.137.2 |
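Most entries on this page record one of three kinds of tuning: a list was extended, a macro's condition was tightened, or a rule's exceptions were widened to cut false positives. The following is an added illustration, not a rule taken from the Sysdig or upstream Falco rulesets, of how those constructs fit together in Falco rule syntax: an `rfc_1918_addresses` list, an outbound macro that consumes it, and a rule that suppresses a known-good process through an `exceptions` block instead of loosening the condition. The rule name, the `hypothetical_known_updaters` list, the mirror address and the registry prefix are invented for the example; the field names (`fd.snet`, `fd.sip`, `container.image.repository`, and so on) are standard Falco fields.

```yaml
# Added example (not part of the Sysdig ruleset): list -> macro -> rule -> exceptions.
# Editing any one of these layers is what "improved list/macro/condition" or
# "reduced false positives" in the changelog entries above typically means.

# A list is substituted textually wherever its name appears inside parentheses.
- list: rfc_1918_addresses
  items: ['"10.0.0.0/8"', '"172.16.0.0/12"', '"192.168.0.0/16"']

# A macro is a named condition fragment. Narrowing it narrows every rule that uses it,
# so a single macro fix can reduce false positives across many rules at once.
- macro: container
  condition: (container.id != host)

- macro: outbound_to_public_ip
  condition: >
    (evt.type = connect and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6)
     and fd.ip != "0.0.0.0"
     and fd.net != "127.0.0.0/8"
     and not fd.snet in (rfc_1918_addresses))

# Hypothetical allow-list; in a real ruleset this would be curated per environment.
- list: hypothetical_known_updaters
  items: [apt-get, dnf, yum]

- rule: Hypothetical Outbound Connection From Container Process
  desc: >
    A process inside a container opened a connection to a public address.
    Tune through the exceptions block rather than by loosening the condition.
  condition: >
    outbound_to_public_ip and container
    and not proc.name in (hypothetical_known_updaters)
  # Each exception entry is AND-NOT'ed onto the condition: if every field matches
  # the listed value using the listed comparison, the event is not reported.
  exceptions:
    - name: updater_to_mirror
      fields: [proc.name, fd.sip]
      comps: [=, =]
      values:
        - [apt-get, "203.0.113.10"]          # hypothetical package mirror address
    - name: trusted_image_repo
      fields: [container.image.repository]
      comps: [startswith]
      values:
        - [registry.example.internal/]       # hypothetical internal registry prefix
  output: >
    Outbound connection from container process
    (user=%user.name proc=%proc.cmdline dest=%fd.sip:%fd.sport
     container=%container.name image=%container.image.repository)
  priority: NOTICE
  tags: [network, container, mitre_command_and_control, T1071]
```

Keeping the allow-listing in `exceptions` rather than inside `condition` is what makes a rule's false-positive fixes reviewable: the condition states the behaviour being detected, and each exception names the one known-good combination it excuses.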
February 07, 2024 | Rule Changes | 0.137.1 |
February 06, 2024 | Rule Changes Updated IoCs. Reduced false positives for the following rules: Possible Backdoor using BPF
Suspicious Cron Modification
Kernel startup modules changed
eBPF Program Loaded into Kernel
Packet socket created in container
Terminal Shell in Container
Suspicious System Service Modification
Write below etc
Launch Root User Container
Suspicious Domain Contacted
Non sudo setuid
Malicious IPs or domains detected on command line
nsenter Container Escape
Improved condition for the following rules: Suspicious device created in container
Suspicious Java Child Processes
Run shell untrusted
Create Hidden Files or Directories
Improved output for Workload rules - Event Summary Improved tags for Workload rules - MITRE T1555 Added the following rules: Suspicious Chdir Event Detected
Kernel Module Loaded by Unexpected Program
System Geolocation Discovery
Miner Filename Pushed to Repository
Mount on Container Path Detected
Hardware Added to the System
Abuse Sudo for Privilege Escalation
Suspicious Connection to K8S API Server From Container
Default Policy Changes Added the following rules: Suspicious Chdir Event Detected
Kernel Module Loaded by Unexpected Program
System Geolocation Discovery
Miner Filename Pushed to Repository
Mount on Container Path Detected
Hardware Added to the System
Abuse Sudo for Privilege Escalation
Suspicious Connection to K8S API Server From Container
| 0.137.0 |
February 05, 2024 | Rule Changes Reduced false positives for the following rules: | 0.136.8 |
February 02, 2024 | Rule Changes Reduced false positives for the following: Suspicious Cron Modification
Packet socket created in container
Possible Backdoor using BPF
eBPF Program Loaded into Kernel
| 0.136.7 |
February 01, 2024 | Rule Changes Reduced false positives for the following: Suspicious System Service Modification
Suspicious Cron Modification
Kernel startup modules changed
Possible Backdoor using BPF
Terminal Shell in Container
| 0.136.6 |
January 31, 2024 | Rule Changes Reduced false positives for the following: | 0.136.5 |
January 29, 2024 | Rule Changes Added macro internal_domains_connection_data. Improved MITRE ATT&CK tags for T1016. Reduced false positives for the following rules: Write below etc
eBPF Program Loaded into Kernel
Possible Backdoor using BPF
Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.136.4 |
January 26, 2024 | Rule Changes | 0.136.3 |
January 25, 2024 | Rule Changes | 0.136.2 |
January 24, 2024 | Rule Changes | 0.136.1 |
January 23, 2024 | Rule Changes Reduced false positives for the following rules: Modify Shell Configuration File
Launch Ingress Remote File Copy Tools in Container
Possible Backdoor using BPF
Write below etc
Added the following rules: Query to Window Management System Detected
Access to Clipboard Data Detected
Service Discovery Activity Detected
Suspicious Access To Kerberos Secrets
SES Delete Identity Policy
SES Update Identity Policy
SES Attach Policy to Identity
Improved condition for the following rules: Updated Indicators of Compromise (IoCs) rulesets with new findings. Default Policy Changes Added the following rules: Query to Window Management System Detected
Access to Clipboard Data Detected
Service Discovery Activity Detected
Suspicious Access To Kerberos Secrets
SES Delete Identity Policy
SES Update Identity Policy
SES Attach Policy to Identity
| 0.136.0 |
January 22, 2024 | Rule Changes | 0.135.5 |
January 19, 2024 | Rule Changes | 0.135.4 |
January 18, 2024 | Rule Changes | 0.135.3 |
January 18, 2024 | Rule Changes Reduced false positives for the following rules: Improved descriptions for Hide Process with Mount rule. Improved output for Workload rules - Event Summary Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.135.2 |
January 17, 2024 | Rule Changes | 0.135.1 |
January 16, 2024 | Rule Changes Reduced false positives for the following rules: Mount Launched in Privileged Container
nsenter Container Escape
Possible Backdoor using BPF
Fileless Malware Detected (memfd)
Added the following rules: Updated IoCs. Updated tags for Contact K8S API Server From Container rule. Improved conditions for Contact K8S API Server From Container rule. Improved list package_mgmt_binaries and macro package_listing. Improved condition for Container image built on host rule. Improved tags for Workload rules - MITRE T1550 list. Improved iptables_similar list. Deprecated the following rules: Malicious process detected
Creation attempt Azure Secure Transfer Required Set to Disabled
Azure Access Level creation attempt for Blob Container Set to Public
Azure Blob Created
Azure Blob Deleted
Azure Create/Update a Storage Account
Azure Delete a Storage Account
Azure Delete Function Key
Default Policy Changes Added the following rules: Updated the policy for Ransomware Filenames Detected rule. Improved condition for Contact K8S API Server From Container rule.
| 0.135.0 |
January 15, 2024 | Rule Changes | 0.134.4 |
January 12, 2024 | Rule Changes Reduced false positives for the following rules: Improved tags for Workload Rules - Financial Theft. Improved output for Workload Rules - Event Summary - End of Enabled rules.
| 0.134.3 |
January 11, 2024 | Rule Changes Reduced false positives for the following rules: Kernel startup modules changed
Possible Backdoor using BPF
Suspicious Cron Modification
Fileless Malware Detected (memfd)
Improved tags for Suspicious Operations with Firewalls rule. Improved output for Workload Rules - Event Summary. Updated Indicators of Compromise (IoCs) rulesets with new findings.
| 0.134.2 |
January 10, 2024 | Rule Changes Reduced false positives for the following rules: Kernel startup modules changed
Possible backdoor using BPF
Launch Root User Container
Packet socket created in container
Suspicious Operations with Firewalls
Improved tags for Workload Rules. Updated Indicators of Compromise (IoCs).
Default Policy Changes | 0.134.1 |
January 09, 2024 | Rule Changes Improved output for Workload Rules - Event Summary. Improved condition for the following rules: Get Federation Token with Admin Policy
Ransomware Filenames Detected
Detect malicious cmdlines
nsenter Container Escape
Mount Launched in Privileged Container
Put Bucket ACL for AllUsers
Default Policy Changes Updated policies for the following rules: AWS CLI used with endpoint url parameter
Ransomware Filenames Detected
Azure Blob Created
Azure Blob Deleted
| 0.134.0 |
January 08, 2024 | Rule Changes | 0.133.14 |
January 05, 2024 | Rule Changes Reduced false positives for the following rules: Modification of pam.d detected
Possible Backdoor using BPF
Suspicious Cron Modification
PTRACE attached to process
Updated the IoCs Ruleset with new findings. Improved condition for the Ransomware Filenames Detected rule.
| 0.133.13 |
January 04, 2024 | Rule Changes Reduced false positives for the following rules: Modification of pam.d detected
Non sudo setuid
Execution from /tmp
Suspicious Cron Modification
Set Setuid or Setgid bit
Read sensitive file untrusted
Updated the IoCs Ruleset with new findings. Added the Ransomware Filenames Detected rule.
Default Policy Changes | 0.133.12 |
January 03, 2024 | | 0.133.11 |