Update v8.16.3

edit

This section lists all updates associated with version 8.16.3 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

AWS IAM Login Profile Added for Root

Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary access to the root account, may add a login profile to the root user account to maintain access even if the original access key is rotated or disabled.

new

1

AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session

Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same account over a session. Multiple consecutive executions implies that a user may be intentionally attempting to bypass security controls, by not routing the requests with the desired guardrail configuration in order to access sensitive information, or possibly exploit a vulnerability in the system.

new

1

Unusual High Denied Sensitive Information Policy Blocks Detected

Detects repeated compliance violation BLOCKED actions coupled with specific policy name such as sensitive_information_policy, indicating persistent misuse or attempts to probe the model’s denied topics.

new

1

Unusual High Denied Topic Blocks Detected

Detects repeated compliance violation BLOCKED actions coupled with specific policy name such as topic_policy, indicating persistent misuse or attempts to probe the model’s denied topics.

new

1

Unusual High Word Policy Blocks Detected

Detects repeated compliance violation BLOCKED actions coupled with specific policy name such as word_policy, indicating persistent misuse or attempts to probe the model’s denied topics.

new

1

AWS IAM User Created Access Keys For Another User

An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM CreateAccessKey API operation to create new programmatic access keys for another IAM user.

update

5

Unusual High Confidence Content Filter Blocks Detected

Detects repeated high-confidence BLOCKED actions coupled with specific Content Filter policy violation having codes such as MISCONDUCT, HATE, SEXUAL, INSULTS', PROMPT_ATTACK, VIOLENCE indicating persistent misuse or attempts to probe the model’s ethical boundaries.

update

5

Possible Consent Grant Attack via Azure-Registered Application

Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.

update

213

GitHub Protected Branch Settings Changed

This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization’s security posture and leave you exposed for future attacks.

update

206

High Number of Cloned GitHub Repos From PAT

Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.

update

204

GitHub Repository Deleted

This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it’s validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.

update

203