Update v8.17.1
This section lists all updates associated with version 8.17.1 of the Fleet integration Prebuilt Security Detection Rules.
Rule | Description | Status | Version |
---|---|---|---|
 | Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries with temporary access to the root account may add a login profile to the root user account to maintain access even if the original access key is rotated or disabled. | new | 1 |
AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session | Identifies multiple AWS Bedrock executions in a one-minute time window without guardrails by the same user in the same account over a session. Multiple consecutive executions imply that a user may be intentionally attempting to bypass security controls by not routing requests through the desired guardrail configuration, in order to access sensitive information or possibly exploit a vulnerability in the system. | new | 1 |
Unusual High Denied Sensitive Information Policy Blocks Detected | Detects repeated compliance-violation BLOCKED actions coupled with a specific policy name, such as sensitive_information_policy, indicating persistent misuse or attempts to probe the model's denied topics. | new | 1 |
 | Detects repeated compliance-violation BLOCKED actions coupled with a specific policy name, such as topic_policy, indicating persistent misuse or attempts to probe the model's denied topics. | new | 1 |
 | Detects repeated compliance-violation BLOCKED actions coupled with a specific policy name, such as word_policy, indicating persistent misuse or attempts to probe the model's denied topics. | new | 1 |
 | An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM | update | 5 |
 | Detects repeated high-confidence BLOCKED actions coupled with specific Content Filter policy violations with codes such as MISCONDUCT, HATE, SEXUAL, INSULTS, PROMPT_ATTACK and VIOLENCE, indicating persistent misuse or attempts to probe the model's ethical boundaries. | update | 5 |
Possible Consent Grant Attack via Azure-Registered Application | Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. | update | 213 |
 | This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed to future attacks. | update | 206 |
 | Detects a high number of unique private repo clone events originating from a single personal access token within a short time period. | update | 204 |
 | This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine its validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. | update | 203 |
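The Bedrock "without guardrails" rule, the three repeated-BLOCKED policy rules and the personal-access-token clone rule in the table above all share one detection shape: group events by an entity (user and account, or token), keep only those inside a sliding time window, count them (or count distinct values, for the unique-repo case) and alert once the count crosses a threshold. The block below is an added example in Python that shows that logic over constructed events; it is not Elastic's rule code or query language. The event field names, the threshold of three events and the window lengths are assumptions, since the descriptions only say "multiple" and "repeated".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 15, 10, 0, 0)  # constructed base time for the sample events


def ev(offset_s, **fields):
    """Build one constructed event `offset_s` seconds after T0 (not a real log record)."""
    return {"ts": T0 + timedelta(seconds=offset_s), **fields}


# Constructed sample events. Field names are assumptions, not real CloudTrail or GitHub schema.
EVENTS = [
    # Bedrock invocations: alice makes three un-guarded calls inside one minute, bob spreads
    # his over more than a minute, and alice's fourth call does carry a guardrail.
    ev(0, type="bedrock.invoke", account="acct-1", user="alice", guardrail=None),
    ev(20, type="bedrock.invoke", account="acct-1", user="alice", guardrail=None),
    ev(40, type="bedrock.invoke", account="acct-1", user="alice", guardrail=None),
    ev(50, type="bedrock.invoke", account="acct-1", user="alice", guardrail="gr-1"),
    ev(0, type="bedrock.invoke", account="acct-1", user="bob", guardrail=None),
    ev(90, type="bedrock.invoke", account="acct-1", user="bob", guardrail=None),
    ev(150, type="bedrock.invoke", account="acct-1", user="bob", guardrail=None),
    # Guardrail verdicts: carol repeatedly trips topic_policy, dave only twice.
    ev(0, type="bedrock.guardrail", account="acct-1", user="carol", action="BLOCKED", policy="topic_policy"),
    ev(10, type="bedrock.guardrail", account="acct-1", user="carol", action="BLOCKED", policy="word_policy"),
    ev(30, type="bedrock.guardrail", account="acct-1", user="carol", action="BLOCKED", policy="topic_policy"),
    ev(60, type="bedrock.guardrail", account="acct-1", user="carol", action="BLOCKED", policy="topic_policy"),
    ev(0, type="bedrock.guardrail", account="acct-1", user="dave", action="BLOCKED", policy="topic_policy"),
    ev(10, type="bedrock.guardrail", account="acct-1", user="dave", action="BLOCKED", policy="topic_policy"),
    # GitHub clones keyed by personal access token (placeholder token ids): pat-A touches three
    # distinct private repos, pat-B hammers one repo, pat-C clones only public repos.
    ev(0, type="github.clone", token="pat-A", repo="org/r1", private=True),
    ev(10, type="github.clone", token="pat-A", repo="org/r2", private=True),
    ev(20, type="github.clone", token="pat-A", repo="org/r2", private=True),
    ev(30, type="github.clone", token="pat-A", repo="org/r3", private=True),
    ev(5, type="github.clone", token="pat-B", repo="org/r1", private=True),
    ev(15, type="github.clone", token="pat-B", repo="org/r1", private=True),
    ev(25, type="github.clone", token="pat-B", repo="org/r1", private=True),
    ev(0, type="github.clone", token="pat-C", repo="org/r1", private=False),
    ev(10, type="github.clone", token="pat-C", repo="org/r2", private=False),
]


def detect_windowed(events, key_fn, match_fn, window, threshold, distinct_fn=None):
    """Generic sliding-window threshold: group matching events by key_fn, keep only those
    inside `window` of the newest one, and alert once per key when the count (or the number
    of distinct distinct_fn values) reaches `threshold`. Returns [(key, ts, count)]."""
    alerts, fired = [], set()
    state = defaultdict(deque)  # key -> deque of (ts, distinct value) still inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        if not match_fn(e):
            continue
        key = key_fn(e)
        dq = state[key]
        dq.append((e["ts"], distinct_fn(e) if distinct_fn else None))
        while e["ts"] - dq[0][0] > window:  # evict events older than the window
            dq.popleft()
        count = len({v for _, v in dq}) if distinct_fn else len(dq)
        if count >= threshold and key not in fired:
            alerts.append((key, e["ts"], count))
            fired.add(key)  # suppress re-alerting until the key drops back under threshold
        elif count < threshold:
            fired.discard(key)
    return alerts


def bedrock_without_guardrails(events, threshold=3):
    """Same user and account, `threshold` un-guarded Bedrock invocations inside one minute."""
    return detect_windowed(events, lambda e: (e["account"], e["user"]),
                           lambda e: e["type"] == "bedrock.invoke" and not e["guardrail"],
                           timedelta(minutes=1), threshold)


def repeated_policy_blocks(events, policy, threshold=3):
    """Repeated BLOCKED verdicts for one guardrail policy name (topic_policy, word_policy, ...)."""
    return detect_windowed(events, lambda e: (e["account"], e["user"]),
                           lambda e: e["type"] == "bedrock.guardrail" and e["action"] == "BLOCKED"
                           and e["policy"] == policy,
                           timedelta(minutes=5), threshold)


def pat_mass_clone(events, threshold=3):
    """Many distinct private repos cloned with one token; distinct_fn makes repeats not count."""
    return detect_windowed(events, lambda e: e["token"],
                           lambda e: e["type"] == "github.clone" and e["private"],
                           timedelta(minutes=10), threshold, distinct_fn=lambda e: e["repo"])


if __name__ == "__main__":
    print("bedrock, no guardrails:", bedrock_without_guardrails(EVENTS))
    print("topic_policy blocks:", repeated_policy_blocks(EVENTS, "topic_policy"))
    print("word_policy blocks:", repeated_policy_blocks(EVENTS, "word_policy"))
    print("PAT mass clone:", pat_mass_clone(EVENTS))
```

Two details matter in practice. The deque is trimmed relative to the newest event, so bob's three calls spread over 150 seconds never share a one-minute window and do not alert, which is the behaviour the "one minute time window" wording implies. The `fired` set stops the detector from emitting a fresh alert on every event once a key is over the threshold; a real rule engine does this with alert suppression or a per-key lookback, and without it a single noisy token or user would flood the queue.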