Advanced threat detection rules. Powered by Sysdig threat research.
Detection rules define the behaviors that indicate potential threats in cloud-native environments. Sysdig’s Threat Research Team (TRT) continuously curates and enhances these rules to protect against the latest cloud-native attacks. Get precision-tuned detections mapped to MITRE ATT&CK® and leading compliance frameworks.
Rule collections group related detection rules to help you quickly identify and mitigate specific types of cloud-native threats. Whether categorized by MITRE ATT&CK® tactic, compliance framework, or data source like AWS or Kubernetes, each collection delivers high-fidelity detections refined by Sysdig’s Threat Research Team to reduce noise and strengthen your security posture.
Falco Feeds by Sysdig keeps your runtime protection current — so you can detect faster, respond smarter, and stay secure as threats evolve.
Malicious Process Reaching K8S API Server Detected
Description:
Detects a known malicious process connecting to the Kubernetes API server. Tools such as peirates let an attacker who has a foothold in a pod send GET and POST requests to the API server in order to move laterally within the cluster or exfiltrate sensitive data such as secrets.
Mount on Container Path Detected
Description:
This rule detects a mount of custom resources onto a path inside a container, which adversaries may use to inject malicious code into the runtime environment. An attacker could, for example, mount a backdoored filesystem or volume over a container path to plant a backdoor and gain unauthorized access to the system.
Connection with Suspicious User Agent Detected
Description:
Detects a connection whose HTTP User-Agent header matches one commonly used by threat actors when communicating with command and control servers.
Backdoored library loaded into SSHD (CVE-2024-3094)
Description:
This rule detects possible CVE-2024-3094 exploitation when the SSH daemon process loads a backdoored version of the liblzma library (shipped in xz-utils 5.6.0 and 5.6.1). The backdoor is reached through libsystemd, which many distributions link into sshd, and hooks sshd's public key authentication path so that an attacker holding the matching private key can bypass authentication and run commands with sshd's privileges, exposing sensitive data and enabling privilege escalation.
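The runtime rule above fires when the library is actually loaded; a responder also wants a quick host-side triage. The following is an added example, not Sysdig code: it parses the text that `xz --version` and `ldd /usr/sbin/sshd` print and reports whether the host has the backdoored xz-utils release and an sshd that (directly or through libsystemd) links liblzma. The sample outputs embedded below are constructed, and the sshd path and verdict names are assumptions for illustration.

```python
"""Added example, not Sysdig or Falco code: host triage for CVE-2024-3094.

Parses the output of `xz --version` and `ldd /usr/sbin/sshd` and reports
whether the host runs the backdoored xz-utils 5.6.0/5.6.1 AND an sshd that
links liblzma (usually indirectly, via libsystemd).  The sample outputs in
the __main__ block are constructed, not captured from a real host.
"""
import re

# xz-utils releases that carried the backdoored liblzma build.
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}


def parse_liblzma_version(xz_version_output):
    """Extract the liblzma version from `xz --version` text, or None if absent."""
    m = re.search(r"liblzma\s+(\d+\.\d+\.\d+)", xz_version_output)
    return m.group(1) if m else None


def sshd_links_liblzma(ldd_output):
    """True if any resolved dependency line in `ldd` output is liblzma."""
    return any(line.strip().startswith("liblzma.so")
               for line in ldd_output.splitlines())


def triage(xz_version_output, ldd_output):
    """Return a verdict string (names are assumptions for this example).

    EXPOSED             backdoored liblzma present and sshd links it
    BACKDOORED_XZ_ONLY  backdoored liblzma present, sshd does not link it
    NOT_AFFECTED        liblzma version is not a backdoored release
    UNKNOWN             could not parse a liblzma version at all
    """
    version = parse_liblzma_version(xz_version_output)
    if version is None:
        return "UNKNOWN"
    if version not in BACKDOORED_XZ_VERSIONS:
        return "NOT_AFFECTED"
    return "EXPOSED" if sshd_links_liblzma(ldd_output) else "BACKDOORED_XZ_ONLY"


if __name__ == "__main__":
    # Constructed sample outputs (not from a real host).
    xz_out = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
    ldd_out = ("\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n"
               "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n")
    print(triage(xz_out, ldd_out))
```

The version string is a triage heuristic only: distributions shipped reverted or patched packages whose package version may still read 5.6.x, so confirm against your distribution's advisory before closing the ticket, and treat an `EXPOSED` host as potentially compromised rather than merely vulnerable.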
Possible Arbitrary Command Execution through CUPS (CVE-2024-47177)
Description:
DEPRECATED. This rule, originally created to detect possible arbitrary command execution through CUPS, is now deprecated and has been replaced by the generic rule Possible Arbitrary Command Execution through CUPS.
Possible Arbitrary Command Execution through CUPS
Description:
This rule detects the foomatic-rip process executing common shell programs, which may indicate that an attacker has exploited CVE-2024-47176 (cups-browsed) chained with CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd) and CVE-2024-47177 (foomatic-rip). Together these vulnerabilities can allow an unauthenticated remote attacker to execute arbitrary commands on the target machine once a print job is sent to the attacker-controlled printer. Confirm whether the shell execution is expected and ensure CUPS has been patched for these vulnerabilities.
Possible Jynx Rootkit Detected
Description:
This rule identifies a critical installation step of the 'Jynx' rootkit, in which the group ID of the /etc/ld.so.preload file is changed. Because the dynamic loader preloads every library listed in this file into every dynamically linked process, it is a common vehicle for loading malicious libraries, and changes to its ownership or permissions may indicate rootkit activity.
Potential IngressNightmare Vulnerability Exploitation
Description:
This rule detects possible exploitation of the IngressNightmare vulnerability (CVE-2025-1974) in ingress-nginx, where the NGINX process loads a shared library from a path under /proc (ProcFS). The exploit chain abuses the admission controller's configuration validation to make NGINX load an attacker-supplied shared object through a /proc/<pid>/fd/ path, after which the attacker can execute arbitrary code in the ingress controller container.
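The rule descriptions above (suspicious user agent, foomatic-rip spawning a shell, ownership change on /etc/ld.so.preload, NGINX loading a library from /proc) are all conditions over runtime events. The block below is an added example, not Sysdig or Falco code: a minimal Falco-style evaluator that expresses those four conditions as predicates and runs them over constructed events. The field names (evt.type, proc.name, proc.pname, fd.name, evt.arg.path, http.user_agent) mimic Falco's naming but are assumptions here, as are the user-agent patterns and sample events; in Falco's own rule language the CUPS condition would read roughly as `spawned_process and proc.pname = foomatic-rip and proc.name in (sh, bash, dash)`.

```python
"""Added example, not Sysdig or Falco code.

A minimal Falco-style evaluator: each detection is a predicate over an event
dict, and evaluate() returns the alerts that fire.  Field names mimic Falco's
naming but are assumptions for this example, as are the user-agent patterns
and the sample events.
"""
import fnmatch

SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}

# Constructed patterns; a real feed carries curated, threat-research-backed ones.
SUSPICIOUS_UA_PATTERNS = ("c2-beacon/*", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")


def foomatic_rip_spawns_shell(ev):
    """CUPS chain (CVE-2024-47176/47076/47175/47177): foomatic-rip execs a shell."""
    return (ev.get("evt.type") == "execve"
            and ev.get("proc.pname") == "foomatic-rip"
            and ev.get("proc.name") in SHELLS)


def ld_so_preload_owner_change(ev):
    """Jynx-style rootkit install: ownership/group change on /etc/ld.so.preload."""
    return (ev.get("evt.type") in {"chown", "lchown", "fchownat"}
            and ev.get("evt.arg.path") == "/etc/ld.so.preload")


def nginx_loads_library_from_procfs(ev):
    """IngressNightmare (CVE-2025-1974): nginx opens a file via /proc/<pid>/fd/."""
    return (ev.get("evt.type") in {"open", "openat"}
            and ev.get("proc.name") == "nginx"
            and fnmatch.fnmatch(ev.get("fd.name", ""), "/proc/*/fd/*"))


def suspicious_user_agent(ev):
    """Outbound HTTP request whose User-Agent matches a known-bad pattern."""
    ua = ev.get("http.user_agent", "")
    return (ev.get("evt.type") == "http_request"
            and any(fnmatch.fnmatch(ua, p) for p in SUSPICIOUS_UA_PATTERNS))


# (rule name, priority, predicate); names taken from the descriptions above.
RULES = [
    ("Possible Arbitrary Command Execution through CUPS", "CRITICAL", foomatic_rip_spawns_shell),
    ("Possible Jynx Rootkit Detected", "CRITICAL", ld_so_preload_owner_change),
    ("Potential IngressNightmare Vulnerability Exploitation", "CRITICAL", nginx_loads_library_from_procfs),
    ("Connection with Suspicious User Agent Detected", "WARNING", suspicious_user_agent),
]


def evaluate(events):
    """Return [(rule_name, priority, event_index)] for every rule that fires."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, priority, pred in RULES:
            if pred(ev):
                alerts.append((name, priority, idx))
    return alerts


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"evt.type": "execve", "proc.name": "gs", "proc.pname": "foomatic-rip"},             # benign: ghostscript filter
    {"evt.type": "execve", "proc.name": "sh", "proc.pname": "foomatic-rip",
     "proc.cmdline": "sh -c 'id > /tmp/pwned'"},                                          # fires CUPS rule
    {"evt.type": "chown", "evt.arg.path": "/etc/ld.so.preload", "evt.arg.gid": 1000},    # fires Jynx rule
    {"evt.type": "chown", "evt.arg.path": "/etc/ld.so.conf"},                             # benign
    {"evt.type": "openat", "proc.name": "nginx", "fd.name": "/proc/12/fd/7"},             # fires IngressNightmare rule
    {"evt.type": "openat", "proc.name": "nginx", "fd.name": "/etc/nginx/nginx.conf"},     # benign
    {"evt.type": "http_request", "proc.name": "curl", "http.user_agent": "c2-beacon/1.0"},  # fires UA rule
    {"evt.type": "http_request", "proc.name": "curl", "http.user_agent": "curl/8.5.0"},   # benign
]


if __name__ == "__main__":
    for name, prio, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{prio}] {name}: event {idx} {SAMPLE_EVENTS[idx]}")
```

Each predicate keys on the parent/child process pair, the target path, or the header value rather than on a command line, which is what keeps the noise down: foomatic-rip legitimately launches ghostscript, and nginx legitimately opens its config, so only the specific combination the description names produces an alert.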