- Added three Runtime Monitoring detections (Persistence, PrivilegeEscalation, DefenseEvasion) that trigger on sensitive file modifications in EC2, EKS, and ECS workloads.
- Monitors five file operations (open‑for‑write, rename, symlink, link, unlink) to detect post‑compromise activity while reducing false positives via correlation analysis.
- Available to all GuardDuty customers with Runtime Monitoring enabled; includes MITRE ATT&CK mapping and a 30‑day free trial for new users.