What is the Threat Stack Monitor Plan?
The following features are included in the Monitor plan.
Monitoring and alerting
- User activity: any activity that has an interactive user session associated with it. Examples include:
- Users logging in and escalating privileges to root
- Users copying files from prod to dev
- File integrity monitoring
- File OPENs
- File CREATEs
- File MODIFYs
- Vulnerability monitoring
- Daily alert report
- Daily vulnerability report
- Daily FIM report
- Daily compliance rule set
Note: Threat Stack stores all alerts, together with the events that contributed to them, for one year from the time the alert is generated.
How do you enable the Monitor plan?
Customers enable monitor mode on the agent with the --agent_type option. In addition, Threat Stack provides a default Monitor Base Rule Set (screenshot below) that customers can associate their agents with by default.
The following is the command customers would use in their deploy scripts to enable monitor mode and associate the monitor rule set with the agent:
cloudsight setup --deploy-key=<key> --agent_type=m --ruleset="Monitor Base Rule Set"
Monitor mode can be enabled only on agent versions 1.6.0 and above.
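The following is an added example of how the setup command above can be wrapped in a deploy script; it is not Threat Stack's own code. It adds the two guards a practitioner would want before running it on a fleet: the installed agent version is checked against the 1.6.0 minimum stated above, and the deploy key is read from an environment variable rather than pasted into the script, so it is never committed to version control. The variable names TS_DEPLOY_KEY and CLOUDSIGHT are assumptions made for this example, and how the installed agent version is discovered (for instance from your package manager) is left to the caller, since the page does not describe it.

```shell
#!/bin/sh
# Added example, not Threat Stack's own code. Enables monitor mode on the
# Threat Stack agent from a deploy script with two guards: the agent must be
# version 1.6.0 or newer (the page's stated minimum for monitor mode), and the
# deploy key must come from the environment instead of being hardcoded.
#
# Assumed names (not from the page): TS_DEPLOY_KEY holds the deploy key;
# CLOUDSIGHT overrides the agent binary, e.g. CLOUDSIGHT=echo for a dry run.

MIN_MONITOR_VERSION="1.6.0"
MONITOR_RULESET="Monitor Base Rule Set"

# version_ge A B: exit 0 if dotted version A is >= dotted version B.
# Components are compared numerically one at a time; a missing component
# counts as 0 and any non-numeric suffix on a component is dropped.
version_ge() {
    i=1
    while :; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        y=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        # Both versions exhausted with every component equal.
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# enable_monitor_mode AGENT_VERSION: run `cloudsight setup` in monitor mode
# with the Monitor Base Rule Set. Returns 2 if the agent is too old and 3 if
# no deploy key is available in the environment.
enable_monitor_mode() {
    agent_version="$1"
    if ! version_ge "$agent_version" "$MIN_MONITOR_VERSION"; then
        echo "agent $agent_version is older than $MIN_MONITOR_VERSION; monitor mode unavailable" >&2
        return 2
    fi
    if [ -z "${TS_DEPLOY_KEY:-}" ]; then
        echo "TS_DEPLOY_KEY is not set; refusing to run with a hardcoded deploy key" >&2
        return 3
    fi
    "${CLOUDSIGHT:-cloudsight}" setup \
        --deploy-key="$TS_DEPLOY_KEY" \
        --agent_type=m \
        --ruleset="$MONITOR_RULESET"
}

# Usage: ./enable-monitor.sh <installed-agent-version>
# The deploy pipeline supplies the installed version as the first argument.
if [ "$#" -gt 0 ]; then
    enable_monitor_mode "$1"
fi
```

Keeping the deploy key out of the script body also keeps it out of any copy of the script that lands in a repository or an image layer; the key still appears in the process's argument list while `cloudsight setup` runs, which is what the command on the page requires.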