Base Rule Set Compliance Matrix

Rule Sets Overview

Threat Stack provides several base rule sets to help you get started on your security journey – the Base Rule Set, the CloudTrail Base Rule Set, and the container rule sets. Because a base rule set may not meet your organization's specific needs, Threat Stack also created alternate compliance rule sets based on:

  • HIPAA
  • ISO 27001
  • MPAA
  • PCI
  • SOC2

Base Rule Set and Matching Compliance Rule Sets

To help clarify how these other compliance rule sets compare to the host's Base Rule Set, we created comparison charts for each compliance rule set.

Tabs: HIPAA | ISO 27001 | MPAA | PCI | SOC2 (HIPAA tab shown below)

| Base Rule Set | Supports Criteria |
|---|---|
| Database: Connection from Command Line | N/A |
| Exploit: Kernel Module Activity | HIPAA 164.308(a)(5)(ii)(B) |
| Exploit: Process Activity from /tmp | HIPAA 164.308(a)(5)(ii)(B) |
| Exploit: Service Running as Root | HIPAA 164.308(a)(5)(ii)(B) |
| Exploit: Service Running Shell | N/A |
| File: Canary File Opens | HIPAA 164.312(b) |
| File: Secret File Opens | HIPAA 164.312(b) |
| File: System Configuration File Changes | HIPAA 164.312(b) |
| File: System File Changes | HIPAA 164.312(b) |
| File: System Logs Deleted | HIPAA 164.312(b) |
| Host: Excessive Root Login Failures from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| Host: Excessive User Login Failures from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| Host: New User Added | HIPAA 164.308(a)(3)(ii)(A) |
| Network: Inbound Connection (Accepts) from LAN | HIPAA 164.312(b) |
| Network: Inbound Connection (Accepts) from WAN | HIPAA 164.312(b) |
| Network: Outbound Connection (Connects) to LAN | HIPAA 164.312(b) |
| Network: Outbound Connection (Connects) to WAN | HIPAA 164.312(b) |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | N/A |
| Threat Intelligence: Outbound Connection (Connects) to WAN | N/A |
| User: Data Movement inside LAN | HIPAA 164.312(b) |
| User: Possible Data Download | HIPAA 164.312(b) |
| User: Possible Data Exfiltration | HIPAA 164.312(b) |
| User: Potentially Suspicious Command Usage | HIPAA 164.308(a)(5)(ii)(B) |
| User: Privilege Escalations | HIPAA 164.308(a)(4)(i) |
| User: Root Login from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: Root Login from WAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: User Login from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: User Login from WAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: System Time Changes | N/A |
| User: Terminated Employee Activity | N/A |

CloudTrail Base Rule Set and Matching Compliance Rule Sets

To help clarify how these other compliance rule sets compare to CloudTrail's Base Rule Set, we created comparison charts for each compliance rule set.

Tabs: HIPAA | ISO 27001 | MPAA | PCI | SOC2 (HIPAA tab shown below)

| CloudTrail Rule Set | Supports Criteria |
|---|---|
| CloudTrail: Access Denied | N/A |
| CloudTrail: CloudTrail Admin Activity | N/A |
| CloudTrail: AWS Kinesis Service | N/A |
| CloudTrail: AWS Support Case Changes | N/A |
| CloudTrail: AWS Support Information Discovery | N/A |
| CloudTrail: Certificate Manager Changes | N/A |
| CloudTrail: Certificate Manager Information Discovery | N/A |
| CloudTrail: Console Login by Root | HIPAA 164.308(a)(5)(ii)(C) |
| CloudTrail: Console Login: MFA Not Used | HIPAA 164.308(a)(5)(ii)(C) |
| CloudTrail: Console Login: Root Password Change | HIPAA 164.308(a)(5)(ii)(D) |
| CloudTrail: DirectConnect Information Discovery | N/A |
| CloudTrail: DirectConnect Policy Changes | N/A |
| CloudTrail: DynamoDB Backup Created | N/A |
| CloudTrail: DynamoDB Backup Deleted | N/A |
| CloudTrail: DynamoDB Describe Database Components | N/A |
| CloudTrail: DynamoDB List Database Components | N/A |
| CloudTrail: DynamoDB Table Created | N/A |
| CloudTrail: DynamoDB Table Deleted | N/A |
| CloudTrail: EC2 KeyPair Changes | HIPAA 164.312(c)(1) |
| CloudTrail: EC2 Security Group Changes | HIPAA 164.312(c)(1) |
| CloudTrail: EC2 Information Discovery | N/A |
| CloudTrail: EC2 RunInstances | N/A |
| CloudTrail: EC2 Service Changes | HIPAA 164.312(c)(1) |
| CloudTrail: EC2 Instance in Non-Standard Region | HIPAA 164.312(c)(1) |
| CloudTrail: EC2 Started with Non-Standard Image ID | HIPAA 164.312(c)(1) |
| CloudTrail: EC2 Started in Non-Standard VPC | HIPAA 164.312(c)(1) |
| CloudTrail: EC2 Wide Open Security Group | HIPAA 164.312(c)(1) |
| CloudTrail: ECS Account Setting Changes | N/A |
| CloudTrail: ECS Attribute Changes | N/A |
| CloudTrail: ECS Cluster Changes | N/A |
| CloudTrail: ECS Container Instance Changes | N/A |
| CloudTrail: ECS Resource Tag Changes | N/A |
| CloudTrail: ECS Service Changes | N/A |
| CloudTrail: ECS Task Definition Changes | N/A |
| CloudTrail: ECS Task State Changes | N/A |
| CloudTrail: ECS UpdateContainerAgent | N/A |
| CloudTrail: EKS Cluster Changes | N/A |
| CloudTrail: ELB Changes | N/A |
| CloudTrail: ELB Information Discovery | N/A |
| CloudTrail: ELB Listener Changes | N/A |
| CloudTrail: ELB Rule Changes | N/A |
| CloudTrail: ELB Target Changes | N/A |
| CloudTrail: Glacier Vault Changes | N/A |
| CloudTrail: Glacier Vault Information Discovery | N/A |
| CloudTrail: IAM Access Key Changes | N/A |
| CloudTrail: IAM Discovery | N/A |
| CloudTrail: IAM GetAccountAuthorizationDetails | N/A |
| CloudTrail: IAM Group Changes | N/A |
| CloudTrail: IAM Instance Profile Changes | N/A |
| CloudTrail: IAM Policy Changes | N/A |
| CloudTrail: IAM Role Changes | N/A |
| CloudTrail: IAM SAML Changes | N/A |
| CloudTrail: IAM SSH Key Changes | N/A |
| CloudTrail: IAM User Changes | N/A |
| CloudTrail: KMS Key Activity | N/A |
| CloudTrail: Lambda Function Created | N/A |
| CloudTrail: Lambda Function Deleted | N/A |
| CloudTrail: Lambda Permission Changes | N/A |
| CloudTrail: RDS Changes | N/A |
| CloudTrail: RDS Information Discovery | N/A |
| CloudTrail: Route53 DNS Record Changes | N/A |
| CloudTrail: Route53 DNS Zone Created | N/A |
| CloudTrail: Route53 DNS Zone Deleted | N/A |
| CloudTrail: Route53 ListHostedZones | N/A |
| CloudTrail: S3 Bucket Policy Changes | HIPAA 164.312(c)(1) |
| CloudTrail: S3 Create Bucket | HIPAA 164.312(c)(1) |
| CloudTrail: S3 Delete Bucket | HIPAA 164.312(c)(1) |
| CloudTrail: S3 File Tracking | HIPAA 164.312(c)(1) |
| CloudTrail: SES Changes | N/A |
| CloudTrail: SES Information Discovery | N/A |
| CloudTrail: SNS Changes | N/A |
| CloudTrail: SNS Information Discovery | N/A |
| CloudTrail: SQS Changes | N/A |
| CloudTrail: SQS Information Discovery | N/A |
| CloudTrail: STS AssumeRole | N/A |
| CloudTrail: STS GetCallerIdentity | N/A |
| CloudTrail: STS GetFederationToken | N/A |
| CloudTrail: STS GetSessionToken | N/A |
| CloudTrail: VPC ACL Changes | N/A |
| CloudTrail: VPC ACL Information Discovery | N/A |
| CloudTrail: VPC Changes | N/A |
| CloudTrail: VPC Information Discovery | N/A |
| CloudTrail: VPC Interface Changes | N/A |
| CloudTrail: VPC Interface Information Discovery | N/A |
| CloudTrail: VPC Route Changes | N/A |
| CloudTrail: VPC Subnet Changes | N/A |
| CloudTrail: VPC Subnet Information Discovery | N/A |

Container Rule Sets

Container rule sets do not map to the Threat Stack Base Rule Set. The table below lists the individual rules and, where applicable, their compliance standard.

Tabs: Docker | CIS Docker | Kubernetes (Docker tab shown below)

| Docker Rule Set |
|---|
| Docker: File: Docker Container File Change |
| Docker: File: Docker Configuration Change |
| Docker: File: Docker Executable Change |
| Docker: Network: Outbound Connection (Connects) |
| Docker: User: Privileged Commands |
| Docker: User: Push or Pull Commands |
| Docker: User: User Commands |