Base Rule Set Compliance Matrix


Threat Stack provides a Base Rule Set to help you get started on your security journey. We recognize that the Base Rule Set may not meet your organization's specific needs, so we created alternate compliance rule sets based on:

  • HIPAA
  • SOC2
  • PCI
  • FFIEC

NOTE: We also have a collection of miscellaneous rules at the end of this article.

To help clarify how these other compliance rule sets compare to the Base Rule Set, we created comparison charts for each compliance rule set.

HIPAA Rule Set

Base Rule Set | HIPAA
--------------|------
Application: Services running as root | (none)
Exploits : Kernel Module Activity | HIPAA Compliance 164.308(a)(5)(ii)(B)
Exploits : Process Activity from /tmp | HIPAA Compliance 164.308(a)(5)(ii)(B)
Exploits : Services running Shell | HIPAA Compliance 164.308(a)(5)(ii)(B)
Files : Configuration File Changes | HIPAA Compliance 164.312(b) Integrity
Files : System File Changes | HIPAA Compliance 164.312(b) Integrity
Files: Secret File Opens | (none)
Host : New user added | HIPAA Compliance 164.308(a)(3)(ii)(A)
Network:LAN-WAN Access | HIPAA Compliance 164.312(b)
Threat Intelligence: Outbound | HIPAA Compliance 164.312(b)
Users : File Transfers | HIPAA Compliance 164.312(b)
Users : Login Failures | HIPAA Compliance 164.308(a)(5)(ii)(C)
Users : Logins | HIPAA Compliance 164.308(a)(5)(ii)(C)
Users : Privilege Escalations | HIPAA Compliance 164.308(a)(4)(i)
Users : Root Logins from WAN | HIPAA Compliance 164.308(a)(5)(ii)(C) & 164.312(a)(2)(i)
Users: File Permission Changes | HIPAA Compliance 164.312(b)
Users: Manual Package Installs | HIPAA Compliance 164.308(a)(5)(ii)(B)
Users: Security Tool Usage | HIPAA Compliance 164.308(a)(5)(ii)(B)
Users: Manual File Edits | HIPAA Compliance 164.312(b)
Application: Cassandra Config File Access | (none)
Application: ES Admin port access | (none)
Files: Application Directory | (none)
Files: Audit Logs | HIPAA Compliance 164.312(b)
Files: Canary File Opens | (none)
Files: Code Execution | (none)
Host : Insecure Port Usage | (none)
Network : Connection Accepts | (none)
Network : Connection Binds | (none)
Users : Logins from non Jump Host | (none)
Users : Logins from WAN | (none)
Users: Ex-Employee Activity | (none)

SOC2 Rule Set

Base Rule Set | SOC2
--------------|-----
Application: Services running as root | (none)
Exploits : Kernel Module Activity | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Exploits : Process Activity from /tmp | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Exploits : Services running Shell | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Files : Configuration File Changes | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Files : System File Changes | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Files: Secret File Opens | (none)
Host : New user added | (none)
Network:LAN-WAN Access | (none)
Threat Intelligence: Outbound | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Users : File Transfers | SOC-2 Common Criteria CC 1.1, 3.1, 3.2, 4.1, 5.1, 5.7, 6.1, 6.2, 7.4, PI 1.3 & C 1.3
Users : Login Failures | (none)
Users : Logins | (none)
Users : Privilege Escalations | SOC-2 Common Criteria CC 4.1, 5.1, 5.3, 5.4, 5.7 & C 1.2
Users : Root Logins from WAN | SOC-2 Common Criteria CC 4.1, 5.1, 5.3, 5.4 & 5.6
Users: File Permission Changes | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Users: Manual Package Installs | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Users: Security Tool Usage | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Users: Manual File Edits | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Application: Cassandra Config File Access | (none)
Application: ES Admin port access | (none)
Files: Application Directory | (none)
Files: Audit Logs | SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4
Files: Canary File Opens | (none)
Files: Code Execution | (none)
Host : Insecure Port Usage | (none)
Network : Connection Accepts | (none)
Network : Connection Binds | (none)
Users : Logins from non Jump Host | (none)
Users : Logins from WAN | (none)
Users: Ex-Employee Activity | (none)

PCI Rule Set

Base Rule Set | PCI
--------------|----
Application: Services running as root | (none)
Exploits : Kernel Module Activity | (none)
Exploits : Process Activity from /tmp | (none)
Exploits : Services running Shell | (none)
Files : Configuration File Changes | PCI Compliance 11.5
Files : System File Changes | PCI Compliance 11.5
Files: Secret File Opens | (none)
Host : New user added | (none)
Network:LAN-WAN Access | PCI Compliance 11.4
Threat Intelligence: Outbound | PCI Compliance 11.4
Users : File Transfers | (none)
Users : Login Failures | PCI Compliance 10.2, 10.3, 11.4
Users : Logins | PCI Compliance 10.1, 10.2, 10.3, 11.4
Users : Privilege Escalations | PCI Compliance 10.2, 10.3
Users : Root Logins from WAN | PCI Compliance 10.1, 10.2, 10.3, 11.4
Users: File Permission Changes | (none)
Users: Manual Package Installs | (none)
Users: Security Tool Usage | (none)
Users: Manual File Edits | (none)
Application: Cassandra Config File Access | (none)
Application: ES Admin port access | (none)
Files: Application Directory | (none)
Files: Audit Logs | PCI Compliance 10.1, 10.2, 10.5
Files: Canary File Opens | (none)
Files: Code Execution | (none)
Host : Insecure Port Usage | (none)
Network : Connection Accepts | PCI Compliance 11.4
Network : Connection Binds | (none)
Users : Logins from non Jump Host | PCI Compliance 11.4
Users : Logins from WAN | (none)
Users: Ex-Employee Activity | (none)

FFIEC Rule Set

Base Rule Set | FFIEC
--------------|------
Application: Services running as root | (none)
Exploits : Kernel Module Activity | FFIEC Compliance II.A, II.B, II.C & II.D
Exploits : Process Activity from /tmp | FFIEC Compliance II.A, II.B, II.C & II.D
Exploits : Services running Shell | FFIEC Compliance II.A, II.B, II.C & II.D
Files : Configuration File Changes | FFIEC Compliance II.A, II.B, II.C & II.D
Files : System File Changes | FFIEC Compliance II.A, II.B, II.C & II.D
Files: Secret File Opens | (none)
Host : New user added | (none)
Network:LAN-WAN Access | (none)
Threat Intelligence: Outbound | FFIEC Compliance II.A, II.B, II.C & II.D
Users : File Transfers | FFIEC Compliance II.A, II.B, II.C & II.D
Users : Login Failures | (none)
Users : Logins | (none)
Users : Privilege Escalations | FFIEC Compliance II.A, II.B, II.C & II.D
Users : Root Logins from WAN | FFIEC Compliance II.A, II.B, II.C & II.D
Users: File Permission Changes | FFIEC Compliance II.A, II.B, II.C & II.D
Users: Manual Package Installs | FFIEC Compliance II.A, II.B, II.C & II.D
Users: Security Tool Usage | FFIEC Compliance II.A, II.B, II.C & II.D
Users: Manual File Edits | FFIEC Compliance II.A, II.B, II.C & II.D
Application: Cassandra Config File Access | (none)
Application: ES Admin port access | (none)
Files: Application Directory | (none)
Files: Audit Logs | FFIEC Compliance II.A, II.B, II.C & II.D
Files: Canary File Opens | (none)
Files: Code Execution | (none)
Host : Insecure Port Usage | (none)
Network : Connection Accepts | (none)
Network : Connection Binds | (none)
Users : Logins from non Jump Host | (none)
Users : Logins from WAN | (none)
Users: Ex-Employee Activity | (none)

MISC - No Specified Rule Set

The following compliance rules have no corresponding rule in the Base Rule Set:

HIPAA
  • HIPAA Compliance 164.308(a)(5)(ii)(B): Exploits - Service Account Command Running As Root
  • HIPAA Compliance 164.312(b): Patient File Opens

SOC2
  • SOC-2 Common Criteria CC 3.1, 3.3, 4.1, 5.6, 6.1, 6.2 & C 1.3: Inbound Threat Intelligence Communication
  • SOC-2 Common Criteria CC 4.1, 5.1, 6.1, 6.2 & 7.4: Customer File Opens

PCI
  • PCI Compliance 10.4: System Clock Changed
  • PCI Compliance 11.4: Inbound Threat Intelligence Communication
  • PCI Compliance 11.5: Customer File Opens

FFIEC
  • FFIEC Compliance II.A, II.B, II.C & II.D: Customer File Opens
  • FFIEC Compliance II.A, II.B, II.C & II.D: Inbound Threat Intelligence Communication from {{ip}} on {{threatintel_reason}}
