Base Ruleset Compliance Matrix
Rulesets Overview
F5 Distributed Cloud App Infrastructure Protection (AIP) provides several rulesets to help you get started on your security journey – the Base Ruleset, the CloudTrail Base Ruleset, the Container ruleset, and the Windows ruleset. Distributed Cloud AIP recognizes that a base may not meet your organization's specific needs and created alternate compliance rulesets based on:
- HIPAA
- ISO 27001
- MPAA
- PCI
- SOC2
Distributed Cloud AIP also uses rules in the base ruleset to mitigate risky activity recognized by the MITRE ATTandCK Matrices.
Base Ruleset and Matching Compliance Rulesets
To help clarify how these other compliance rulesets compare to the host's Base Ruleset, we created comparison charts for each compliance ruleset.
HIPAA ISO 27001 MPAA PCI SOC2 MITRE
| Base Ruleset | Supports Criteria |
|---|---|
| Database: Connection from Command Line | N/A |
| Exploit: Kernel Module Activity | HIPAA 164.308(a)(5)(ii)(B) |
| Exploit: Process Activity from /dev/shm | N/A |
| Exploit: Process Activity from /tmp | HIPAA 164.308(a)(5)(ii)(B) |
| Exploit: Service Running as Root | HIPAA 164.308(a)(5)(ii)(B) |
| Exploit: Service Running Shell | N/A |
| File: Canary File Opens | HIPAA 164.312(b) |
| File: Cron File Modified | N/A |
| File: Kernel Parameters Configuration File Modified | N/A |
| File: PAM Configuration Modified | N/A |
| File: Secret File Opens | HIPAA 164.312(b) |
| File: SSH Authorized Keys File Modified | N/A |
| File: System Configuration File Changes | HIPAA 164.312(b) |
| File: System File Changes | HIPAA 164.312(b) |
| File: System Logs Deleted | HIPAA 164.312(b) |
| Host: Cloud Metadata Interface Communication | N/A |
| Host: Data Compression or Decompression Observed | N/A |
| Host: Data Encoding or Decoding Observed | N/A |
| Host: Data Encryption or Decryption Observed | N/A |
| Host: Excessive Root Login Failures from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| Host: Excessive User Login Failures from WAN | N/A |
| Host: Excessive User Login Failures from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| Host: Execution of Hidden File | N/A |
| Host: New Group Added | N/A |
| Host: New User Added | HIPAA 164.308(a)(3)(ii)(A) |
| Host: Possible Cryptomining Software | N/A |
| Host: SSH Command to Setup SOCKS Proxy | N/A |
| Host: SSHD SOCKS Proxy Traffic Observed | N/A |
| Kubernetes: Administrative Tool Usage | N/A |
| Network: Inbound Connection (Accepts) from LAN | HIPAA 164.312(b) |
| Network: Inbound Connection (Accepts) from WAN | HIPAA 164.312(b) |
| Network: Outbound Connection (Connects) to LAN | HIPAA 164.312(b) |
| Network: Outbound Connection (Connects) to WAN | HIPAA 164.312(b) |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | N/A |
| Threat Intelligence: Outbound Connection (Connects) to WAN | N/A |
| User: Data Movement inside LAN | HIPAA 164.312(b) |
| User: Multiple Sudo Failures | N/A |
| User: Possible Data Download | HIPAA 164.312(b) |
| User: Possible Data Exfiltration | HIPAA 164.312(b) |
| User: Potentially Suspicious Command Usage v2 | HIPAA 164.308(a)(5)(ii)(B) |
| User: Privilege Escalation Attempt via Sudo Vulnerability | N/A |
| User: Privilege Escalation Via Sudoedit Vulnerability | N/A |
| User: Privilege Escalations | HIPAA 164.308 (a)(4)(i) |
| User: Root Login from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: Root Login from WAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: Software Installation via Package Manager | N/A |
| User: Switch User to Non-Root User | N/A |
| User: System Time Changes | N/A |
| User: Terminated Employee Activity | N/A |
| User: User Login from LAN | HIPAA 164.308(a)(5)(ii)(C) |
| User: User Login from WAN | HIPAA 164.308(a)(5)(ii)(C) |
| Base Ruleset | Supports Criteria |
|---|---|
| Database: Connection from Command Line | N/A |
| Exploit: Kernel Module Activity | ISO 27001 A.12.2.1 |
| Exploit: Process Activity from /dev/shm | N/A |
| Exploit: Process Activity from /tmp | ISO 27001 A.12.2.1 |
| Exploit: Service Running as Root | ISO 27001 A.12.2.1 |
| Exploit: Service Running Shell | ISO 27001 A.12.2.1 |
| File: Canary File Opens | ISO 27001 A.18.2 and A.18.1.4 |
| File: Cron File Modified | N/A |
| File: Kernel Parameters Configuration File Modified | N/A |
| File: PAM Configuration Modified | N/A |
| File: Secret File Opens | ISO 27001 A.18.2 and A.18.1.4 |
| File: SSH Authorized Keys File Modified | N/A |
| File: System Configuration File Changes | ISO 27001 A.18.2 and A.18.1.4 |
| File: System File Changes | ISO 27001 A.18.2 and A.18.1.4 |
| Host: Cloud Metadata Interface Communication | N/A |
| Host: Data Compression or Decompression Observed | N/A |
| Host: Data Encoding or Decoding Observed | N/A |
| Host: Data Encryption or Decryption Observed | N/A |
| Host: Excessive Root Login Failures from LAN | ISO 27001 A.12.4.1 |
| Host: Excessive Root Login Failures from WAN | N/A |
| Host: Excessive User Login Failures from LAN | ISO 27001 A.12.4.1 |
| Host: Execution of Hidden File | N/A |
| Host: New Group Added | N/A |
| Host: New User Added | ISO 27001 A.9.2 |
| Host: Possible Cryptomining Software | N/A |
| Host: SSH Command to Setup SOCKS Proxy | N/A |
| Host: SSHD SOCKS Proxy Traffic Observed | N/A |
| Kubernetes: Administrative Tool Usage | N/A |
| Network: Inbound Connection (Accepts) from LAN | ISO 27001 A.13.1.1 |
| Network: Inbound Connection (Accepts) from WAN | ISO 27001 A.13.1.1 |
| Network: Outbound Connection (Connects) to LAN | ISO 27001 A.13.1.1 |
| Network: Outbound Connection (Connects) to WAN | ISO 27001 A.13.1.1 |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | ISO 27001 A.13.1.1 |
| Threat Intelligence: Outbound Connection (Connects) to WAN | ISO 27001 A.13.1.1 |
| User: Data Movement inside LAN | ISO 27001 A.18.2 and A.18.1.4 |
| User: Multiple Sudo Failures | N/A |
| User: Possible Data Download | ISO 27001 A.18.2 and A.18.1.4 |
| User: Possible Data Exfiltration | ISO 27001 A.18.2 and A.18.1.4 |
| User: Potentially Suspicious Command Usage v2 | ISO 27001 A.12.2.1 |
| User: Privilege Escalation Attempt via Sudo Vulnerability | N/A |
| User: Privilege Escalation Via Sudoedit Vulnerability | N/A |
| User: Privilege Escalations | ISO 27001 A.9.2.3 |
| User: Root Login from LAN | ISO 27001 A.12.4.1 |
| User: Root Login from WAN | ISO 27001 A.12.4.1 |
| User: Software Installation via Package Manager | N/A |
| User: Switch User to Non-Root User | N/A |
| User: System Time Changes | N/A |
| User: Terminated Employee Activity | N/A |
| User: User Login from LAN | ISO 27001 A.12.4.1 |
| User: User Login from WAN | ISO 27001 A.12.4.1 |
| Base Ruleset | Supports Criteria |
|---|---|
| Database: Connection from Command Line | N/A |
| Exploit: Kernel Module Activity | MPAA DS-9.3 |
| Exploit: Process Activity from /dev/shm | N/A |
| Exploit: Process Activity from /tmp | MPAA DS-9.3 |
| Exploit: Service Running as Root | MPAA DS-9.3 |
| Exploit: Service Running Shell | MPAA DS-9.3 |
| File: Canary File Opens | N/A |
| File: Cron File Modified | N/A |
| File: Kernel Parameters Configuration File Modified | N/A |
| File: PAM Configuration Modified | N/A |
| File: Secret File Opens | N/A |
| File: SSH Authorized Keys File Modified | N/A |
| File: System Configuration File Changes | N/A |
| File: System File Changes | N/A |
| Host: Cloud Metadata Interface Communication | N/A |
| Host: Data Compression or Decompression Observed | N/A |
| Host: Data Encoding or Decoding Observed | N/A |
| Host: Data Encryption or Decryption Observed | N/A |
| Host: Excessive Root Login Failures from LAN | N/A |
| Host: Excessive Root Login Failures from WAN | N/A |
| Host: Excessive User Login Failures from LAN | N/A |
| Host: Execution of Hidden File | N/A |
| Host: New Group Added | N/A |
| Host: New User Added | MPAA DS-3.1 |
| Host: Possible Cryptomining Software | N/A |
| Host: SSH Command to Setup SOCKS Proxy | N/A |
| Host: SSHD SOCKS Proxy Traffic Observed | N/A |
| Kubernetes: Administrative Tool Usage | N/A |
| Network: Inbound Connection (Accepts) from LAN | N/A |
| Network: Inbound Connection (Accepts) from WAN | N/A |
| Network: Outbound Connection (Connects) to LAN | N/A |
| Network: Outbound Connection (Connects) to WAN | N/A |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | N/A |
| Threat Intelligence: Outbound Connection (Connects) to WAN | N/A |
| User: Data Movement inside LAN | N/A |
| User: Multiple Sudo Failures | N/A |
| User: Possible Data Download | MPAA DS-9.3 |
| User: Possible Data Exfiltration | N/A |
| User: Potentially Suspicious Command Usage v2 | MPAA DS-9.3 |
| User: Privilege Escalation Attempt via Sudo Vulnerability | N/A |
| User: Privilege Escalation Via Sudoedit Vulnerability | N/A |
| User: Privilege Escalations | MPAA DS-3.1 |
| User: Root Login from LAN | MPAA DS-3.1 and MPAA DS-3:2 |
| User: Root Login from WAN | MPAA DS-3.1 and MPAA DS-3:2 |
| User: Software Installation via Package Manager | N/A |
| User: Switch User to Non-Root User | N/A |
| User: System Time Changes | N/A |
| User: Terminated Employee Activity | MPAA DS-9.3 |
| User: User Login from LAN | MPAA DS-3.1 and MPAA DS-3:2 |
| User: User Login from WAN | MPAA DS-3.1 and MPAA DS-3:2 |
| Base Ruleset | Supports Criteria |
|---|---|
| Database: Connection from Command Line | N/A |
| Exploit: Kernel Module Activity | PCI 11.5 |
| Exploit: Process Activity from /dev/shm | N/A |
| Exploit: Process Activity from /tmp | PCI 10.6 |
| Exploit: Service Running as Root | PCI 10.1, 10.2, 10.3 |
| Exploit: Service Running Shell | PCI 10.6 |
| File: Canary File Opens | PCI 11.5 |
| File: Cron File Modified | N.A |
| File: Kernel Parameters Configuration File Modified | N/A |
| File: PAM Configuration Modified | N/A |
| File: Secret File Opens | PCI 11.5 |
| File: SSH Authorized Keys File Modified | N/A |
| File: System Configuration File Changes | PCI 11.5 |
| File: System File Changes | PCI 11.5 |
| Host: Cloud Metadata Interface Communication | N/A |
| Host: Data Compression or Decompression Observed | N/A |
| Host: Data Encoding or Decoding Observed | N/A |
| Host: Data Encryption or Decryption Observed | N/A |
| Host: Excessive Root Login Failures from LAN | PCI 10.2 and 10.3 and 11.4 |
| Host: Excessive Root Login Failures from WAN | N/A |
| Host: Excessive User Login Failures from LAN | PCI 10.2 and 10.3 and 11.4 |
| Host: Execution of Hidden File | N/A |
| Host: New Group Added | N/A |
| Host: New User Added | PCI 10.2 |
| Host: Possible Cryptomining Software | N/A |
| Host: SSH Command to Setup SOCKS Proxy | N/A |
| Host: SSHD SOCKS Proxy Traffic Observed | N/A |
| Kubernetes: Administrative Tool Usage | N/A |
| Network: Inbound Connection (Accepts) from LAN | PCI 11.4 |
| Network: Inbound Connection (Accepts) from WAN | PCI 11.4 |
| Network: Outbound Connection (Connects) to LAN | PCI 11.4 |
| Network: Outbound Connection (Connects) to WAN | PCI 11.4 |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | PCI 11.4 |
| Threat Intelligence: Outbound Connection (Connects) to WAN | PCI 11.4 |
| User: Data Movement inside LAN | N/A |
| User: Multiple Sudo Failures | N/A |
| User: Possible Data Download | PCI 10.2 and 11.4 |
| User: Possible Data Exfiltration | PCI 10.2 and 11.4 |
| User: Potentially Suspicious Command Usage v2 | PCI 10.6 |
| User: Privilege Escalation Attempt via Sudo Vulnerability | N/A |
| User: Privilege Escalation Via Sudoedit Vulnerability | N/A |
| User: Privilege Escalations | PCI 10.2 |
| User: Root Login from LAN | PCI 10.2, 10.3, and 11.4 |
| User: Root Login from WAN | PCI 10.2, 10.3, and 11.4 |
| User: Software Installation via Package Manager | N/A |
| User: Switch User to Non-Root User | N/A |
| User: System Time Changes | PCI 10.4 |
| User: Terminated Employee Activity | N/A |
| User: User Login from LAN | PCI 10.2, 10.3, and 11.4 |
| User: User Login from WAN | PCI 10.2, 10.3, and 11.4 |
| Base Ruleset | Supports Criteria |
|---|---|
| Database: Connection from Command Line | N/A |
| Exploit: Kernel Module Activity | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| Exploit: Process Activity from /dev/shm | N/A |
| Exploit: Process Activity from /tmp | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| Exploit: Service Running as Root | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| Exploit: Service Running Shell | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| File: Canary File Opens | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| File: Cron File Modified | N/A |
| File: Kernel Parameters Configuration File Modified | N/A |
| File: PAM Configuration Modified | N/A |
| File: Secret File Opens | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| File: SSH Authorized Keys File Modified | N/A |
| File: System Configuration File Changes | SOC-2 (CC 3.4, 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| File: System File Changes | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| Host: Cloud Metadata Interface Communication | N/A |
| Host: Data Compression or Decompression Observed | N/A |
| Host: Data Encoding or Decoding Observed | N/A |
| Host: Data Encryption or Decryption Observed | N/A |
| Host: Excessive Root Login Failures from LAN | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) |
| Host: Excessive User Login Failures from WAN | N/A |
| Host: Excessive User Login Failures from LAN | N/A |
| Host: Execution of Hidden File | N/A |
| Host: New Group Added | N/A |
| Host: New User Added | SOC-2 (CC 4.1, 4.2, 5.3, 6.1, 7.2, 7.3, 7.4, 7.5, 8.1 & C 1.2) |
| Host: Possible Cryptomining Software | N/A |
| Host: SSH Command to Setup SOCKS Proxy | N/A |
| Host: SSHD SOCKS Proxy Traffic Observed | N/A |
| Kubernetes: Administrative Tool Usage | N/A |
| Network: Inbound Connection (Accepts) from LAN | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) |
| Network: Inbound Connection (Accepts) from WAN | SOC-2 (CC 3.2, 3.3, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) |
| Network: Outbound Connection (Connects) to LAN | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) |
| Network: Outbound Connection (Connects) to WAN | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) |
| Threat Intelligence: Outbound Connection (Connects) to WAN | SOC-2 (CC 3.2, 3.3, 3.4, 4.1, 4.2, 6.6, 7.2, 7.3, 7.4, & 7.5) |
| User: Data Movement inside LAN | N/A |
| User: Multiple Sudo Failures | N/A |
| User: Possible Data Download | SOC-2 (CC 1.3, 3.2, 3.3, 3.4, 4.1, 4.2, 5.1, 5.2, 6.1, 6.6, 7.3, 7.4, 7.5, & 8.1) |
| User: Possible Data Exfiltration | SOC-2 (CC 1.3, 3.2, 3.3, 4.1, 4.2, 5.1, 5.2, 6.1, 6.6, 7.3, 7.4, 7.5, & 8.1) |
| User: Potentially Suspicious Command Usage v2 | SOC-2 (CC 3.4, 4.1, 4.2, 6.1, 7.2, 7.3, 7.4, 7.5, & 8.1) |
| User: Privilege Escalation Attempt via Sudo Vulnerability | N/A |
| User: Privilege Escalation Via Sudoedit Vulnerability | N/A |
| User: Privilege Escalations | SOC-2 (CC 4.1, 6.1, 6.3, & 6.7) |
| User: Root Login from LAN | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) |
| User: Root Login from WAN | SOC-2 (CC 4.1, 6.1, 6.3, and 6.6) |
| User: Software Installation via Package Manager | N/A |
| User: Switch User to Non-Root User | N/A |
| User: System Time Changes | SOC-2 (CC 3.4) |
| User: Terminated Employee Activity | N/A |
| User: User Login from LAN | SOC-2 (CC 6.1) |
| User: User Login from WAN | SOC-2 (CC 6.1) |
| Base Ruleset | MITRE Criteria |
|---|---|
| Database: Connection from Command Line | T1567 |
| Exploit: Kernel Module Activity | T1014, T1547 |
| Exploit: Process Activity from /dev/shm | T1203 |
| Exploit: Process Activity from /tmp | T1203 |
| Exploit: Service Running as Root | T1190 |
| Exploit: Service Running Shell | T1059 |
| File: Canary File Opens | N/A |
| File: Cron File Modified | T1053 |
| File: Kernel Parameters Configuration File Modified | T1547, T1485, T1014, T1547 |
| File: PAM Configuration Modified | T1556, T1485 |
| File: Secret File Opens | N/A |
| File: SSH Authorized Keys File Modified | T1485, T1098 |
| File: System Configuration File Changes | T1574, T1548, T1546, T1531, T1485, T1087, T1068 |
| File: System File Changes | T1485 |
| Host: Cloud Metadata Interface Communication | T1552 |
| Host: Data Compression or Decompression Observed | T1560, T1204, T1074 |
| Host: Data Encoding or Decoding Observed | T1560, T1140, T1132, T1048 |
| Host: Data Encryption or Decryption Observed | T1486, T1140 |
| Host: Excessive Root Login Failures from LAN | T1110 |
| Host: Excessive User Login Failures from WAN | T1110, T1595 |
| Host: Excessive User Login Failures from LAN | T1110 |
| Host: Execution of Hidden File | T1564 |
| Host: New Group Added | N/A |
| Host: New User Added | T1136 |
| Host: Possible Cryptomining Software | T1496, T1041 |
| Host: SSH Command to Setup SOCKS Proxy | T1572, T1571, T1095, T1020 |
| Host: SSHD SOCKS Proxy Traffic Observed | T1572, T1571, T1095, T1020 |
| Kubernetes: Administrative Tool Usage | N/A |
| Network: Inbound Connection (Accepts) from LAN | N/A |
| Network: Inbound Connection (Accepts) from WAN | N/A |
| Network: Outbound Connection (Connects) to LAN | N/A |
| Network: Outbound Connection (Connects) to WAN | N/A |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | T1595, T1040 |
| Threat Intelligence: Outbound Connection (Connects) to WAN | T1048, T1041, T1020 |
| User: Data Movement inside LAN | T1570 |
| User: Multiple Sudo Failures | N/A |
| User: Possible Data Download | T1204, T1105 |
| User: Possible Data Exfiltration | T1567, T1074, T1048, T1041, T1020 |
| User: Potentially Suspicious Command Usage v2 | T1570, T1048, T1040 |
| User: Privilege Escalation Attempt via Sudo Vulnerability | T1548, T1203, T1068 |
| User: Privilege Escalation Via Sudoedit Vulnerability | T1548, T1203, T1068 |
| User: Privilege Escalations | T1548, T1068 |
| User: Root Login from LAN | T1078, T1021 |
| User: Root Login from WAN | T1078,T1021 |
| User: Software Installation via Package Manager | T1204, T1105 |
| User: Switch User to Non-Root User | N/A |
| User: System Time Changes | N/A |
| User: Terminated Employee Activity | N/A |
| User: User Login from LAN | T1078, T1021 |
| User: User Login from WAN | T1078, T1021 |