Base Ruleset Compliance Matrix


Rulesets Overview

Threat Stack provides several rulesets to help you get started on your security journey – the Base Ruleset, the CloudTrail Base Ruleset, the Container Ruleset, and the Windows Ruleset. Because a base ruleset may not meet your organization's specific needs, Threat Stack also created alternate compliance rulesets based on:

  • HIPAA
  • ISO 27001
  • MPAA
  • PCI
  • SOC2

Threat Stack also uses rules in the Base Ruleset to mitigate risky activity recognized by the MITRE ATT&CK Matrices.

Base Ruleset and Matching Compliance Rulesets

To help clarify how these other compliance rulesets compare to the host's Base Ruleset, we created comparison charts for each compliance ruleset.

Comparison charts are available for HIPAA, ISO 27001, MPAA, PCI, SOC2 and MITRE. The HIPAA chart is shown below (N/A: no HIPAA criterion is mapped to that rule).

Base Ruleset rule                                           HIPAA criteria supported
----------------------------------------------------------  ------------------------
Database: Connection from Command Line                      N/A
Exploit: Kernel Module Activity                             HIPAA 164.308(a)(5)(ii)(B)
Exploit: Process Activity from /dev/shm                     N/A
Exploit: Process Activity from /tmp                         HIPAA 164.308(a)(5)(ii)(B)
Exploit: Service Running as Root                            HIPAA 164.308(a)(5)(ii)(B)
Exploit: Service Running Shell                              N/A
File: Canary File Opens                                     HIPAA 164.312(b)
File: Cron File Modified                                    N/A
File: Kernel Parameters Configuration File Modified         N/A
File: PAM Configuration Modified                            N/A
File: Secret File Opens                                     HIPAA 164.312(b)
File: SSH Authorized Keys File Modified                     N/A
File: System Configuration File Changes                     HIPAA 164.312(b)
File: System File Changes                                   HIPAA 164.312(b)
File: System Logs Deleted                                   HIPAA 164.312(b)
Host: Cloud Metadata Interface Communication                N/A
Host: Data Compression or Decompression Observed            N/A
Host: Data Encoding or Decoding Observed                    N/A
Host: Data Encryption or Decryption Observed                N/A
Host: Excessive Root Login Failures from LAN                HIPAA 164.308(a)(5)(ii)(C)
Host: Excessive User Login Failures from WAN                N/A
Host: Excessive User Login Failures from LAN                HIPAA 164.308(a)(5)(ii)(C)
Host: Execution of Hidden File                              N/A
Host: New Group Added                                       N/A
Host: New User Added                                        HIPAA 164.308(a)(3)(ii)(A)
Host: Possible Cryptomining Software                        N/A
Host: SSH Command to Setup SOCKS Proxy                      N/A
Host: SSHD SOCKS Proxy Traffic Observed                     N/A
Kubernetes: Administrative Tool Usage                       N/A
Network: Inbound Connection (Accepts) from LAN              HIPAA 164.312(b)
Network: Inbound Connection (Accepts) from WAN              HIPAA 164.312(b)
Network: Outbound Connection (Connects) to LAN              HIPAA 164.312(b)
Network: Outbound Connection (Connects) to WAN              HIPAA 164.312(b)
Threat Intelligence: Inbound Connection (Accepts) from WAN  N/A
Threat Intelligence: Outbound Connection (Connects) to WAN  N/A
User: Data Movement inside LAN                              HIPAA 164.312(b)
User: Multiple Sudo Failures                                N/A
User: Possible Data Download                                HIPAA 164.312(b)
User: Possible Data Exfiltration                            HIPAA 164.312(b)
User: Potentially Suspicious Command Usage v2               HIPAA 164.308(a)(5)(ii)(B)
User: Privilege Escalation Attempt via Sudo Vulnerability   N/A
User: Privilege Escalation Via Sudoedit Vulnerability       N/A
User: Privilege Escalations                                 HIPAA 164.308(a)(4)(i)
User: Root Login from LAN                                   HIPAA 164.308(a)(5)(ii)(C)
User: Root Login from WAN                                   HIPAA 164.308(a)(5)(ii)(C)
User: Software Installation via Package Manager             N/A
User: Switch User to Non-Root User                          N/A
User: System Time Changes                                   N/A
User: Terminated Employee Activity                          N/A
User: User Login from LAN                                   HIPAA 164.308(a)(5)(ii)(C)
User: User Login from WAN                                   HIPAA 164.308(a)(5)(ii)(C)
