Threat Stack is a behavior-based anomaly detection platform. It works on telemetry delivered into the platform from various sources, including hosts and infrastructure.
What is an Alert?
Alerts are behavior anomalies elevated from the stream of raw telemetry by rule filters.
Alerts contain two main components:
- Alert Title - the name plus substitutions (dynamic content) that add context to the alert.
- Contributing Events - the raw telemetry events that caused the anomaly to be raised.
NOTE: The dynamic content should match the aggregation fields selected for the alert. The aggregation fields define the uniqueness of the alerts. See the "Life Cycle of an Alert" article for additional information on aggregations.
Why would an alert trigger?
Alerts trigger when Threat Stack detects a behavior anomaly deemed inappropriate based on rules that you enabled or created.
Rules require a filter to match behaviors against raw telemetry.
- Telemetry describes events and behavior anomalies.
- Rules describe the behaviors that you want to catch from the raw telemetry stream.
Example rule filters:
| Behavior to Catch | Rule Filter |
|---|---|
| Privilege escalations | command = "sudo" |
| User access | event_type = "login" |
NOTE: If a rule displays alerts for behavior you consider “baseline” or “normal”, you can create a suppression filter to have it no longer report that behavior. See the “How do I suppress Alerts?” article.
Threat Stack includes three levels of elevation of behaviors to indicate the severity of the alert:
1. Severity 1 (Sev 1): the highest elevation of behaviors.
   Use for behaviors and scenarios that should wake you up in the middle of the night. Only use for behavior anomalies where an action and remediation runbook exists.
2. Severity 2 (Sev 2): the second highest elevation of behaviors.
   Behaviors that you want to monitor and review with stakeholders to improve over time.
3. Severity 3 (Sev 3): the third highest elevation of behaviors.
   Behaviors that companies log for compliance or forensics purposes.
NOTE: Severity 3 alerts are automatically dismissed after 30 days.
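To make the pieces above concrete, here is a small added example (not Threat Stack's own engine or schema, and written for this article only) that runs the two rule filters from the table over a handful of constructed telemetry events. It shows how a rule filter elevates events into an alert, how the aggregation fields decide whether two matching events collapse into one alert or produce two, how a suppression filter removes "baseline" behavior before it alerts, how the title substitutions line up with the aggregation fields, and how the 30-day auto-dismiss for Sev 3 would apply. Field names (`host`, `user`, `event_type`, `command`, `args`, `ts`) and the rule definitions are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed telemetry events (illustrative only; not the platform's real schema).
TELEMETRY = [
    {"ts": "2024-05-01T09:00:00", "host": "web-01", "user": "alice", "event_type": "process", "command": "sudo", "args": "apt-get update"},
    {"ts": "2024-05-01T09:01:00", "host": "web-01", "user": "alice", "event_type": "process", "command": "sudo", "args": "systemctl restart nginx"},
    {"ts": "2024-05-01T09:02:00", "host": "web-02", "user": "bob", "event_type": "login", "command": "", "args": ""},
    {"ts": "2024-05-01T09:03:00", "host": "web-02", "user": "deploy", "event_type": "process", "command": "sudo", "args": "ansible-pull"},
    {"ts": "2024-05-01T09:04:00", "host": "web-01", "user": "alice", "event_type": "process", "command": "ls", "args": "-la"},
]


@dataclass
class Rule:
    name: str
    severity: int                 # 1 = highest, 3 = lowest, as in the article
    filt: dict                    # field -> required value, e.g. {"command": "sudo"}
    title: str                    # alert title with {field} substitutions
    aggregation: tuple            # fields that define alert uniqueness
    suppressions: list = field(default_factory=list)  # field->value dicts that describe baseline behavior


@dataclass
class Alert:
    rule: str
    severity: int
    title: str
    key: tuple
    contributing_events: list
    dismissed: bool = False


# Hypothetical rules mirroring the article's table. Note that each title only
# substitutes fields that are also aggregation fields (the article's NOTE).
RULES = [
    Rule("Privilege escalation", 2, {"command": "sudo"},
         "sudo run by {user} on {host}", ("host", "user"),
         suppressions=[{"user": "deploy"}]),      # automation account is considered baseline
    Rule("User access", 3, {"event_type": "login"},
         "Login by {user} on {host}", ("host", "user")),
]


def matches(filt, event):
    """A filter matches when every field it names has the required value."""
    return all(event.get(k) == v for k, v in filt.items())


def evaluate(rules, events):
    """Elevate matching telemetry into alerts, one alert per unique aggregation key."""
    alerts = {}
    for ev in events:
        for rule in rules:
            if not matches(rule.filt, ev):
                continue
            if any(matches(s, ev) for s in rule.suppressions):
                continue                          # suppressed: baseline behavior, no alert
            key = (rule.name,) + tuple(ev.get(f) for f in rule.aggregation)
            if key not in alerts:
                alerts[key] = Alert(rule.name, rule.severity, rule.title.format(**ev), key, [])
            alerts[key].contributing_events.append(ev)   # same key -> same alert, more evidence
    return list(alerts.values())


def auto_dismiss_sev3(alerts, now, max_age=timedelta(days=30)):
    """Apply the article's rule: Sev 3 alerts are dismissed automatically after 30 days."""
    for a in alerts:
        first_seen = datetime.fromisoformat(a.contributing_events[0]["ts"])
        if a.severity == 3 and now - first_seen > max_age:
            a.dismissed = True
    return alerts


if __name__ == "__main__":
    for a in auto_dismiss_sev3(evaluate(RULES, TELEMETRY), datetime(2024, 6, 15)):
        print(f"Sev {a.severity} | {a.title} | {len(a.contributing_events)} event(s) | dismissed={a.dismissed}")
```

Running it yields two alerts rather than four matching events: alice's two sudo commands on web-01 share an aggregation key and become one Sev 2 alert with two contributing events, the deploy account's sudo is suppressed, bob's login becomes a Sev 3 alert, and the plain `ls` never matches a filter. If the title had substituted `{args}` instead, each sudo invocation would read differently while still being folded into a single alert, which is the mismatch the article's aggregation NOTE warns about.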
Where do I find Alerts in the Threat Stack Application?
You find alerts and their information on the Alerts page. On the Alerts page you will see:
- Alerts sorted by severity, type, or active & dismissed
- Alerts Trends over time
On the Alerts page, you can:
- Select an alert to review the alert details
- Suppress an alert
- Dismiss an alert
See the “Life Cycle of An Alert” article for a full alert use case.