Threat Stack collects raw event data from the agents installed on your machines and delivers it to the Threat Stack application for processing. The Base Rule Set, plus any rules you create, then fire alerts on the events you want detail on.
This article explains the event rule types and the search syntax for each event type. With it you can search events more efficiently and write better suppressions and rule filters to refine what you see inside Threat Stack.
Threat Stack provides the following rule categories, one per event type.
| Type | Event type rules process... |
| --- | --- |
| Audit | Syscall events from the audit framework |
| CloudTrail | AWS CloudTrail events |
| File | Local file system events for file integrity monitoring |
| Host | Events triggered from host logs |
| Login | Local login events |
| Threat Intel | IP reputation events |
Search Syntax Best Practices
This section includes best practices that apply to searching across all event types:
- The search field is case sensitive; all event types must be lowercase (for example `event_type = "audit"`, not `"Audit"`).
- You can use parentheses to group multiple key-value pairs for the same key.
Threat Stack keeps CloudTrail's native case for compatibility reasons. The test filter is therefore case sensitive: an uppercase letter in the wrong place causes the test filter not to match even when the suppression or rule filter itself is correct.
Audit Event Syntax
Audit events are a readable, parseable version of Linux syscalls. They give a comprehensive view of all local actions taken by your operating system.
To search audit events, enter `event_type = "audit"` into the search field. Use the AND and OR operators to add key-value pairs to your search.
Notable key-value pairs for audit events include:
| Title (type) | Key-value pairs |
| --- | --- |
| Made connection (type = "connect") | src_addr, src_port, dst_port, ip, port, service, exe, user, group, PID, PPID, command, session |
| Accepted connection (type = "accept") | src_addr, src_port, ip, port, exe, user, group, PID, PPID, command, session |
| Start (type = "start") | exe, cwd, user, group, PID, PPID, command, session, arguments |
| Bind name to socket (type = "bind") | ip, port, exe, user, group, PID, PPID, command, session |
| Listen for socket connections (type = "listen") | exe, user, group, PID, PPID, command, session |
| Load a kernel module (type = "finit_module") | exe, user, group, PID, PPID, command, session |
| Get and set socket options (type = "setsockopt") | exe, user, group, PID, PPID, command, session, tty |
The ip and port fields are derived fields and mean different things for "connect" and "accept" events.
| Title (type) | Key-value pairs | Threat Stack use | Notes |
| --- | --- | --- | --- |
| Connect | ip and dst_port | The ip field is the destination IP of the connection. The port is the destination port (dst_port). | |
| Accept | ip and dst_port | The ip field is the source IP of the remote connection. The port is the ephemeral (negotiated) return port of the TCP connection. | Network events are TCP connections only and do not include UDP connections. |
CloudTrail Event Syntax
To search CloudTrail events, enter `event_type = "cloudtrail"` into the search field.
Because of the large number of CloudTrail events and key-value pairs generated, Threat Stack does not index them all, so not every key-value pair is searchable. In rare cases a key you want to search, filter, or suppress on will not be indexed and you will need to contact Threat Stack to have it implemented.
CloudTrail key-value pairs are case sensitive; examples include "eventSource", "eventName", "user", and "arnRole".
Operators such as "like", "ends_with", or "starts_with" automatically lowercase the query within Threat Stack, which causes the search to fail against these mixed-case keys and values. This applies only to event searches, not to rule cloning and creation, rule filters, or suppressions.
Notable CloudTrail Keys
AWS does not provide a CloudTrail validation API endpoint, so Threat Stack cannot tell a key-value pair that is not indexed from one that is invalid.
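To make the search semantics concrete, here is an added, illustrative Python model (not Threat Stack's code) that covers two points from the sections above: the derived ip/port fields of audit "connect" and "accept" events, and the case sensitivity of CloudTrail searches, including why "starts_with", "ends_with" and "like" fail against native-case values. The sample events are constructed; the raw dst_addr field on the connect event, AND binding tighter than OR, and "like" meaning substring match are assumptions, since the page does not specify them.

```python
"""Toy model of the event search semantics described on this page (added
illustrative code, not Threat Stack's): key = "value" pairs, AND / OR,
parentheses, and the like / starts_with / ends_with operators."""
import re

# Constructed sample events. Field names follow the page's tables; the values
# and the raw dst_addr field on the connect event are assumptions.
EVENTS = [
    {"event_type": "audit", "type": "connect", "user": "deploy", "exe": "/usr/bin/curl",
     "src_addr": "10.0.1.5", "src_port": "51234", "dst_addr": "198.51.100.7", "dst_port": "443"},
    {"event_type": "audit", "type": "accept", "user": "root", "exe": "/usr/sbin/sshd",
     "src_addr": "203.0.113.9", "src_port": "40021", "dst_port": "22"},
    {"event_type": "cloudtrail", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "user": "alice"},
]


def derive_ip_port(ev):
    """Derived ip/port: the destination for connect, the remote source for accept."""
    out = dict(ev)
    if ev.get("type") == "connect":
        out["ip"], out["port"] = ev["dst_addr"], ev["dst_port"]
    elif ev.get("type") == "accept":
        out["ip"], out["port"] = ev["src_addr"], ev["src_port"]  # ephemeral port
    return out


TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[A-Za-z_][\w.]*|=)')
OPS = {"=", "like", "starts_with", "ends_with"}


def tokenize(query):
    query, pos, toks = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad query near {query[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


def compare(op, value, query):
    if op == "=":
        return value == query  # exact, case-sensitive match
    # Per the page, these operators lowercase the query text in event search,
    # so they never match native-case CloudTrail values such as "DeleteBucket".
    q = query.lower()
    if op == "starts_with":
        return value.startswith(q)
    if op == "ends_with":
        return value.endswith(q)
    return q in value  # "like": assumed here to mean substring match


def matches(query, ev):
    """Recursive-descent evaluator; AND binds tighter than OR (assumption)."""
    ev, toks, pos = derive_ip_port(ev), tokenize(query), [0]

    def take():
        if pos[0] >= len(toks):
            raise ValueError("unexpected end of query")
        pos[0] += 1
        return toks[pos[0] - 1]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def term():
        if peek() == "(":
            take()
            result = disjunction()
            if take() != ")":
                raise ValueError("expected )")
            return result
        key, op, val = take(), take(), take()
        if op not in OPS or not (val.startswith('"') and val.endswith('"')):
            raise ValueError(f'expected key op "value", got {key} {op} {val}')
        # Keys are case-sensitive too: a missing or miscased key never matches.
        return key in ev and compare(op, ev[key], val[1:-1])

    def conjunction():
        result = term()
        while peek() == "AND":
            take()
            result = term() and result
        return result

    def disjunction():
        result = conjunction()
        while peek() == "OR":
            take()
            result = conjunction() or result
        return result

    result = disjunction()
    if peek() is not None:
        raise ValueError("trailing tokens in query")
    return result


def search(query, events=EVENTS):
    """Return the indexes of the events that match the query."""
    return [i for i, ev in enumerate(events) if matches(query, ev)]
```

Running `search('eventName = "DeleteBucket"')` finds the CloudTrail event, while `search('eventName starts_with "Delete"')` and `search('eventname = "DeleteBucket"')` both return nothing, which is the behaviour to expect before concluding that a suppression or filter is wrong.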
File Event Syntax
To search file integrity monitoring events, enter `event_type = "file"` into the search field.
Common searches are by filename, command, arguments, or user.
| Title (type) | Key-value pairs |
| --- | --- |
| File (event_type = "file") | filename, command, arguments, user |
Host Event Syntax
To search host events, enter `event_type = "host"` into the search field. Host events include:
- Login sessions: open and close
- Privilege escalations: successful and failed
- Failed login sessions
Key Value Pairs
Search by user, by group (the value must match the expected syntax exactly, for example "authentication-success", "authentication_failed", or "invalid_login"; otherwise the search fails), or by source IP ("src_ip").
Threat Stack differentiates between a failed privilege escalation and a failed login session.
You can also search by "sigid", which distinguishes between kinds of privilege escalation.
Login Event Syntax
To search login events, enter `event_type = "login"` into the search field.
Common searches for login events use "src_ip", "server", or "src_host". Logout events are covered as host events.
Key Value Pairs
In a key-value pair the key is the field name and the value is the data in it, so for "src_ip" the value is the IP address itself. Searching on "agent" searches the "hostname" field.
Threat Intel Event Syntax
Threat Intel refers to threat intelligence. To search Threat Intel events, enter `event_type = "threatintel"` into the search field.
Three key-value pairs matter most: "threatintel_source" (which list the indicator came from), "threatintel_reason" (its reputation), and "ip" (the address it came from).
| Key-value pairs |
| --- |
| user, command, arguments, port |
| threatintel_source, threatintel_reason, ip |