Event Based Rules Syntax

Threat Stack collects raw event data from the Agents installed on your machines and delivers it to the Threat Stack Cloud Security PlatformⓇ (CSP) to be processed. Then, we utilize the Base Ruleset and any rules you created to trigger alerts based on information you want reported.

This article explains the types of event rules and the syntax associated with the events. This information will enable you to search for events more efficiently, and make better suppressions and rule filters to refine the information you see inside of Threat Stack.

Rule Categories

Threat Stack provides one rule category per event type:

Type                       Events the rules process
Audit                      Syscall events from the Linux audit framework
CloudTrail                 AWS CloudTrail events
File                       Local file system events for file integrity monitoring
Host                       Events triggered from host logs
Windows                    Windows Agent events
Login                      Local login events
Threat Intel               IP reputation events
Kubernetes Audit           Kubernetes orchestration events
Kubernetes Configuration   Kubernetes configuration events

Search Syntax Best Practices

This section lists best practices that apply to searching across all event types:

  • The search field is case sensitive.
  • Use parentheses to group several values for the same parameter or key value pair, for example (type = “connect” OR type = “accept”).
  • The Alert Details section provides an Add to Search option, which adds the alert's key values to your search with the correct syntax.
  • The “server” key, which identifies the agent, means the same thing across all event types: it matches the agent's hostname.

Note

Threat Stack keeps the native (mixed) case of CloudTrail keys for compatibility reasons. The test filter is therefore case sensitive: uppercase letters in a key will cause the test filter not to match, even when the suppression or rule filter itself is correct.

Audit Event Syntax

Audit events are a readable, parseable rendering of Linux syscalls, giving a comprehensive view of the local actions taken on the host's operating system.

To search an audit event, enter event_type = “audit” into the search field. You can use AND or OR operators to add key values to your search.

Notable key value pairs for audit events include:

Title (type)                                      Key value pairs
Made connection (type = “connect”)                src_addr, src_port, dst_port, ip, port, service, exe, user, group, PID, PPID, command, session
Accepted connection (type = “accept”)             src_addr, src_port, ip, port, exe, user, group, PID, PPID, command, session
Start (type = “start”)                            exe, cwd, user, group, PID, PPID, command, session, arguments
Bind name to socket (type = “bind”)               ip, port, exe, user, group, PID, PPID, command, session
Listen for socket connections (type = “listen”)   exe, user, group, PID, PPID, command, session
Load a kernel module (type = “finit_module”)      exe, user, group, PID, PPID, command, session
Get and set socket options (type = “setsockopt”)  exe, user, group, PID, PPID, command, session, tty

The ip and port fields are derived fields and mean different things for “connect” and “accept” events:

Type      Derived fields   Threat Stack use
connect   ip, port         ip is the destination IP of the connection; port is the destination port (the same value as dst_port).
accept    ip, port         ip is the source IP of the remote peer; port is the remote peer's ephemeral (negotiated) port for the TCP connection, not the local listening port.

Network events cover TCP connections only and do not include UDP traffic.

CloudTrail Event Syntax

To search for a CloudTrail event, enter event_type = “cloudtrail” into the search field.

Because CloudTrail generates a very large number of events and key value pairs, Threat Stack does not index all of them, so not every key value pair is searchable. In rare cases you may need to contact Threat Stack to have a value you want to search, filter, or suppress added to the index.

Warning

CloudTrail key value pairs are case sensitive. Examples include “eventSource”, “eventName”, “user”, and “arnRole”.

Using operators such as “like”, “ends_with”, or “starts_with” automatically lowercases the query within Threat Stack, so a search on a mixed-case CloudTrail key fails. This applies only to event searches, not to rule cloning and creation, rule filters, or suppressions.

Notable CloudTrail Keys
server
region
requestID
eventID
arnRole
accountId
timestamp
event_type
ip
eventName
eventSource
eventSourceType

Note

AWS does not provide a CloudTrail validation API endpoint, so Threat Stack cannot tell you whether a key value pair that returns nothing is not indexed or is simply invalid.
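
The search syntax described above, for the audit event searches and the case-sensitive CloudTrail keys alike, as an added example that is not part of this article and not Threat Stack's own search engine: a small Python evaluator for key = “value” terms combined with AND, OR and parentheses, run over constructed sample events. The sample events, the exact-match comparison, and the assumption that AND binds tighter than OR are this example's own; in real rule filters and suppressions, use parentheses rather than relying on precedence.

```python
"""Illustrative evaluator for Threat Stack-style event search expressions.
Added example, not Threat Stack's search engine: it supports only the subset of
syntax this article describes (key = "value" terms joined with AND / OR, grouped
with parentheses) and compares keys and values exactly, case sensitively."""
import re

# One token per match: "(", ")", AND/OR, or key = value (value quoted or bare).
_TOKEN = re.compile(
    r'\s*(?:(\()|(\))|\b(AND|OR)\b|([A-Za-z_][\w.]*)\s*=\s*(?:"([^"]*)"|([^\s()]+)))'
)

def tokenize(expr):
    """Split an expression into (kind, value) tokens; ValueError on bad syntax."""
    # The help centre renders typographic quotes; the real syntax uses ASCII ones.
    expr = expr.replace("\u201c", '"').replace("\u201d", '"').strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad syntax at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) or m.group(2):
            tokens.append(("PAREN", m.group(1) or m.group(2)))
        elif m.group(3):
            tokens.append(("OP", m.group(3)))
        else:
            value = m.group(5) if m.group(5) is not None else m.group(6)
            tokens.append(("TERM", (m.group(4), value)))
    return tokens

def parse(tokens):
    """Recursive descent: or_expr := and_expr (OR and_expr)*; and_expr := atom (AND atom)*.
    AND binding tighter than OR is an assumption of this example, not documented behaviour."""
    pos = 0
    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if expected and tok != expected:
            raise ValueError(f"expected {expected[1]!r}, got {tok}")
        return tok
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def or_expr():
        node = and_expr()
        while peek() == ("OP", "OR"):
            take()
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = atom()
        while peek() == ("OP", "AND"):
            take()
            node = ("and", node, atom())
        return node
    def atom():
        tok = take()
        if tok == ("PAREN", "("):
            node = or_expr()
            take(("PAREN", ")"))   # unbalanced parentheses are rejected here
            return node
        if tok[0] == "TERM":
            return ("term",) + tok[1]
        raise ValueError(f"unexpected token {tok}")
    tree = or_expr()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return tree

def matches(node, event):
    """Evaluate a parsed tree against one event (a dict of key value pairs)."""
    if node[0] == "term":
        # Exact comparison: eventName and eventname are different keys; "22" matches 22.
        return node[1] in event and str(event[node[1]]) == node[2]
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if node[0] == "and" else (left or right)

def search(expr, events):
    """Return the events that match a search expression."""
    tree = parse(tokenize(expr))
    return [e for e in events if matches(tree, e)]

# Constructed sample events shaped like the key value pairs this article lists.
SAMPLE_EVENTS = [
    # Outbound SSH: ip/port are the destination, as documented for "connect".
    {"event_type": "audit", "type": "connect", "exe": "/usr/bin/ssh", "user": "alice",
     "src_addr": "10.0.0.5", "src_port": 51234, "dst_port": 22, "ip": "203.0.113.9", "port": 22},
    # Inbound SSH: ip/port are the remote peer and its ephemeral port, as documented for "accept".
    {"event_type": "audit", "type": "accept", "exe": "/usr/sbin/sshd", "user": "root",
     "src_addr": "198.51.100.7", "src_port": 44012, "ip": "198.51.100.7", "port": 44012},
    {"event_type": "cloudtrail", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "region": "us-east-1", "ip": "198.51.100.7"},
    {"event_type": "cloudtrail", "eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
     "region": "us-east-1"},
]

if __name__ == "__main__":
    for expr in ('event_type = "audit" AND port = "22"',       # connect only: accept's port is ephemeral
                 'type = "accept" AND exe = "/usr/sbin/sshd"',  # the inbound side, found via exe
                 'eventSource = "cloudtrail.amazonaws.com"',    # native CloudTrail case: matches
                 'eventsource = "cloudtrail.amazonaws.com"'):   # wrong case: no match
        print(f"{expr!r}: {len(search(expr, SAMPLE_EVENTS))} match(es)")
```

Two points the sample run makes concrete: a search on port = “22” finds the outbound connect but not the inbound accept, because on an accept event port is the remote peer's ephemeral port, so the inbound side is better found by type = “accept” combined with exe or command; and a CloudTrail key typed in the wrong case simply returns nothing, which is indistinguishable from a key that is not indexed.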

File Event Syntax

To search for a file integrity monitoring event, enter event_type = ”file” into the search field.

Common searches are by filename, command, arguments, or user.

Title (type)                Key value pairs
File (event_type = “file”)  filename, command, arguments, user

Host Event Syntax

To search for host events, enter event_type = ”host” into the search field. Host events include:

  • Login sessions: open and close
  • Privilege escalations: successful and failed
  • Failed login sessions

Key value pairs
users
group
src_ip

Search by users, by group, or by source IP (src_ip). For group you must use the exact value, such as “authentication-success”, “authentication_failed”, or “invalid_login”; otherwise the search fails.

Note

Threat Stack differentiates between “privilege escalation failed” and a “failed login session”.

You can also search by “sigid”, which distinguishes between the kinds of privilege escalation.

Windows Event Syntax

To search for Windows events, enter event_type = ”winsec” into the search field.

Key value pairs
exe
parent_name
command
dst_ip
src_ip

Login Event Syntax

To search for login events, enter event_type = ”login” into the search field.

Common searches for login events include “src_ip”, "server" or “src_host”. Logout events are covered as Host events.

Key value pairs
src_host
agent
src_ip

Threat Intel Event Syntax

Threat Intel refers to Threat Intelligence. You can search for Threat Intel events using event_type = “threatintel” in the search field.

There are three important key value pairs: “threatintel_source”, “threatintel_reason”, and “ip”. They tell you which list the match came from (source), what the reputation finding is (reason), and which IP address was observed (ip).

Key value pairs
threatintel_source, threatintel_reason, ip
user, command, arguments, port

Kubernetes Audit Event Syntax

To search for Kubernetes audit events, enter event_type = ”kubernetesAudit” into the search field.

Key value pairs
action (orchestration action taken on the cluster)
resource.type (type of resource: pod, node, namespace)

Kubernetes Configuration Event Syntax

To search for Kubernetes configuration events, enter event_type = ”kubernetesConfig” into the search field.

Key value pairs
namespace
role_name
role_type
verbs