Distributed Cloud AIP Data Collection


For information about the type of data F5 Distributed Cloud App Infrastructure Protection (AIP) collects through the Distributed Cloud AIP Cloud Security Platform, see Distributed Cloud AIP User and Event Data Collection.

Data Collected

The Distributed Cloud AIP Agent only collects security metadata from your environment. Your team controls where Agents are deployed, which Agents to adopt, and the AWS accounts with which to integrate.

The Distributed Cloud AIP Agent collects and monitors the following data:

Data Type Overview Notes
Process Audit Information Subscribes to public-facing Linux kernel APIs to process starting, stopping, and making network connections. The kernel reports these as 'audit' events, and includes information from Docker and /proc. Distributed Cloud AIP is not a kernel module.
User Information Login and command level activity of users. This includes user TTY timelines, file copies, privilege escalations, login failures, etc.  
File Integrity Monitoring Utilizing the Linux kernel's inotify and fanotify API, tracks and maps file access, modifications, deletions, or creations back to a process. If the kernel is not >= 2.6.37, fanotify is not available and we only track generic file events.
Vulnerability Assessment We pull the entire package manifest of all installed software (name and version numbers only) to our platform, which we scan for known vulnerable versions based on our database of CVEs.  For more information, see Vulnerability Assessment Feature

AWS Data Collected

Distributed Cloud AIP also collects information from your Amazon Web Services (AWS) accounts that you integrate with Distributed Cloud AIP. The Distributed Cloud AIP AWS integrations are read only policies for a cross account trust with Distributed Cloud AIP. Distributed Cloud AIP collects metadata about these resources. Resources are identified and listed by their Amazon Resource Name (ARN).

There are several integration options. When enabled, these collect the following information:

Data Type Overview
EC2 Integration Receives, stores, and visualizes information about various EC2 resources. This includes information on running instances, with or without the Distributed Cloud AIP Stack Agent installed.
CloudTrail Periodically downloads the full event JSON from the S3 storage bucket.
Configuration Auditing (legacy product) Performs daily or on demand audits of resources within several AWS services, such as: EC2, CloudTrail, IAM, RDS, S3.

These results and configuration information about these resources is limited to a listing of respective AWS ARN and whether this resource passed or failed a policy evaluation.

Was this article helpful?
2 out of 2 found this helpful