How Does Threat Stack Collect Data and What Data is Collected?


What does the Threat Stack Agent Monitor?

  • Linux kernel activity is monitored with tsauditd, which subscribes to public-facing kernel APIs (we are *not* a kernel module). This covers processes starting, stopping, and making network connections.

  • File system activity is monitored with the Linux kernel's inotify and fanotify APIs, which allow the agent to subscribe to specific files and directory trees.

  • Login/logout activity is monitored via standard Linux wtmp and btmp.

  • Additional details for individual events (metadata) are pulled from /proc. Network flow data is collected with conntrack, but only if enabled on the account; this is disabled in both the agent and the account by default.

What does the Threat Stack Agent Collect?

  • Process Information: Threat Stack collects process audit information such as processes starting, stopping, and making network connections. These are reported as 'audit' events by the kernel.

  • User Information: Threat Stack collects command-level activity of users. This includes user TTY timelines, file copies, privilege escalations, login failures, etc.

  • File and Directory Monitoring: Threat Stack reports file or directory changes such as OPEN, CLOSE, MODIFY, DELETE, etc. Using both the kernel's inotify and fanotify APIs, Threat Stack is able to track file accesses, modifications, deletions, and creations and map them back to a process. (Note: on kernels older than 2.6.37, fanotify is not available, so file events cannot be mapped back to an actual process; only generic file events are reported.)
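As an added illustration of the login/logout and login-failure monitoring described above (example code, not Threat Stack's own), the following parses the fixed-size records that wtmp and btmp are made of, pairs each login with the logout on the same tty line, and counts failed attempts per source host. It assumes glibc's struct utmp layout on x86_64 (384 bytes per record); the log records it reads are constructed sample data.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# glibc struct utmp on x86_64 (384 bytes); layout is an assumption, not taken from the article.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values from <utmp.h>

def _cstr(b):
    """Decode a NUL-padded fixed-width char field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(blob):
    """Yield one dict per fixed-size record in a wtmp/btmp byte blob."""
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _sess, tv_sec, _tv_usec, _addr) = struct.unpack_from(UTMP_FMT, blob, off)
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "time": tv_sec}

def sessions(records):
    """Pair each USER_PROCESS login with the DEAD_PROCESS record on the same tty line."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["host"], login["time"], r["time"]))
    return out

def failed_logins_by_host(records):
    """btmp holds one record per failed attempt, so counting records per host counts failures."""
    return Counter(r["host"] for r in records if r["type"] == USER_PROCESS)

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build a constructed utmp record (sample data, not a real log)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, b"\0" * 16)

# Constructed sample logs: one complete ssh session in wtmp, three failures in btmp.
WTMP = make_record(USER_PROCESS, 4242, "pts/0", "alice", "198.51.100.7", 1700000000) + \
       make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700000900)
BTMP = b"".join(make_record(USER_PROCESS, 0, "ssh:notty", u, h, 1700000000 + i)
                for i, (u, h) in enumerate([("root", "203.0.113.9"), ("admin", "203.0.113.9"),
                                             ("alice", "198.51.100.7")]))

if __name__ == "__main__":
    for user, host, start, end in sessions(parse_utmp(WTMP)):
        print(f"{user}@{host} logged in {datetime.fromtimestamp(start, timezone.utc)} for {end - start}s")
    print(failed_logins_by_host(parse_utmp(BTMP)))
```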

Threat Stack drops noisy events at the backend, such as those generated by date and who. Threat Stack also does NOT run arbitrary commands, actively open files (other than the well-known, standard Linux system files described above), inspect network traffic, or compute file hashes. Since only syscall metadata is collected, the chance of collecting any PII or PHI is minimal to non-existent. Furthermore, the Threat Stack agent makes only one outbound TCP connection, to our backend analytics service, and accepts no inbound TCP connections.
