For information about the type of data Threat Stack collects through the Threat Stack Cloud Security PlatformⓇ, please see Threat Stack Cloud Security PlatformⓇ (CSP) Data Collection.
The Threat Stack Agent collects and monitors the following data:
|Process Audit Information||Subscribes to public-facing Linux kernel APIs to process starting, stopping, and making network connections. The kernel reports these as 'audit' events, and includes information from Docker and /proc.||Threat Stack is not a kernel module.|
|User Information||Login and command level activity of users. This includes user TTY timelines, file copies, privilege escalations, login failures, etc.|
|File Integrity Monitoring||Utilizing the Linux kernel's inotify and fanotify API, tracks and maps file access, modifications, deletions, or creations back to a process.||If the kernel is not >= 2.6.37, fanotify is not available and we only track generic file events.|
|Vulnerability Assessment||We pull the entire package manifest of all installed software (name and version numbers only) to our platform, which we scan for known vulnerable versions based on our database of CVEs.||For more information see the Vulnerability Assessment Feature article.|
AWS Data Collected
Threat Stack also collects information from your AWS accounts that you integrate with Threat Stack. The Threat Stack AWS integrations are read only policies for a cross account trust with Threat Stack. Threat Stack collects metadata about these resources. Resources are identified and listed by their Amazon Resource Name (ARN).
There are several integration options and when enabled these collect the following information:
|EC2 Integration||Receives, stores, and visualizes information about various EC2 resources. This includes information on running instances, with or without the Threat Stack agent installed.|
|CloudTrail||Periodically downloads the full event JSON from the S3 storage bucket.|
|Configuration Auditing||Performs daily or on demand audits of resources within several AWS services, such as: EC2, CloudTrail, IAM, RDS, S3.|
These results and configuration information about these resources is limited to a listing of respective AWS ARN and whether this resource passed or failed a policy evaluation.