Threat Stack Data Collection

Data Collected

The Threat Stack Agent collects and monitors the following data:

Data Type: Process Audit Information
Overview: Subscribes to the Linux kernel's audit interface, a public kernel API, to observe processes starting, stopping, and making network connections. The kernel reports these as audit events; the agent supplements them with container information from Docker and process details from /proc.
Notes: Threat Stack is not a kernel module.

Data Type: User Information
Overview: Login and command-level activity of users, including per-user TTY timelines, file copies, privilege escalations, login failures, etc.
Notes: None.

Data Type: File Integrity Monitoring
Overview: Uses the Linux kernel's inotify and fanotify APIs to track file creations, modifications, deletions, and accesses, and maps each event back to the process that caused it.
Notes: fanotify requires kernel 2.6.37 or later. On older kernels only generic inotify file events are tracked; inotify events do not carry the PID of the process that touched the file, so per-process attribution is not available there.

Data Type: Vulnerability Assessment
Overview: The agent sends the full package manifest of installed software (package names and version numbers only) to the Threat Stack platform, which checks it against a database of CVEs for known-vulnerable versions.
Notes: For more information see the Vulnerability Assessment Feature article.
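As an added illustration of what the kernel audit events behind the Process Audit and User Information rows look like, and how process, login user, and command-line details are recovered from them, the following Python parser (written for this page, not Threat Stack's own code) groups raw audit records by their event serial number and folds each execve() into one process event. The audit log lines are constructed samples with made-up PIDs and timestamps; the key point they show is that the login UID (auid) survives sudo, so comparing auid with the effective uid is how a privilege escalation is attributed to the user who logged in. The syscall number 59 is execve on x86_64 only.

```python
import re
from collections import defaultdict

# Constructed sample: the records the kernel audit subsystem emits when a user
# who logged in as uid 1000 runs `sudo cat /etc/shadow`, followed by a plain `ls`.
# Records that share one serial (the number after the colon in msg=audit(...))
# belong to the same event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2e0 a2=55d3f0 a3=0 items=2 ppid=4120 pid=4133 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.101:1001): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.250:1002): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=4120 pid=4140 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.250:1002): argc=1 a0="ls"
"""

HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

EXECVE_SYSCALL_X86_64 = '59'


def parse_records(text):
    """Split raw audit lines into (type, timestamp, serial, {field: value}) tuples."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or a line this parser does not handle)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        records.append((m.group('type'), float(m.group('ts')),
                        int(m.group('serial')), fields))
    return records


def build_exec_events(text):
    """Group records by serial and fold each execve() into one process event."""
    by_serial = defaultdict(dict)
    for rtype, ts, serial, fields in parse_records(text):
        by_serial[serial]['ts'] = ts
        by_serial[serial][rtype] = fields

    events = []
    for serial, parts in sorted(by_serial.items()):
        sysc = parts.get('SYSCALL')
        if not sysc or sysc.get('syscall') != EXECVE_SYSCALL_X86_64:
            continue
        execve = parts.get('EXECVE', {})
        argc = int(execve.get('argc', 0))
        argv = [execve.get(f'a{i}', '') for i in range(argc)]
        auid, uid = int(sysc['auid']), int(sysc['uid'])
        events.append({
            'serial': serial,
            'ts': parts['ts'],
            'pid': int(sysc['pid']),
            'ppid': int(sysc['ppid']),
            'auid': auid,   # login uid: set at login and preserved across su/sudo
            'uid': uid,     # the user the process actually ran as
            'exe': sysc['exe'],
            'argv': argv,
            'tty': sysc.get('tty'),
            # a root process owned by a non-root login is the escalation signal
            'privilege_escalation': auid != uid and uid == 0,
        })
    return events


if __name__ == '__main__':
    for ev in build_exec_events(SAMPLE_AUDIT_LOG):
        print(ev)
```

Real audit streams also carry CWD, PATH, and SOCKADDR records under the same serial (the latter is how the network-connection side of the table row is attributed to a process); the grouping logic above extends to them unchanged.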

AWS Data Collected

Threat Stack also collects information from the AWS accounts you integrate with it. The integrations use read-only IAM policies attached to a role that establishes a cross-account trust with Threat Stack. Threat Stack collects metadata about the resources in those accounts; resources are identified and listed by their Amazon Resource Name (ARN).
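The integration described above rests on two IAM documents: the trust policy that lets the Threat Stack account assume a role in yours, and the permissions policy attached to that role. As an added example (not Threat Stack's own policy text), the Python below shows a representative pair and two checks a practitioner would run before enabling such an integration: that the trust is scoped to a single expected account with an sts:ExternalId condition, and that every allowed action is genuinely read-only. The account ID, external ID, and action list are placeholders; the ExternalId condition is the standard shape for a cross-account role and is an assumption here, not something this page states.

```python
import json

# Constructed example trust policy for the cross-account role the integration
# would assume. The account ID 111111111111 and the external ID are placeholders.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")

# Constructed example of a read-only permissions policy for that role, covering
# the services this page lists (EC2, CloudTrail, IAM, RDS, S3). The exact action
# list is illustrative.
PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*",
               "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
               "iam:Get*", "iam:List*",
               "rds:Describe*",
               "s3:ListAllMyBuckets", "s3:GetBucket*", "s3:GetObject"],
    "Resource": "*"
  }]
}
""")

# IAM action verbs that only read state; anything else is treated as a write.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup")


def _as_list(value):
    """IAM accepts a single string where a list is expected; normalize to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_account):
    """Return problems found in a cross-account trust policy (empty list == clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append("trust policy allows any AWS principal to assume the role")
            elif f":{expected_account}:" not in p:
                findings.append(f"unexpected trusted principal {p}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def non_read_only_actions(policy):
    """Return every allowed action that could change state rather than only read it."""
    writes = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                writes.append(action)  # service-wide wildcard includes writes
                continue
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                writes.append(action)
    return writes


if __name__ == "__main__":
    print("trust findings:", trust_policy_findings(TRUST_POLICY, "111111111111"))
    print("write actions: ", non_read_only_actions(PERMISSIONS_POLICY))
```

The verb-prefix test is deliberately strict: an action such as `s3:PutBucketPolicy` or `iam:CreateAccessKey` fails it, which is what you want from a role that exists only to let a third party read metadata.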

There are several integration options; when enabled, they collect the following information:

Data Type: EC2 Integration
Overview: Receives, stores, and visualizes information about EC2 resources, including running instances with or without the Threat Stack agent installed.

Data Type: CloudTrail
Overview: Periodically downloads the full event JSON from the S3 bucket your trail writes to.

Data Type: Configuration Auditing
Overview: Performs daily or on-demand audits of resources within several AWS services, such as EC2, CloudTrail, IAM, RDS, and S3.
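The CloudTrail row above says the full event JSON is downloaded from S3. As an added example (not Threat Stack's code) of what that object contains and which fields matter, the Python below builds a gzipped log file in the shape CloudTrail writes, decompresses it, and pulls out the actor ARN, event, source IP, and the readOnly flag for each record, then picks out the records a reviewer would look at first. The three events are constructed samples with a placeholder account ID.

```python
import gzip
import io
import json

# Constructed CloudTrail records in the shape CloudTrail writes to S3: one JSON
# object per file with a "Records" array. Account ID and addresses are made up.
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T12:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T12:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session"},
     "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T12:07:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
]}

IAM_WRITE_PREFIXES = ("Attach", "Put", "Create", "Delete", "Update", "Detach")


def make_gz_log(records):
    """Serialize records the way CloudTrail stores them: gzip-compressed JSON."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(records).encode())
    return buf.getvalue()


def load_cloudtrail_records(gz_bytes):
    """Decompress one CloudTrail S3 object and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as gz:
        return json.load(gz).get("Records", [])


def summarize(record):
    """The handful of fields most analysis starts from."""
    ident = record.get("userIdentity", {})
    service = record["eventSource"].split(".")[0]
    return {
        "time": record["eventTime"],
        "actor_arn": ident.get("arn"),
        "actor_type": ident.get("type"),
        "event": f"{service}:{record['eventName']}",
        "source_ip": record.get("sourceIPAddress"),
        "read_only": bool(record.get("readOnly", False)),
    }


def flag_events(records):
    """Records worth pulling out of the raw stream: root use, MFA-less console
    logins, and IAM changes."""
    flagged = []
    for r in records:
        ident = r.get("userIdentity", {})
        name = r.get("eventName", "")
        if ident.get("type") == "Root":
            flagged.append(("root-activity", name))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            flagged.append(("console-login-without-mfa", ident.get("arn")))
        if r.get("eventSource") == "iam.amazonaws.com" and name.startswith(IAM_WRITE_PREFIXES):
            flagged.append(("iam-change", name))
    return flagged


if __name__ == "__main__":
    recs = load_cloudtrail_records(make_gz_log(SAMPLE_RECORDS))
    for r in recs:
        print(summarize(r))
    print(flag_events(recs))
```

Note that the readOnly flag comes from CloudTrail itself, so an integration that only downloads and indexes the JSON still lets you separate the "Describe" noise from state changes without a per-service action list.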

The results and configuration information retained for these resources are limited to each resource's AWS ARN and whether it passed or failed a policy evaluation.
