Threat Stack Agent Event Stream Use Cases


Threat Stack Agent & Event Stream Data Overview

This article is designed to help you understand the extensive capabilities of the event stream data collected by the Threat Stack Agent. The examples in this article can help you understand how to better monitor and alert on a few common cloud security use cases.

These are the fundamental ideas for how Threat Stack designed our security monitoring:

  • Event Processing - the Threat Stack Agent collects events around system, process, and user actions and streams them to the backend application.
  • Rule Based Identification - to isolate signal from noise, events are processed against system and user-defined Rule Sets to identify critical events of interest.
  • Alert Notification - identified issues generate alerts which generate notifications.
  • Alert Management - dismissing or suppressing alerts.

Use Cases

The Threat Stack Agent collects events around user activity, processes, hosts, and network connections. Our application backend correlates the event stream data to provide context for common security use cases.

User Access Monitoring

Use Case (1) Events of interest for any user and group modifications (Add/Remove/Modify) on production systems.

[Screenshot: UAM1.png]

[Screenshot: UAM2.png]

Use Case (2) Events for any user privilege escalations. A typical scenario is a customer that maintains an approved list of sudo users and wants alerting and a log trail for any violations.

[Screenshot: UAM-2.png]

Use Case (3) Detect unauthorized changes on production systems. Only the configuration management agent (Chef, Puppet, Ansible, Salt) is authorized for deploys, file copies, and installs; track any user violations for change operations.

[Screenshot: UAM3.png]

Use Case (4) Generate detailed events and an audit trail for all users' TTY sessions for activity monitoring.

[Screenshot: UAM4.png]

Use Case (5) Monitoring for any usage of privileged application user accounts.

[Screenshot: UAM5.png]

Use Case (6) Abnormal user login/access attempts (login rate, brute forcing, password attacks).

[Screenshot: UAM6.png]

 

System Integrity Monitoring

Use Case (1) An unauthorized kernel module or package is loaded or initialized on production systems (an indicator of rootkits or APT-type malware).

[Screenshot: SIM1.png]

Use Case (2) Detect deviations from, or any changes to, the authorized set of ports and services (process binds/opens).

[Screenshot: SIM2.png]

Use Case (3) Events for any new process connection states. A new ACCEPT/CONNECT typically indicates possible intrusion or command-and-control activity over unauthorized connectivity.

[Screenshot: SIM3.png]

Use Case (4) Track any unauthorized or abnormal process Start events by users or processes.

[Screenshot: SIM4.png]

Use Case (5) Audit trail activity for any critical file system changes, reads, transfers, and permission changes.

[Screenshot: SIM5.png]

File Integrity Monitoring

Use Case (1) Monitoring critical credential file access/modifications for misuse or abuse, which typically indicates insider threat activity.

[Screenshot: FM1.png]

Use Case (2) Monitor critical system directories (/boot/, /lib, /usr/lib, /bin/, /sbin, /etc) for new executables or binary replacement/modification, which typically indicates intrusion or command-and-control activity.

[Screenshot: FIM2.png]

Use Case (3) Monitor unauthorized modifications to system and application configuration files (e.g., sshd.conf, ntp.conf, resolv.conf, Apache, MySQL, etc.).

[Screenshot: FIM3.png]

Use Case (4) Monitor for any data exfiltration type activity on critical identified files (OPEN, COPY, TRANSFER). Insider threat scenarios typically involve stolen credential files, SSH keys, and certificates.

[Screenshot: FIM4.png]

Network Activity Monitoring

Use Case (1) Monitoring for any changes to critical system services (NTP, DNS, Syslog): daemon reconfiguration, or changes to port, destination, or source.

[Screenshot: NAM1.png]

Use Case (2) Monitoring for any System Application Service changes (Apache, DB Server Binds, Proxy, Application Services).

[Screenshot: NAM2.png]

Use Case (3) Monitoring for insecure protocol usage for system access (Telnet, FTP).

[Screenshot: NAM3.png]
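As an added illustration (not Threat Stack's code or rule syntax), the following Python sketch follows the Event Processing, Rule Based Identification and Alert Management ideas above, running constructed agent-style events through a small rule set for the sudo allowlist (User Access Monitoring use case 2), change-only-via-configuration-management (use case 3), user/group modification (use case 1) and credential file access (File Integrity Monitoring use case 1). The event field names, the allowlists and the (rule, host) suppression key are assumptions made for the example.

```python
"""Minimal rule-based processor over constructed agent-style events."""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample events (not real agent output); field names are assumed.
EVENTS = [
    {"type": "process", "host": "web-01", "user": "alice", "exe": "/usr/bin/sudo", "args": "sudo systemctl restart nginx"},
    {"type": "process", "host": "web-01", "user": "mallory", "exe": "/usr/bin/sudo", "args": "sudo cat /etc/shadow"},
    {"type": "user", "host": "web-01", "user": "root", "action": "useradd", "target": "deploy2"},
    {"type": "file", "host": "db-01", "user": "www-data", "path": "/etc/shadow", "action": "open"},
    {"type": "file", "host": "db-01", "user": "root", "exe": "/opt/chef/bin/chef-client", "path": "/etc/ntp.conf", "action": "write"},
    {"type": "file", "host": "db-01", "user": "bob", "exe": "/usr/bin/vim", "path": "/etc/ntp.conf", "action": "write"},
]

# Assumed policy inputs a customer would maintain.
APPROVED_SUDO_USERS = {"alice"}
CONFIG_MGMT_EXES = {"/opt/chef/bin/chef-client", "/usr/bin/puppet", "/usr/bin/ansible", "/usr/bin/salt-call"}
CREDENTIAL_FILES = {"/etc/shadow", "/root/.ssh/id_rsa"}
CONFIG_FILES = {"/etc/ntp.conf", "/etc/resolv.conf", "/etc/ssh/sshd.conf"}


@dataclass
class Rule:
    name: str
    severity: int                      # 1 = highest
    match: Callable[[dict], bool]      # predicate over one event


RULES = [
    Rule("UAM-1 user/group modification", 2, lambda e: e["type"] == "user"),
    Rule("UAM-2 sudo by unapproved user", 1,
         lambda e: e["type"] == "process" and e["exe"] == "/usr/bin/sudo" and e["user"] not in APPROVED_SUDO_USERS),
    Rule("UAM-3 change outside config management", 1,
         lambda e: e["type"] == "file" and e["action"] == "write" and e["path"] in CONFIG_FILES
         and e.get("exe") not in CONFIG_MGMT_EXES),
    Rule("FIM-1 credential file access", 1, lambda e: e["type"] == "file" and e["path"] in CREDENTIAL_FILES),
]


def evaluate(events: Iterable[dict], rules=RULES, suppressed=frozenset()) -> list:
    """Run each event through every rule; a (rule name, host) pair in `suppressed` is dismissed."""
    alerts = []
    for e in events:
        for r in rules:
            if r.match(e) and (r.name, e["host"]) not in suppressed:
                alerts.append({"rule": r.name, "severity": r.severity, "host": e["host"], "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for a in sorted(evaluate(EVENTS), key=lambda a: a["severity"]):
        print(f"sev{a['severity']} {a['rule']}: host={a['host']} user={a['user']}")
```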
