Threat Stack collects raw event data from the agents installed on your machines and delivers it to our back end to be processed. The rules you create determine which events fire alerts, so you get detail on the activity you want to know about. The suppressions you define hide the activity you are comfortable not being alerted on.
Rulesets can be thought of as buckets that rules are built inside. Suppressions are attached directly to a rule. In most situations, a server must be associated with a Ruleset bucket before a rule can fire an alert for that server. (CloudTrail rules are currently the exception; they rely on tags.)
Host rules monitor events generated from general activity in the OS.
Examples are things like kernel activity, network activity, and user activity.
File rules monitor changes to files and the integrity of the files themselves. In addition to creating the rule, you define the path and the events to monitor.
Examples: file opens, deletes, modifies, and more.
A CloudTrail rule is a rule built specifically to monitor your connected AWS CloudTrail service.
Example CloudTrail rules: IAM policy changes, too many API calls, and access denied.
Threat Intelligence Rule
Threat Stack provides a database of known threats and lets your rules reference it to keep you safe.
Examples of Threat Intelligence rules are inbound or outbound IP connections, or system vulnerabilities uncovered by an agent scan.
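The alerting model described above (rulesets as buckets of rules, suppressions attached to a rule, servers assigned to rulesets, and CloudTrail rules selected by tag instead) as a small added example. This is illustrative code written for this page, not Threat Stack's own implementation; the field names, the path-glob matching for file rules and the way tags select CloudTrail rules are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Hypothetical model of the page's concepts: a Ruleset is a bucket of Rules,
# each Rule carries its own suppressions, and servers are assigned to rulesets.
@dataclass
class Rule:
    name: str
    kind: str                     # "host", "file" or "cloudtrail"
    match: dict                   # event fields the rule requires
    path: str = "*"               # file rules only: monitored path pattern
    suppressions: list = field(default_factory=list)  # field sets that silence it
    tags: set = field(default_factory=set)            # cloudtrail rules: tags it applies to

@dataclass
class Ruleset:
    name: str
    rules: list

def rule_matches(rule, event):
    """True when the event is of the rule's kind and carries every required field."""
    if event.get("source") != rule.kind:
        return False
    if rule.kind == "file" and not fnmatch(event.get("path", ""), rule.path):
        return False
    return all(event.get(k) == v for k, v in rule.match.items())

def suppressed(rule, event):
    """A suppression silences the rule when all of its fields match the event."""
    return any(all(event.get(k) == v for k, v in s.items()) for s in rule.suppressions)

def evaluate(event, rulesets, server_rulesets):
    """Return the names of rules whose alert fires for one raw event."""
    fired = []
    for rs in rulesets:
        for rule in rs.rules:
            if rule.kind == "cloudtrail":
                if not rule.tags & set(event.get("tags", ())):
                    continue  # CloudTrail rules are selected by tag, not by server
            elif rs.name not in server_rulesets.get(event.get("server"), ()):
                continue  # server is not in this bucket, so its rules never fire
            if rule_matches(rule, event) and not suppressed(rule, event):
                fired.append(rule.name)
    return fired

# Constructed sample data, not real Threat Stack configuration.
RULESETS = [Ruleset("base", [
    Rule("sudo-usage", "host", {"type": "user", "action": "sudo"},
         suppressions=[{"user": "deploy"}]),
    Rule("etc-modified", "file", {"action": "modify"}, path="/etc/*"),
    Rule("iam-policy-change", "cloudtrail", {"event": "PutUserPolicy"}, tags={"prod"}),
])]
SERVERS = {"web-1": {"base"}}  # web-2 is deliberately left out of every ruleset
```

A sudo event from web-1 fires sudo-usage unless the user is the suppressed deploy account, the same event from the unassigned web-2 fires nothing, and the CloudTrail rule fires only for events tagged prod.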
Clone Existing Rule
Cloning lets you copy a current rule and alter it, or update it to catch new events.