Rule Creation Overview

Threat Stack collects raw event data from the Agents installed on your machines and delivers it to the Threat Stack Cloud Security Platform® (CSP) for processing. The rules you create determine which of that event data generates alerts. The suppressions you define on those rules determine which matching events are behavior you consider normal and therefore do not want to be notified about.

Rulesets can be thought of as buckets inside which rules are built. Suppressions are attached directly to a rule. In most cases a server must be associated with a ruleset before any rule in that ruleset can generate an alert for events from that server. CloudTrail rules are currently the exception: they are scoped by tags rather than by server membership.
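The following is an added illustrative model of the relationships described above, not Threat Stack code: it shows how ruleset membership, rule conditions and suppressions combine to decide whether a single event produces an alert. The simple key=value rule syntax, the event field names, the constructed sample events and the exact ordering of the checks are assumptions for this demo only; the product's own evaluation logic may differ.

```python
"""
Toy model of ruleset -> rule -> suppression evaluation (added example, not
Threat Stack's implementation). Field names and the key=value matcher are
assumptions chosen for this demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable

Event = dict                      # a constructed, flattened event record
Predicate = Callable[[Event], bool]


def match(**conditions) -> Predicate:
    """Predicate that is true when every given field equals the given value."""
    return lambda ev: all(ev.get(k) == v for k, v in conditions.items())


@dataclass
class Rule:
    name: str
    kind: str                     # "host", "file", "cloudtrail", ...
    when: Predicate               # condition that makes the rule fire
    suppressions: list = field(default_factory=list)  # any matching suppression silences the alert


@dataclass
class Ruleset:
    name: str
    rules: list
    servers: set = field(default_factory=set)  # servers associated with this bucket
    tags: set = field(default_factory=set)     # tag scope, used by CloudTrail rules instead of servers


def evaluate(ev: Event, rulesets: list) -> list:
    """Return (ruleset, rule, outcome) for every rule the event matches.

    outcome is "alert" when the rule fires, or "suppressed" when a suppression
    on that rule matched the event. Rules whose ruleset is out of scope for the
    event (server not associated, or no overlapping tag) are skipped entirely.
    """
    results = []
    for rs in rulesets:
        for rule in rs.rules:
            if rule.kind == "cloudtrail":
                in_scope = bool(rs.tags & set(ev.get("tags", [])))
            else:
                in_scope = ev.get("server") in rs.servers
            if not in_scope or not rule.when(ev):
                continue
            outcome = "suppressed" if any(s(ev) for s in rule.suppressions) else "alert"
            results.append((rs.name, rule.name, outcome))
    return results


# Constructed rulesets: one host/file bucket scoped by server, one CloudTrail bucket scoped by tag.
BASE = Ruleset(
    name="Base Ruleset",
    servers={"web-1", "web-2"},
    rules=[
        Rule("New user added", "host", match(type="host", syscall="useradd"),
             suppressions=[match(user="ansible")]),  # provisioning account is expected behavior
        Rule("/etc/passwd modified", "file", match(type="file", path="/etc/passwd", action="modify")),
    ],
)
CLOUDTRAIL = Ruleset(
    name="CloudTrail Ruleset",
    tags={"aws:prod"},
    rules=[Rule("IAM policy change", "cloudtrail", match(type="cloudtrail", eventName="PutUserPolicy"))],
)

# Constructed sample events covering: a plain alert, a suppressed match,
# an unassociated server, a file event, and CloudTrail events in and out of tag scope.
SAMPLE_EVENTS = [
    {"type": "host", "server": "web-1", "syscall": "useradd", "user": "root"},
    {"type": "host", "server": "web-1", "syscall": "useradd", "user": "ansible"},
    {"type": "host", "server": "db-9", "syscall": "useradd", "user": "root"},
    {"type": "file", "server": "web-2", "path": "/etc/passwd", "action": "modify"},
    {"type": "cloudtrail", "eventName": "PutUserPolicy", "tags": ["aws:prod"]},
    {"type": "cloudtrail", "eventName": "PutUserPolicy", "tags": ["aws:dev"]},
]


def run_samples() -> list:
    """Evaluate each sample event against both rulesets, in order."""
    return [evaluate(ev, [BASE, CLOUDTRAIL]) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, run_samples()):
        print(ev, "->", res or "no match")
```

Note that the third sample event matches the "New user added" condition but produces nothing because db-9 is not associated with any ruleset, and the last event is dropped because its tag does not overlap the CloudTrail ruleset's scope; a suppression only comes into play once the rule has already matched.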

The following rule types can be configured in the Threat Stack CSP.


Host Rule (Linux or Windows)

Host rules monitor events generated by general activity in the operating system (OS). Examples include kernel activity, network activity, and user activity. For additional information about configuring a host rule, see:

File Integrity Rule

File Integrity rules monitor changes to files and the integrity of the files themselves. In addition to creating the rule, you must define the path and the events to monitor.

Examples include file opens, file deletes, configuration file changes, and system file changes. For additional information about configuring a file integrity rule, see Creating a File Integrity Rule.

CloudTrail Rule

A CloudTrail rule is a rule built specifically to monitor your connected Amazon Web Services (AWS) CloudTrail service.

Examples of CloudTrail rules include IAM policy changes, excessive API calls, and access-denied responses. For additional information about configuring a CloudTrail rule, see Get Started with CloudTrail Alerting.

Threat Intelligence Rule

Threat Stack maintains a database of known threats that Threat Intelligence rules can reference when evaluating events.

Examples of Threat Intelligence rules include inbound or outbound connections to known-bad IP addresses, and system vulnerabilities revealed by an Agent scan. For additional information about configuring a threat intelligence rule, see Creating Threat Intelligence Rule Types.

Clone Existing Rule

Cloning copies an existing rule so you can modify it, for example to catch new events without rebuilding the rule from scratch. For additional information, see Clone Existing Rule.

Kubernetes Audit Rule

Kubernetes Audit rules monitor events generated by orchestration activity on nodes, pods, and containers, such as creations and modifications. For additional information about configuring a Kubernetes Audit rule, see Creating a Kubernetes Audit Rule.

Kubernetes Configuration Rule

Kubernetes Configuration rules monitor Role, RoleBinding, and ClusterRoleBinding events, which are generated periodically. For additional information about configuring a Kubernetes Configuration rule, see Creating a Kubernetes Configuration Rule.
