Rule Creation Overview


Threat Stack collects raw event data from the agents installed on your machines and delivers it to our back end for processing. The rules you create determine which events fire alerts, so you get detail on the activity you care about. The suppressions you define hide the events you have decided you do not need to be alerted on.

Rulesets can be thought of as buckets in which rules are built. Suppressions are associated directly with a rule. In most situations, a server must be assigned to a Ruleset in order for one of its rules to fire an alert. (This currently excludes CloudTrail rules, which rely on tags instead.)

Working with the Rules sidebar


Host Rule

Host rules monitor events generated by general activity in the OS.

Examples include Kernel activity, Network activity, and User activity.


File Rule

File rules monitor file changes and the integrity of the files themselves. In addition to creating the rule, you need to define the path to watch and the events to monitor.

Examples: file opens, deletes, modifications, and more.


CloudTrail Rule

A CloudTrail rule is built specifically to monitor your connected AWS CloudTrail service.

Example CloudTrail rules: IAM policy changes, too many API calls, and Access Denied events.


Threat Intelligence Rule

Threat Stack maintains a database of known threats and lets your rules reference it, so activity matching a known indicator can be alerted on.

Examples of Threat Intelligence rules are inbound or outbound connections to known-bad IP addresses, or system vulnerabilities identified by an agent scan.


Clone Existing Rule

Cloning lets you copy an existing rule and then alter it, or update it to catch new events, without building the rule from scratch.


