Rule Creation Overview

Threat Stack collects raw event data from the Agents installed on your machines and delivers it to the Threat Stack Cloud Security Platform® (CSP) to be processed. Threat Stack uses the rules you create to initiate alerts based on the information you want reported. Your defined suppressions determine whether you are notified about behavior you consider normal.

Rulesets can be considered buckets, inside of which rules are built. Suppressions are then associated with the rule directly. In most cases, a server must be associated with a ruleset bucket in order for an alert to be initiated by a rule (this currently excludes CloudTrail rules, which rely on tags instead).
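The relationship described above (rulesets as buckets of rules, suppressions attached directly to a rule, servers associated with rulesets, and CloudTrail rules matched by tag rather than by server) can be modelled in a few dozen lines. The following is an added example written for this article and is not Threat Stack code; the rule names, event fields, tags and server names are all constructed for illustration.

```python
"""Toy model of the ruleset / rule / suppression relationship (constructed example, not Threat Stack code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    rule_type: str                       # "host", "file", "cloudtrail", ...
    matches: Callable[[Event], bool]     # condition under which the rule fires
    suppressions: List[Callable[[Event], bool]] = field(default_factory=list)

    def alerts_on(self, event: Event) -> bool:
        """A rule alerts when it matches and none of its suppressions covers the event."""
        if not self.matches(event):
            return False
        return not any(suppress(event) for suppress in self.suppressions)


@dataclass
class Ruleset:
    name: str
    rules: List[Rule] = field(default_factory=list)
    tags: set = field(default_factory=set)  # used for tag-based (CloudTrail) matching


@dataclass
class Platform:
    rulesets: Dict[str, Ruleset]
    server_rulesets: Dict[str, List[str]]   # server name -> associated ruleset names

    def evaluate(self, event: Event) -> List[str]:
        """Return the names of every rule that alerts on this event."""
        alerts = []
        for ruleset in self.rulesets.values():
            for rule in ruleset.rules:
                if rule.rule_type == "cloudtrail":
                    # CloudTrail rules rely on tags, not on a server association
                    applicable = bool(set(event.get("tags", ())) & ruleset.tags)
                else:
                    # Every other rule type needs the event's server in the ruleset bucket
                    applicable = ruleset.name in self.server_rulesets.get(event.get("server"), [])
                if applicable and rule.alerts_on(event):
                    alerts.append(rule.name)
        return alerts


def build_example_platform() -> Platform:
    """Constructed sample rulesets; names and conditions are illustrative only."""
    passwd_rule = Rule(
        name="etc-passwd-modified",
        rule_type="file",
        # A file integrity rule names the path and the events to watch
        matches=lambda e: (e.get("type") == "file"
                           and e.get("path") == "/etc/passwd"
                           and e.get("action") in {"modify", "delete"}),
        # Suppression: changes by the configuration-management user are expected
        suppressions=[lambda e: e.get("user") == "ansible"],
    )
    user_add_rule = Rule(
        name="new-user-added",
        rule_type="host",
        matches=lambda e: e.get("type") == "host" and e.get("exe") == "/usr/sbin/useradd",
    )
    iam_rule = Rule(
        name="iam-policy-change",
        rule_type="cloudtrail",
        matches=lambda e: (e.get("type") == "cloudtrail"
                           and str(e.get("eventName", "")) in {"PutRolePolicy", "AttachRolePolicy"}),
    )
    base = Ruleset(name="base", rules=[passwd_rule, user_add_rule])
    aws_prod = Ruleset(name="aws-prod", rules=[iam_rule], tags={"env:prod"})
    return Platform(
        rulesets={"base": base, "aws-prod": aws_prod},
        server_rulesets={"web-1": ["base"]},  # db-1 is deliberately left unassociated
    )


# Constructed sample events, one per case the article describes
SAMPLE_EVENTS = [
    {"type": "file", "server": "web-1", "path": "/etc/passwd", "action": "modify", "user": "root"},
    {"type": "file", "server": "web-1", "path": "/etc/passwd", "action": "modify", "user": "ansible"},
    {"type": "file", "server": "db-1", "path": "/etc/passwd", "action": "modify", "user": "root"},
    {"type": "host", "server": "web-1", "exe": "/usr/sbin/useradd", "user": "root"},
    {"type": "cloudtrail", "eventName": "AttachRolePolicy", "tags": ["env:prod"]},
    {"type": "cloudtrail", "eventName": "AttachRolePolicy", "tags": ["env:dev"]},
]

if __name__ == "__main__":
    platform = build_example_platform()
    for event in SAMPLE_EVENTS:
        print(event, "->", platform.evaluate(event))
```

The second event shows a suppression silencing a matching rule, the third shows a server that is not in any ruleset bucket producing no alert even though the rule would match, and the last two show a CloudTrail rule being selected by tag with no server involved.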

The following rule types can be configured in the Threat Stack CSP.


Host Rule (Linux or Windows)

Host rules monitor events generated from general activity in the Operating System (OS). Examples include kernel activity, network activity, and user activity. For additional information about configuring a host rule, please review the following articles:

File Integrity Rule

File rules are for monitoring file changes and integrity of the files themselves. In addition to creating the rule, you need to define the path and the events to monitor.

Examples include file opens, file deletes, configuration file changes, and system file changes. For additional information about configuring a file integrity rule, please review the Creating a File Integrity Rule article.

CloudTrail Rule

A CloudTrail rule is a rule built specifically to monitor your connected Amazon Web Services (AWS) CloudTrail service.

Examples of CloudTrail rules include IAM policy changes, too many API calls, and access denied. For additional information about configuring a CloudTrail rule, please review the Get Started with CloudTrail Alerting article.

Threat Intelligence Rule

Threat Stack provides a database of known threats that your rules can reference to help keep you safe.

Examples of Threat Intelligence rules are inbound or outbound IP connections, or system vulnerabilities unveiled after an Agent scan. For additional information about configuring a threat intelligence rule, please review the Creating Threat Intelligence Rule Types article.

Clone Existing Rule

Cloning lets you copy an existing rule and alter it, or update it to catch new events. For additional information, please review the Clone Existing Rule article.

Kubernetes Audit Rule

Kubernetes Audit rules monitor events generated from orchestration activity related to node/pod/container actions, such as creations and modifications. For additional information about configuring a Kubernetes Audit rule, please review the Creating a Kubernetes Audit Rule article.

Kubernetes Configuration Rule

Kubernetes Config rules monitor periodically generated events for roles, role bindings, and cluster role bindings. For additional information about configuring a Kubernetes Configuration rule, please review the Creating a Kubernetes Configuration Rule article.
