Rule Creation Overview


Threat Stack collects raw event data from the agents installed on your machines and delivers it to our back end to be processed. The rules you create determine which events fire alerts, and the suppressions you define hide the events you are comfortable not being alerted on.

Rulesets can be thought of as buckets that rules are built inside of. Suppressions are then associated directly with a rule. In most situations, a server must be associated with a Ruleset bucket for one of its rules to fire an alert. (CloudTrail rules are currently the exception: they rely on tags rather than server membership.)
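To make the ruleset/rule/suppression relationships concrete, here is an added illustrative model (constructed for this article, not Threat Stack's own code). It assumes a simple key/value match for rules and suppressions, server membership for host and file rulesets, and tag overlap for CloudTrail rulesets.

```python
from dataclasses import dataclass, field

# Constructed model (not Threat Stack's code) of the relationships described above:
# rules live inside rulesets, suppressions hang off a rule, and a host/file rule can
# only fire for a server that is a member of the rule's ruleset. CloudTrail rules
# are scoped by tags instead of server membership. Matching semantics are assumed.

@dataclass
class Rule:
    name: str
    source: str            # "host", "file" or "cloudtrail"
    match: dict            # every key/value here must appear in the event
    suppressions: list = field(default_factory=list)  # event matching any is silenced

@dataclass
class Ruleset:
    name: str
    rules: list
    servers: set = field(default_factory=set)  # members, used by host/file rules
    tags: set = field(default_factory=set)     # used by CloudTrail rules only

def _matches(event, cond):
    return all(event.get(k) == v for k, v in cond.items())

def in_scope(ruleset, event):
    """Is this ruleset's bucket applicable to the event at all?"""
    if event["source"] == "cloudtrail":
        return bool(ruleset.tags & set(event.get("tags", [])))
    return event.get("server") in ruleset.servers

def evaluate(event, rulesets):
    """Return names of the rules that would produce an alert for `event`."""
    fired = []
    for rs in rulesets:
        if not in_scope(rs, event):
            continue
        for rule in rs.rules:
            if rule.source != event["source"] or not _matches(event, rule.match):
                continue
            if any(_matches(event, s) for s in rule.suppressions):
                continue  # suppressed: the user chose not to be alerted on this
            fired.append(rule.name)
    return fired

# Constructed sample data: two rulesets, one suppression on web-2.
PROD = Ruleset("prod-hosts", servers={"web-1", "web-2"}, rules=[
    Rule("root-login", "host", {"type": "login", "user": "root"},
         suppressions=[{"server": "web-2"}]),
    Rule("passwd-modified", "file", {"type": "file_modify", "path": "/etc/passwd"}),
])
CT = Ruleset("aws-prod", tags={"env:prod"}, rules=[
    Rule("iam-policy-change", "cloudtrail", {"eventName": "PutUserPolicy"}),
])
RULESETS = [PROD, CT]
```

A root login on web-1 fires `root-login`, the same event on web-2 is suppressed, and on a server outside the ruleset nothing fires, which is the membership requirement the paragraph above describes.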

Working with the Rules sidebar


Host Rule

Host rules monitor events generated by general activity in the OS.

Examples include kernel activity, network activity, and user activity. Click here for more


File Rule

File rules monitor changes to files and the integrity of the files themselves. In addition to creating the rule, you need to define the path and the events to monitor.

Examples: file opens, deletes, modifications, and more. Click here for more


CloudTrail Rule

A CloudTrail rule is built specifically to monitor your connected AWS CloudTrail service.

Example CloudTrail rules: IAM policy changes, Too many API calls, and Access denied. Click here for more


Threat Intelligence Rule

Threat Stack provides a database of known threats that your rules can reference to keep you safe.

Examples of Threat Intelligence rules are inbound or outbound connections to known-bad IP addresses, or system vulnerabilities uncovered by an agent scan. Click here for more


Clone Existing Rule

Clone an existing rule and alter it, or update it to catch new events. Click here for more
