Overview: AWS EC2 Tags

Follow

Amazon Web Services (AWS) allows users to assign tags to their AWS resources. Tags are simple labels that consist of a customer-defined key and value. Examples include “role:webserver” or “env:production.”

Once you integrate Threat Stack and AWS, the Threat Stack Cloud Security Platform® automatically ingests EC2 tag information. You can then use tags to apply specific rules to servers. This simplifies and speeds up tuning and deployment, and improves relevancy of alerts.

Prerequisites
View AWS EC2 Tags
 

Note

AWS EC2 tags are not available for CloudTrail or Configuration Audit rules.

To see which tags are applied to a rule, in the Create Rule or Edit Rule dialog, click the Deployment interface.

Tip

If you do not see the Deployment interface, then your Threat Stack AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.

View tags from rules:

ViewTagsFromRules.png

View tags from alerts:

ViewTagsFromAlerts.png

Add AWS EC2 Tags
 

Note

AWS EC2 tags are not available for CloudTrail or Configuration Audit rules.

Add AWS EC2 tags when you create a rule
  1. Log into Threat Stack.
  2. Click Rules. In the right view pane, the Rules page displays.


    RuleSetNewRule.png

  3. Click the Rule Set to which to add the rule.
  4. Click the + New Rule button. In the right display pane the + Add Rule page displays.


    AddRulePage.png

  5. Do one of the following:
    • Select a type for your new rule (Host Rule, File Integrity Rule, or Threat Intelligence Rule).


      AddRuleNextDetails.png 

      1. Click the Next: Details button. The Add [Rule Type] Rule page displays.


        AddRuleDetails.png

      2. In the Rule Name (required) field, type the name of the rule. Threat Stack recommends using the rule’s purpose as a title.
      3. In the Alert Title (required) field, type the title of alerts tied to this rule. Threat Stack recommends using the rule name as the alert title.
      4. Click the Next: Filter button. The + Add Rule page displays the 3. [Rule Type] Filter Rule page.


        AddRuleFilter.png

      5. In the Apply the new rule to events that match this filter field, type the criteria by which the rule singles out events for further inspection by Threat Stack.
      6. Click the Next: Deployment button. The + Add Rule page displays the 4. Deployment Options page.

        Tip

        If you do not see the Deployment tab, then your Threat Stack AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.

        AddRuleDeployPage.png

      7. Click the Applied tags field, and from the drop-down menu select one or more AWS EC2 tags to apply to the rule.

        Tip

        This field is pre-populated with all tags available on your AWS resources.

        AddRuleSelectTag.png

      8. Click the Apply Tags button.


        AddRuleApplyTag.png

        The rule creates and the tag(s) apply to the rule. Within 10 minutes Threat Stack will process the rule and the tag(s), and apply the rule to any of your AWS hosts with a matching tag.

    • Clone an existing rule.
      1. Select the Clone Existing Rule type button.


        CloneRuleNextDetails.png

      2. Click the Next: Details button. The Clone Existing Rules page displays.


        CloneSelectRule.png

      3. Select the existing rule(s) to clone.
      4. Click the Clone [no.] Rule button. The new rule creates. In the right view pane, the rule details display.


        CloneRuleDetailsDisplay.png

      5. In the Deployment section of the rule, click in the Applied tags field, and select one or more AWS EC2 tags to apply to the rule.

        Tip

        • If you do not see the Deployment section, then your Threat Stack AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.
        • This field is pre-populated with all tags available on your AWS resources.

        CloneSelectTags.png

      6. Click the Apply Tags button.


        CloneApplyTags.png

        The rule creates and the tag(s) apply to the rule. Within 10 minutes Threat Stack will process the rule and the tag(s), and apply the rule to any of your AWS hosts with a matching tag.


Add AWS EC2 tags to an existing rule
  1. Log into Threat Stack.
  2. Click Rules. In the right view pane, the Rules page displays.


    AddExistSelectRule.png

  3. Select the rule to which to apply AWS EC2 tags. In the right view pane, the rule displays.
  4. In the Deployment section, click the Applied tags field, and select one or more AWS EC2 tags to apply to the rule.

    Tip

    • If you do not see the Deployment section, then your Threat Stack AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.
    • This field is pre-populated with all tags available on your AWS resources.

    CloneSelectTags.png

  5. Click the Apply Tags button.


    CloneApplyTags.png

    The tags apply to the rule. Within 10 minutes Threat Stack will process the tag(s), and apply the rule to any of your AWS hosts with a matching tag.


Add AWS EC2 tags to a rule from an alert
  1. Log into Threat Stack.
  2. Click Alerts. In the right view pane, alerts display.


    AlertsScreen.png

  3. Select an alert for the rule to which you want to apply an AWS EC2 tag.


    AlertsEditRuleLink.png

  4. Click the Edit Rule link. The Edit [Rule Type] Rule dialog displays.


    AlertEditRuleDialog.png

  5. Click the Deployment tab. The Deployment page displays.

    Tip

    If you do not see the Deployment tab, then your Threat Stack AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.

    AlertsDeploymentTab.png

  6. Click the Applied tags field, and from the drop-down menu select one or more AWS EC2 tags to apply to the rule.

    Tip

    This field is pre-populated with all tags available on your AWS resources.

    AlertsSelectTags.png

  7. Click the Apply Tags button.


    AlertsApplyTags.png

    The tags apply to the rule. Within 10 minutes Threat Stack will process the tags, and apply the rule to any of your AWS hosts with a matching tag.

Edit AWS EC2 Tags
 

You can change the AWS EC2 tags applied to rules at any time.

Edit AWS EC2 tags applied to a rule
  1. Log into Threat Stack.
  2. Click Rules. In the right view pane, the Rules page displays.


    EditRuleSelectTag.png

  3. Select the rule to which to edit AWS EC2 tag(s). In the right view pane, the rule displays.
  4. In the Deployment section, click the Applied tags field, and from the drop-down menu select one or more AWS EC2 tags to apply to the rule.

    Tip

    This field is pre-populated with all tags available on your AWS resources.

  5. Click the Apply Tags button.


    EditRuleApplyTags.png

    The tags apply to the rule. Within 10 minutes Threat Stack will process the tag(s), and apply the rule to any of your AWS hosts with a matching tag.


Edit AWS EC2 tags applied to a rule from an alert
  1. Log into Threat Stack.
  2. Click Alerts. In the right view pane, alerts display.


    AlertsScreen.png

  3. Select an alert for the rule to which you want to edit AWS EC2 tag(s).


    AlertsEditRuleLink.png

  4. Click the Edit Rule link. The Edit [Rule Type] Rule dialog displays.


    AlertEditRuleDialog.png

  5. Click the Deployment tab. The Deployment page displays.


    AlertsDeploymentTab.png

  6. Click the Applied tags field, and select one or more AWS EC2 tags to apply to the rule.

    Tip

    This field is pre-populated with all tags available on your AWS resources.

    AlertsSelectTags.png

  7. Click the Apply Tags button.


    AlertsApplyTags.png

    The tags apply to the rule. Within 10 minutes Threat Stack will process the tags, and apply the rule to any of your AWS hosts with a matching tag.

Delete AWS EC2 Tags

You can delete an AWS EC2 tag associated with a rule at any time.

Note

You cannot remove a tag from your AWS resources by deleting it from a rule in Threat Stack.

Delete AWS EC2 tags applied to a rule
  1. Log into Threat Stack.
  2. Click Rules. In the right view pane, the Rules page displays.


    DeleteRuleDetails.png

  3. Select the rule from which to delete AWS EC2 tag(s). In the right view pane, the rule displays.
  4. In the Deployment section, in the Applied tags field, click the X button next to the tag(s) to delete.


    DeleteApplyTags.png

    The tags delete from the rule.

  5. Click the Apply Tags button. The tags apply to the rule. Within 10 minutes Threat Stack will process the tag(s), and apply the rule to any of your AWS hosts with a matching tag.

Delete AWS EC2 tags applied to a rule from an alert
  1. Log into Threat Stack.
  2. Click Alerts. In the right view pane, alerts display.


    AlertsScreen.png

  3. Select an alert for the rule from which you want to delete AWS EC2 tag(s).


    AlertsEditRuleLink.png

  4. Click the Edit Rule link. The Edit [Rule Type] Rule dialog displays.


    AlertEditRuleDialog.png

  5. Click the Deployment tab. The Deployment page displays.


    DeleteAlertTags.png

  6. In the Applied tags field, click the X button next to the tag(s) to delete. The tags delete from the rule.
  7. Click the Apply Tags button. The tags apply to the rule. Within 10 minutes Threat Stack will process the tags, and apply the rule to any of your AWS hosts with a matching tag.

Related FAQs

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.