Post banner
Compliance 3 Min Read

Working With Threat Stack Sample Compliance Rule Sets

The Threat Stack Cloud Security Platform® is an important tool for companies with cloud compliance initiatives, including HIPAA, PCI, SOC 2, and FFIEC. To help our customers with these initiatives, Threat Stack has released four new example rulesets with monitoring rules that map to each of these compliance frameworks. This post is an introduction to these rule sets, and explains how to:

  • Request the rule sets
  • Use the compliance rule sets
  • Customize compliance rules
  • Create new compliance rules

(If you’re not a customer, this post will give you an excellent insight into one of Threat Stack’s powerful characteristics — the ability to create, clone, and edit rules in order to reflect the specific nature of your environment.)

Requesting a Compliance Rule Set

The example Compliance Rule Sets may already be present in your Threat Stack “org.” If not, please contact your Customer Success Representative who will arrange to have them installed for you.

Using a Compliance Rule Set

To use one of the Compliance Rule Sets, you need to assign it to a server:

  1. Click on the rule set to see which servers are using it:


  1. Select the servers you would like to assign to the rule set, and click the large blue button to assign the selected servers to the rule set:


Customizing Compliance Rules

Like any Threat Stack rules, you can customize Compliance Rules. In some cases — File Integrity Monitoring (FIM) rules for example — you must customize a rule for it to function effectively.

Here is a FIM rule from the PCI Rule Set:


You need to replace the default File Integrity Path with an actual path on the instance, containing customer data, that should be monitored. You can add additional paths. Check the “Recursive?” box to monitor sub-directories within a path.

Creating New Compliance Rules

The Compliance Rules were created, in most cases, by cloning rules from the Base Rule Set and mapping them to specific requirements of a compliance scheme such as PCI or HIPAA. Accordingly, you can use this method to easily create new Compliance Rules, or even an entirely new Compliance Rule Set. Here’s how.

PCI 10.2 and 10.3 require that all actions performed by users with administrative privileges be audited. You can easily create a rule to audit this activity by cloning and modifying the “Users: Privilege Escalations” rule from the Base Rule Set:

  1. Click the “New Rule” button in the PCI Rule Set and select “Clone Existing Rule.”


  1. Click “Next: Details.”
  1. Search for a rule with the title “privilege,” and select the “Users: Privilege Escalations” rule from the Base Rule Set. Then click the “Clone 1 Rule” button:


  1. You must now edit the Rule Name, Alert Title, and Alert Description to map them to the applicable PCI requirements:


  1. Click “Update Rule.” The newly cloned and edited rule is added to the PCI Rule Set.

Final Words . . .

We hope you are now ready to use the Compliance Rule Sets, customize rules, and even create your own rules. If you have any questions, your Customer Success Representative is ready to help you use these rule sets effectively to help achieve your compliance objectives.

If you’re interested in learning more about how to achieve compliance in the cloud, download a free copy of our Compliance Playbook for Cloud Infrastructure.