The Threat Stack Windows and Linux Agent contextualizes security data from deep within the operating system, and sends it to the Threat Stack Cloud Security Platform® for processing.
We monitor all user or group modifications to help you catch privilege escalations, attempts by unapproved sudo users, abnormal login or user access attempts, and other risky activity.
We watch for abnormal process events, deviations in the use of authorized ports and services, and other activity that could indicate malware or other dangerous command-and-control activity.
We alert you to risky activity on critical credential and configuration files, special system directories, and data exfiltration on sensitive files.
We identify changes to application services like web servers, database server binds, or proxy nodes, and other critical system service changes.
At a high level, the Threat Stack Agent is deployed in minutes to collect real-time security audit data from the operating system, handle file integrity monitoring (FIM), and capture user-space events. Threat Stack currently supports various versions of the following operating systems:
The Threat Stack Agent offers multiple deployment options, so you can add security without slowing DevOps velocity. Install the agent in minutes, with no additional infrastructure, via the following methods:
The agent captures all security audit signals by default from native OS subsystems like Linux Audit or the Windows Event Log. Agent data is enriched in the Threat Stack Cloud Security Platform®, where it's combined with metadata from EC2 instances, AWS management console activity, and more. This approach provides context-rich data that informs proactive security measures like threat hunting and predictive analytics, as well as the precision needed when reacting to an active cyber attack.
Most of the time, the agent is simply gathering data and securely sending it to the Threat Stack platform. The heavier processing happens platform-side, where events are parsed and alerts are fired. In the platform, all of the alerting is based on rules. Several hundred rules come out-of-the-box, and they are all directly customizable so you can ensure that security monitoring is fully tuned and optimized for specific workloads and compliance requirements. On the back end, raw event data is exportable off the platform and into your own S3 bucket.
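To make the "parse events, then fire rule-based alerts" flow concrete, here is an added example (not Threat Stack's own code or rule set) that groups constructed Linux Audit records by event id and applies three simple rules matching the categories above: user/group modification, a failed sudo attempt, and access to a credential file. The record layout follows the standard auditd key=value format; the rule names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Linux Audit records (not real captures). Records that
# belong to one event share the id after ':' in msg=audit(time:id).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 comm="usermod" exe="/usr/sbin/usermod"
type=EXECVE msg=audit(1700000000.101:501): argc=4 a0="usermod" a1="-aG" a2="sudo" a3="deploy"
type=USER_CMD msg=audit(1700000000.205:502): pid=4321 uid=1002 auid=1002 ses=7 msg='cwd="/home/dev" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=pts/0 res=failed'
type=SYSCALL msg=audit(1700000000.309:503): arch=c000003e syscall=257 success=yes exit=3 auid=1003 uid=1003 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1700000000.309:503): item=0 name="/etc/shadow" inode=1234 mode=0100640 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.410:504): arch=c000003e syscall=257 success=yes exit=3 auid=1003 uid=1003 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1700000000.410:504): item=0 name="/var/log/syslog" inode=99 mode=0100644 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')   # key=value, value may be quoted
EVENT_ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

ACCOUNT_TOOLS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "passwd", "chage"}
CREDENTIAL_FILES = {"/etc/shadow", "/etc/passwd", "/etc/gshadow", "/etc/sudoers"}

def parse_record(line):
    """Turn one audit line into a dict; USER_* records nest a second key=value list in msg='...'."""
    rec = {k: v.strip('"\'') for k, v in KV_RE.findall(line)}
    inner = rec.get("msg", "")
    if "=" in inner:
        rec.update({k: v.strip('"') for k, v in KV_RE.findall(inner)})
    return rec

def group_events(text):
    """Group records by audit event id so SYSCALL/EXECVE/PATH lines are evaluated together."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if m:
            events[int(m.group(1))].append(parse_record(line))
    return events

def apply_rules(event):
    """Return the names of rules that fire on one grouped event (hypothetical rule names)."""
    by_type = {r["type"]: r for r in event}
    alerts = []
    execve, user_cmd, path = by_type.get("EXECVE"), by_type.get("USER_CMD"), by_type.get("PATH")
    if execve and execve.get("a0") in ACCOUNT_TOOLS:
        alerts.append("user_or_group_modification")
    if user_cmd and user_cmd.get("exe", "").endswith("/sudo") and user_cmd.get("res") == "failed":
        alerts.append("failed_sudo_attempt")
    if path and path.get("name") in CREDENTIAL_FILES:
        alerts.append("credential_file_access")
    return alerts

def run_rules(text):
    """Map each event id to the list of alerts it raised (empty list means no alert)."""
    return {eid: apply_rules(recs) for eid, recs in group_events(text).items()}

if __name__ == "__main__":
    for eid, alerts in run_rules(SAMPLE_AUDIT).items():
        print(eid, alerts or "-")
```

The platform-side equivalent would also join the auid (login uid) and host metadata onto each alert; here the rules only decide whether an event fires.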
Host context gives you the data needed to eliminate false negatives and drive security alerting that's data-rich and actionable. Here are some common examples that the Threat Stack Agent is well positioned to capture: