Introducing Threat Stack Support for AWS Fargate

New Threat Stack Fargate Agent

As a customer, the same basic mechanics of your Threat Stack workflows apply to AWS Fargate metadata for alert generation, rule customization, threat hunting, and more. Simply deploy the Agent, ensure network connectivity, and security data starts flowing into your Threat Stack platform.

Our Fargate Agent runs as a sidecar and is defined as part of your Fargate task definition on Amazon ECS. The Agent monitors two key aspects of your Fargate runtime environment:

1. Process activity inside Fargate containers
2. Network flow data within, and external to, Fargate tasks

Threat Stack provides further context into Fargate with a full, real-time view into AWS CloudTrail logs. Applications that Fargate tasks are supporting receive additional runtime protection through Threat Stack Application Security Monitoring for Node.js, Python, and Ruby code. While we consolidate your view of this data on Threat Stack’s platform, it is additive to native AWS security controls for your Amazon VPC and AWS IAM permissions.

Fargate Metadata in the Threat Stack Platform

Threat Stack provides default detections for Fargate activities, including:

• Interactive sessions
• SSHD binaries
• Data exfiltration attempts
• Unexpected network connections

These detection rules fire real-time alerts, such as the following for an unexpected inbound network connection:

The underlying logic supporting this rule is easily customizable. Here’s a simplified example:

Threat Stack also provides a detailed window into all event data to support forensics investigations. For example, customers can easily refine searches to see all process activity for a given task within a defined time period:

Each event is backed by supporting details, which users can surface in the UI. For example, you can drill into the first event in the image above to see the complete event JSON: