On June 30, 2022, the F5 Advanced Infrastructure Protection (Threat Stack) engineering team conducted maintenance which resulted in changes that may have affected your organization temporarily. At this point in time, all issues have been remediated and no outstanding changes regarding these impacts remain. More information about impact and remediation is available below.
A platform change was applied which increased the number of file integrity monitoring (FIM) rule alerts. As a result, customers may have experienced a temporary increase in alerts due to the broader scope of FIM events being processed. The changes to alerting on FIM events occurred in the platform and not at the host level (i.e., no agent changes were made). The additional data being processed through the rules engine was already being collected by the agent and sent to the platform prior to the platform changes. This change has no impact on agent performance.
The platform change involved updates to our internal suppressions API to enable new future functionality. During the maintenance window, modifications to rule suppressions could result in the deletion of other suppressions for that specific rule.
Start: 9 AM EST
End:
The F5 Advanced Infrastructure Protection team added a suppression to the relevant FIM rules. The suppression applied to those FIM rules is command != null AND filename != null. This suppression restored the level of alerting to the state in which it was prior to the data platform maintenance.
As a result of this new functionality, this suppression can be removed for troubleshooting FIM events when a broader number of inotify events need to be collected for investigation.
The F5 Advanced Infrastructure Protection team restored suppressions for affected rules to their original state. Restoration of the affected suppressions was completed at approximately 10 AM EST on Friday, July 1, 2022.
We’re here to help. Please reach out to support@threatstack.com for further assistance or with any questions or concerns.