Oracle Cloud Infrastructure Documentation

Editing Rule Settings in an OCI Detector Recipe

You can modify different sets of rule settings in Oracle-managed and user-managed recipes in Cloud Guard.

From the recipe level, for Oracle-managed detector recipes, you can change only the Conditional group specification, and (where applicable) Input setting. For user-managed detector recipes, you can change any configurable rule settings, including enabling or disabling a rule.

For complete information about what you can modify in Oracle-managed and user-managed (cloned) detector and responder recipes, from the recipe or target level, see Modifying Recipes at Recipe and Target Levels.

    1. Navigate to the details page for the detector recipe in which you want to edit a rule.
      For navigation steps,see Listing OCI Detector Recipes and Getting Their Details.
    2. Locate a rule that you want to modify, open its Actions menu Image of Action menu, and select Edit.

      For information about rule parameters, and best practice recommendations for changes from default settings, see the reference for the detector recipe type:

    3. To clone a rule:
      Note

      Not all detector recipe rules can be cloned:
      • Cloning of rules is only allowed in a cloned copy of the Oracle-managed Container Security.
      • On the Recipe details page, the Cloned column indicates the rule's cloning status:
        • Can't be cloned means you are not allowed to clone the rule.
        • Yes means that the rule can be cloned, but it has not yet been cloned.
        • No means that the rule can be cloned, and it has been cloned at least once.
      1. After you've located the rule, open its Actions menu Image of Action menu, and select Clone.
      2. In the Clone detector rule dialog box:
        Note

        If cloning results in two rules that trigger an alert for the same event, Cloud Guard creates a problem only for the rule that was most recently changed. Ensure that your cloned rules do not overlap in the scope of conditions that trigger a problem.
        1. Change the rule name.

          Best practice is to give the cloned rule a name that identifies both the rule from which it was cloned, and the purpose for which you cloned it.

        2. Make any other changes you want to in the rule parameters.

          Use the following steps to make your changes.

    4. If the recipe is user-managed, edit the following settings as needed.
      • Change the rule's Status to Enabled or. Disabled.
        Note

        When you disable a detector recipe rule, any problems that the rule has already triggered remain active on the Problems page. If you're certain that these problems pose no security risk, you can clear them all in one action. See Problem Lifecycle, especially the "Problem Reconciliation Process" section.
      • Set a different Risk Level (not available for Threat Detector recipe rules).
      • Edit the entries in the Labels box.

        Separate multiple labels with a semicolon (";").

    5. If the rule supports configuring a threshold at which the rule triggers a problem, you can change the threshold value by entering a different Input setting.
      For example, by default the "Password is too old" detector rule triggers a problem if a password has not been changed for more than 90. You can change this value to 60 if your organization policy is to change passwords every 60 days.
      • Sensitive Objects:
        • To remove an item from a list, click the "X" in the item's label.
        • To add an item to a list, open the list and select the new item.

          If your attempt to open the list shows "option not available" message, it means that all items available in the list are already added.

      • ...User... entries: Ensure that entries from managed or custom list match exactly User Name values from Fusion Apps.
    6. In the Conditional group section:
      • To set a condition on a parameter other than tags, follow these steps:
        1. In the Parameter list, select a parameter other than Tags.
        2. Select an Operator, a List, and a Value.
        3. To add another condition, click Another condition.
          Note

          Specifying multiple conditions acts as an AND operator. The rule is enforced only if all the conditions are met.
      • To set a condition on tags, follow these steps:
        1. In the Parameter list, select Tags.
        2. Select an Operator (In or Not In).
          • If you select In, the rule affects only items that are tagged with one of the tags that are in the list that you provide.
          • If you select Not In, the rule affects only items that are not tagged with one of the tags that are in the list that you provide.
        3. Click Select tags.
        4. In the Select tags dialog box, set a condition for defined or free-form tags:
          • To set a condition for defined tags, select a Tag namespace other than None, select a Tag key, and then select or enter the Tag value:
          • To set a condition for free-form tags, for Tag namespace, select None for Tag namespace, enter a Tag key, and then optionally enter the Tag value.
          • Add more tags as needed.
            Note

            When you specify multiple tags, the rule is enforced only if all the conditions are met.
    7. When you are finished modifying the detector rule, click Save.
    8. To change settings for another detector rule, repeat the previous steps, beginning with step 2.

  • For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

    Use the oci cloud-guard detector-recipe-detector-rule update command and required parameters to update a rule in a detector recipe:

    oci cloud-guard detector-recipe-detector-rule update --detector-recipe-id <detector_recipe_ocid> --detector-rule-id <detector_rule_id> [OPTIONS]

  • Use the UpdateDetectorRecipeDetectorRule operation to update a detector rule in a detector recipe.