Getting Started with Cloud Guard

Review Oracle Cloud Guard concepts, ensure you meet prerequisites, enable Cloud Guard initially, and then access Cloud Guard routinely.

Planning for Cloud Guard

Spending some time planning how Cloud Guard functionality is mapped onto your environment, before you enable and configure Cloud Guard, might save you some time later.

You can enable Cloud Guard and begin monitoring your environment immediately. All you need to do is specify a single target that maps to the top-level compartment in the branch of your Oracle Cloud Infrastructure that you want to monitor. Then, over time, you can customize the Cloud Guard configuration, based on your experience with processing the problems that Cloud Guard detects. You can continually customize the Cloud Guard configuration to optimize performance toward a two-part goal:

Not letting anything that represents a potential security risk go undetected.
Not detecting "too many" false positives - problems that do not actually represent potential security risks.

If you do some planning, you might be able to get a head start on this two-part goal. All you need to do is survey how the resources in your Oracle Cloud Infrastructure tenancy are organized into compartments.

Survey Your Environment

Examine the types of resources that are stored in different parts of the compartment hierarchy in your Oracle Cloud Infrastructure tenancy. Are there groups of resources in different parts of that compartment hierarchy that need to be monitored for in different ways, in order to detect different types of threats? Would the same problem, if detected in different compartments, represent different risk levels?

Cloud Guard lets you define different areas within your Oracle Cloud Infrastructure tenancy that can be monitored in different ways. The trade-off is that all compartments within a defined area are monitored in the same way.

Familiarize Yourself with Cloud Guard Terminology

Cloud Guard Concepts defines the terms that you learn as you work with Cloud Guard. To get started, the following list summarizes what you need to know to get started planning for Cloud Guard.

Target: Defines scope of what Cloud Guard checks. All compartments within a target are checked in the same way and you have the same options for processing problems that are detected.
Detector: Performs checks to identify potential security problems based on activities or configurations. Rules followed to identify problems are the same for all compartments in a target.
Responder: Specifies actions that Cloud Guard can take when detectors identify problems. Rules for how to process identified problems are the same for all compartments in a target.

Familiarize Yourself with Cloud Guard Detector Recipes

Look over the rules described in the sections of Detector Recipe Reference for different detectors. Within your environment:

Are there any compartments that you do not want Cloud Guard to monitor at all? If so, you have to define one or more targets in a way that excludes these compartments.
Do you think that you might want to set the risk level differently, or enable and disable rules differently, for resources in different parts of your Oracle Cloud Infrastructure compartment hierarchy? To configure detector rules differently for different compartments, you have to define separate targets for those compartments.
For example, for the "Bucket is public" configuration rule, the default risk level is "CRITICAL" and the rule is enabled by default. Should these settings be the same for all compartments?
You can disable responder recipe actions on problems that detectors identify. If you want actions for a particular responder rule to be enabled in some compartments, but disabled in others, you have to define separate targets for those compartments.
For example, the "Make Bucket Private" responder rule is enabled by default. Do you have some compartments in which all buckets are public by design, and so you can disable this rule?

Plan How Targets Will Map to Compartments

If at this point you don't think you need to define multiple targets, and you have completed the Prerequisites, you can proceed with Enabling Cloud Guard. You can always change your target configuration later, as the need arises.

If you think you need to set up targets to allow different compartments to be monitored differently, keep these guidelines in mind when mapping targets to compartments:

All of a target's compartments inherit that target's configuration. The detector and responder rule settings for a target apply to the top-level compartment assigned to that target, and to any subordinate compartments below it in the compartment hierarchy.
If you want to exclude some compartments from monitoring, create targets below the root level and do not include the root compartment in any target.
Target defined within an existing target overrides inherited configuration. Within an existing target, you can assign a compartment below the target's top-level compartment to a new target. You can change the detector and responder rule settings for the new target, and those settings now apply to the top-level compartment assigned to that target, and to all the subordinate compartments below it in the compartment hierarchy.

Carefully Choose Your Reporting Region

When you enable Cloud Guard, you are asked to choose a reporting region. Carefully consider these consequences of your reporting region choice:

The reporting region you select commits your organization to comply with all legal requirements of the country where the reporting region is hosted.
After Cloud Guard is enabled, you can't change the reporting region without disabling and re-enabling Cloud Guard.
All customizations, and existing problems (including their history) are lost when you disable Cloud Guard, so you would have to manually restore those customizations.
All API calls, except for READs, must be made on the reporting region.

Ensure that you make the best decision for your reporting region, before you begin Steps to Enable Cloud Guard.

Enabling Cloud Guard

Perform this task to enable Oracle Cloud Guard from the OCI Console.

Prerequisite: Complete the tasks in Prerequisites and Planning for Cloud Guard.

Two Strategies

You can use either of two basic approaches for enabling Cloud Guard:

Start with Default Configuration: You want Cloud Guard to start reporting problems as soon as possible after completing the enablement process.
Don't skip any optional selections during the enablement process.
Note

If you skip any of the optional selections during enablement process, Cloud Guard does not automatically start reporting problems after completing the enablement process. If you skip optional settings during enablement, Cloud Guard can't start reporting problems until you add detector recipes to the specified target. See Editing an OCI Target and Its Attached Recipes.
Customize Configuration First: You want to customize Cloud Guard's configuration before Cloud Guard starts reporting problems.
You can skip any or all optional selections during the enablement process.

Whichever approach you take to enable Cloud Guard, you can refine the Cloud Guard configuration as needed after enablement.

Steps to Enable Cloud Guard

Log in to the OCI Console as the Oracle Cloud Guard user you created in Prerequisites, in the "Creating the Cloud Guard User and Group" section.
Open the navigation menu and click Identity & Security. Under Cloud Guard, click any resource.

Note

If the page for the Cloud Guard resource that you clicked opens, Cloud Guard is already enabled.
On the Cloud Guard page, click the Enable Cloud Guard button at top right to open the Enable Cloud Guard dialog box.
The Cloud Guard policy panel displays a list of all the OCI policies that must be enabled in order for Cloud Guard to be fully functional. The column on the right shows:
- Not added if policy is NOT currently enabled.
- Added if policy IS currently enabled.
Unless you are re-enabling Cloud Guard after disabling, all the entries should be Not added.

Note

These policies are read-only privileges that allow Cloud Guard to monitor OCI resources within your tenancy. These policies you do not provide Cloud Guard with any manage privileges for the resources,

Exception: The manage cloudevents-rules policy allows Cloud Guard to create audit event subscription rules, which are critical for Cloud Guard to detect problems. Cloud Guard's activity detector rules work by ingesting and analyzing the audit events in your tenancy. Cloud Guard needs to create a cloud event-managed rule in your tenancy, so that it can subscribe to your audit events. The USE privilege is necessary to allow Cloud Guard to list NSG security rules.

The following IAM policies are automatically added to the "Cloud Guard Policies" policy group when you click Create policy at the bottom of Cloud Guard policy panel in the Enable Cloud Guard dialog box:
```
allow service cloudguard to manage cloudevents-rules in tenancy where target.rule.type='managed'
allow service cloudguard to read audit-events in tenancy
allow service cloudguard to read authentication-policies in tenancy
allow service cloudguard to read autonomous-database-family in tenancy
allow service cloudguard to read compartments in tenancy
allow service cloudguard to read compute-management-family in tenancy
allow service cloudguard to read database-family in tenancy
allow service cloudguard to read data-safe-family in tenancy
allow service cloudguard to read dynamic-groups in tenancy
allow service cloudguard to read groups in tenancy
allow service cloudguard to read instance-family in tenancy
allow service cloudguard to read keys in tenancy
allow service cloudguard to read load-balancers in tenancy
allow service cloudguard to read log-groups in tenancy
allow service cloudguard to read object-family in tenancy
allow service cloudguard to read policies in tenancy
allow service cloudguard to read tenancies in tenancy
allow service cloudguard to read users in tenancy
allow service cloudguard to read vaults in tenancy
allow service cloudguard to read virtual-network-family in tenancy
allow service cloudguard to read volume-family in tenancy
allow service cloudguard to use network-security-groups in tenancy
```
1. At the bottom of the Cloud Guard policy panel, click Create policy.
  
  If all required policies are successfully created, the entries in the column on the right are now Added.
2. If any of the entries in the column on the right still show to Not added, add those polices manually:
  Depending on how you are using the OCI Identity service, see:
  - IAM with Identity Domains
  - IAM without Identity Domains
Click Next to proceed to the Basic information panel.
1. Select a Reporting region.
  The reporting region must be a region that Cloud Guard supports. If Cloud Guard doesn't support the region you select, select a different region.
  Caution
  
  Give careful consideration to your reporting region selection:
  - The reporting region you select commits your organization to comply with all legal requirements of the country where the reporting region is hosted.
  - After Cloud Guard is enabled, you can't change the reporting region without disabling and re-enabling Cloud Guard.
  - All customizations, and existing problems (including their history) are lost when you disable Cloud Guard, so you would have to manually restore those customizations.
  - All API calls, except for READs, must be made on the reporting region.
2. Ensure that you record the name of the reporting region that you specify.
  
  In all configuration and troubleshooting tasks that you perform after enablement, you must specify the Cloud Guard reporting region, not the OCI home region.
  
  Note
  
  To look up the name of the reporting region, see Viewing the Reporting Region.
3. Specify Compartments to monitor in the OCI tenancy.
  Choose one of these options:
  - All to monitor all compartments.
  - Select compartments, and then select from the list, to monitor only compartments that you specify.
  - None to monitor no compartments. You might want to select None to simply view the contents of the detector recipes, before you enable any of them.
    
    Note
    
    Your selection here defines a target for Cloud Guard to monitor. To enable with the "Start with Default Configuration" option, don't select None.
4. (Optional) Select an Configuration detector recipe from the list.
  
  Note
  
  To enable with the "Start with Default Configuration" option, don't skip this selection.
5. (Optional) Select an Activity detector recipe from the list.
  
  Note
  
  To enable with the "Start with Default Configuration" option, don't skip this selection.
6. Click Enable.
  
  A progress bar replaces the Enable Cloud Guard button on the Cloud Guard page.
  
  Note
  
  If you have reached this point in a free tenancy, the enablement does not proceed.
When enablement completes, on the Cloud Guard page, click Go To Cloud Guard.

The Cloud Guard Overview page appears, and the guided tour starts. Gradually,

Note

If you followed the "Start with Default Configuration" approach in the enablement process, information on problems soon starts to appear in Cloud Guard. How soon the problem information starts to appear depends on your environment, your configuration of targets and detectors, and the number of problems that are occurring for Cloud Guard to detect.
Take the guided tour to familiarize yourself with the features on the Overview page.

What's Next

Note

Whichever approach you followed in the enablement process, Cloud Guard disables two OCI Configuration Detector rules by default in new tenancies. Disabling these rules initially is necessary to prevent Cloud Guard from generating an excessive number of problems that you would consider false positives. For more information about these rules, see:

Tip

Some of the detector rules that are enabled by default might produce an excessive number of problems in your particular environment. To be able to disable detector rules, you must clone the Oracle-managed detector recipe to create a user-managed version, See Cloning an OCI Detector Recipe.

To quickly clear problems that you now consider to be false positives, for each user-managed recipe rule that produces an excessive number of problems:

Determine the rule settings to change so that the rule no longer generates those false positives.
See the reference information for the rule in Detector Recipe Reference.
Modify the rule settings so that the rule no longer generates those false positives.
See Editing Rule Settings in an OCI Detector Recipe.
Disable the rule.
See Editing Rule Settings in an OCI Detector Recipe.
Re-enable the rule.
See Editing Rule Settings in an OCI Detector Recipe.

If you followed the "Start with Default Configuration" approach in the enablement process, information on problems soon starts to appear in Cloud Guard. How soon the problem information starts to appear depends on your environment, your configuration of targets and detectors, and the number of problems that are occurring for Cloud Guard to detect.
Note
If you followed the "Customize Configuration First" approach in the enablement process, no information on problems appears until you complete all of the configuration tasks that you skipped during enablement:
1. Define one or more targets. See Creating an OCI Target.
2. Optional: Clone Oracle-managed detector recipes. See Cloning an OCI Detector Recipe.
3. Optional: Customize detector recipes for your environment. See Editing a User-Managed OCI Detector Recipe.
4. Add detector recipes to each target. See Editing an OCI Target and Its Attached Recipes.
After Cloud Guard has started reporting problems:
- To fine-tune your Cloud Guard configuration to better serve the specific needs of your environment. see Customizing Cloud Guard's Base OCI Configuration.
- To interpret the summary information on detected problems, drill down into the details, and resolve specific problems, see Processing Reported Problems.
- To ensure that Cloud Guard is fully integrated with other OCI services, see Integrating Cloud Guard with Other Services.

Integrating Cloud Guard with Other Services

Ensure that configuration details necessary to support Cloud Guard integration with other services are in place.

After you have finished performing the tasks in Enabling Cloud Guard, plus some follow-up tasks if you use the Customize Configuration First strategy, all integrations with other services should be functioning smoothly.

When new services that support integration with Cloud Guard later become available, you need to ensure that your Cloud Guard configuration details correctly support the new service:

Cloud Guard targets must contain all the compartments where resources from the new service that Cloud Guard is to monitor are located.
The Cloud Guard detector recipes that contain the rules that are specific to the new service must be attached to those Cloud Guard targets.

Expand one of the following service names to see the steps to follow to ensure that your Cloud Guard configuration details correctly support the service.

Certificates Service

Prerequisite: Ensure that the Certificates service is already enabled and operating properly.

If Cloud Guard is NOT already enabled:
1. Enable Cloud Guard – see Enabling Cloud Guard.
  
  Follow steps for "Start with Default Configuration."
2. Ensure that you enable the OCI Activity Detector Recipe.
3. Ensure that you define a Cloud Guard target that covers the OCI compartments you want Cloud Guard to monitor for the Certificates service.
4. Ensure that the OCI Activity Detector Recipe is attached to the Cloud Guard target - see Viewing Details for a Target.
  
  If necessary, see Creating a Target or Modifying Recipes Added to a Target.
If Cloud Guard IS already enabled, ensure that your Cloud Guard tenancy has:
- Cloud Guard targets defined that include all the OCI compartments you want Cloud Guard to monitor for the Certificates service - see Viewing Details for a Target.
- The OCI Activity Detector Recipe (either Oracle-managed or user-managed) attached to each of those targets – see Viewing Details for a Target.
  If necessary, see Creating a Target or Modifying Recipes Added to a Target.
If necessary, refine the configuration of these rules listed in the OCI Activity Detector Recipe (either Oracle-managed or user-managed) - see Modifying Rule Settings in a Target's Recipes.
- CA bundle updated
- Certificate Authority (CA) deleted
- Intermediate Certificate Authority (CA) revoked
Your goal is to optimize the rule configurations so that you don't miss real problems, but you are not overwhelmed with false positives. It might be necessary to monitor problems generated from the Certificates service for a while, before you can determine whether any rule modifications are needed.
View problems generated from the Certificates service on the Cloud Guard Problems page - see Viewing the Problems List.
To see problems for the Certificates service only, filter the Problems list using Labels = Certificates.
Note

The Labels entry isn't case-sensitive, but you must match the characters in "certificates" exactly.

Data Safe Service

Prerequisite: Ensure that the Data Safe service is already enabled and operating properly. If you perform the following steps before the Data Safe service is enabled, Cloud Guard alerts you that you need to enable Data Safe, whenever it finds a database.

If Cloud Guard is NOT already enabled:
1. Enable Cloud Guard – see Enabling Cloud Guard.
  
  Follow steps for "Start with Default Configuration."
2. Ensure that you enable the OCI Configuration Detector Recipe.
3. Ensure that you define a Cloud Guard target that covers the OCI compartments you want Cloud Guard to monitor for the Data Safe service.
4. Ensure that the OCI Configuration Detector Recipe is attached to the Cloud Guard target - see Viewing Details for a Target.
  
  If necessary, see Creating a Target or Modifying Recipes Added to a Target.
If Cloud Guard IS already enabled, ensure that your Cloud Guard tenancy has:
- Cloud Guard targets defined that include all the OCI compartments you want Cloud Guard to monitor for the Data Safe service - see Viewing Details for a Target.
- The OCI Configuration Detector Recipe (either Oracle-managed or user-managed) attached to each of those targets – see Viewing Details for a Target.
  If necessary, see Creating a Target or Modifying Recipes Added to a Target.
Add the following policies to your Cloud Guard tenancy to enable access to the Data Safe information:

allow service cloudguard to read data-safe-family in tenancy

allow service cloudguard to read autonomous-database-family in tenancy
If necessary, refine the configuration of these rules listed in the OCI Configuration Detector Recipe (either Oracle-managed or user-managed) - see Modifying Rule Settings in a Target's Recipes.
- Data Safe is not enabled (this rule is inoperative after Data Safe is enabled)
- Database is not registered with Data Safe (this rule is inoperative, if Data Safe isn't enabled)
Your goal is to optimize the rule configurations so that you don't miss real problems, but you are not overwhelmed with false positives. It might be necessary to monitor problems generated from the Data Safe service for a while, before you can determine whether any rule modifications are needed.
View problems generated from the Data Safe service on the Cloud Guard Problems page - see Viewing the Problems List.
To see problems for the Data Safe service only, filter the Problems list using Labels = Database Security.
Note

The Labels entry isn't case-sensitive, but you must match the characters in "database security" exactly.

Threat Intelligence Service

Logging Service

Instance Security uses the OCI Logging service to record activity.

Prerequisite: Ensure that both Cloud Guard and the Logging service are enabled.

There are two types of log produced by Cloud Guard.

Cloud Guard Raw Logs, produced by Instance Security. You can enable these logs when you attach an Instance Security recipe to a target. Alternatively, you can enable them from the Logging service.
Cloud Guard Query Results Logs, produced by scheduled queries.

For information about policies for working with logs, see Required Permissions for Working with Logs and Log Groups

For information about the types of log Cloud Guard produces, see Logging Details for Cloud Guard.

Oracle Cloud Infrastructure Documentation