Processing and Resolving Problems on the Problems Page

View, sort, and filter the list of problems detected. View details for individual problems, and take actions on problems individually or in groups.

Overview of Problems

  • A problem is any action or setting on a resource that could potentially cause a security problem.

  • Problems are triggered through detectors.

  • The Problems page displays information about each problem, including:
    • Problem Name
    • Risk Level
    • Detector Type
    • Resource affected
    • Target
    • Region
    • Labels
    • First Detected
    • Last Detected
  • Within the Problems page you can filter problems by Compartment, Status, Date, Risk Level, Resource Type, Detector Type, and Region.
  • You can click an individual problem to:
    • Learn more about that problem
    • View problem history
    • Take action to resolve or dismiss the problem

Problem Lifecycle

Here is how Cloud Guard manages problems as they occur, are processed, and reoccur.

  • Problems can have these lifecycle states:
    • Open – Problem has not yet been processed
    • Remediated – Fixed using Cloud Guard responder
    • Resolved – Fixed by other process
    • Dismissed – Ignore and close
    • Deleted – the associated target has been deleted (see table below under Problem Reconciliation Process)
      Note

      Cloud Guard considers a configuration problem to be orphaned if the problem:
      • Remains undetected, and...
      • Is still in the Open lifecycle state after multiple scans over a period of 4 days.
  • If Cloud Guard detects an issue again for:
    • An Open (unresolved) problem, it updates the problem history, but doesn't create a new problem.
    • A previously solved problem, it reopens the issue and updates the history.
    • A previously dismissed problem, it updates the history.

Problem Reconciliation Process

Based on your Cloud Guard configuration, every problem has four specific object associations:

  • Detector rule
  • Target in which the rule is enabled
  • Compartment in that target
  • Resource in that compartment

If any of these problem associations change, after the problem is triggered and before it's resolved, the normal problem lifecycle is interrupted. The following table describes the problem reconciliation process that Cloud Guard uses to handle different types of configuration changes that interrupt the normal problem lifecycle.

| Configuration Change | Cloud Guard Action * | Later Configuration Change | Later Cloud Guard Action * |
| --- | --- | --- | --- |
| Target is deleted | Problem Status changes to Deleted | New target is created for same compartment | New problem is created (Status is Open) |
| Detector rule is disabled | Problem Status changes to Resolved | Detector rule is re-enabled | Resolved problem is reopened (Status is Open) |
| Detector recipe is detached from target | Problem Status changes to Resolved | Detector recipe is reattached to target | Resolved problem is reopened (Status is Open) |
| Compartment or resource is deleted | Problem Status changes to Resolved | Compartment or resource is re-created | Resolved problem is reopened (Status is Open) |

* Cloud Guard actions in response to configuration changes that interrupt the problem lifecycle typically are not effective immediately, and might take up to a few days to appear in the Console.

Note

The problem reconciliation process just emits events. To generate notifications for these events, see Configuring Notifications.

Tip

To quickly clear problems that you now consider to be false positives, for each user-managed recipe rule that produced these false positives, disable and then re-enable the rule. See Modifying Rule Settings in an OCI Detector Recipe.

Taking Actions on Problems

You can take the following actions on problems:

  • Remediate: When you remediate a problem, you're telling Cloud Guard to do one of two things:

    • Either execute a responder to fix something in your environment so that the problem doesn't happen again.
    • Or automatically resolve future instances that do occur, by executing the same responder.
  • Mark as Resolved: When you mark a problem as resolved, you're telling Cloud Guard that it was in fact a problem, but you've taken an action that handled it. If another instance of this same problem occurs, it's detected again.

  • Dismiss: When you dismiss a problem, you're telling Cloud Guard to ignore this instance of the problem for that resource, and simply ignore it if it happens in the future. Only the problem history of the dismissed problem is updated.

The following table summarizes the differences between the three problem actions.

| | Remediate | Mark as Resolved | Dismiss |
| --- | --- | --- | --- |
| Number of problems resolved at one time | Current problem only | Current problem or all selected problems | Current problem or all selected problems |
| Same problem occurring later | Can be automatically resolved in same way; future instances appear in Responder Status tile in Overview page, but still appear in Problems page list. Automatically resolved problems can also be viewed from the Problems page by choosing the Resolved filter. | Will be detected and reported again; future instances appear in Problems page list. | Is not detected as a new problem. Problem history's last detected time is updated. |
| Implementing resolution | Executes a Cloud Guard responder. | Whatever action you decide to take. | Ignore the problem. |
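
An added example (not Oracle's code): a Python review pass over a problems export that flags dismissed problems still being re-detected, and Open configuration problems that fall in the 4-day orphan window from the lifecycle note. The records are constructed, and the field names (including dismissed_at, which would come from the problem history) are assumptions.

```python
from datetime import datetime, timedelta

ORPHAN_AFTER = timedelta(days=4)   # period given in the lifecycle note
RISK_ORDER = ["Critical", "High", "Medium", "Low", "Minor"]

# Constructed sample export; the field names are assumptions, not a Cloud Guard schema.
PROBLEMS = [
    {"name": "public bucket (sample)", "risk": "Critical", "detector": "Configuration",
     "status": "Dismissed", "last_detected": "2024-05-20T08:00", "dismissed_at": "2024-05-01T12:00"},
    {"name": "public IP on instance (sample)", "risk": "High", "detector": "Configuration",
     "status": "Dismissed", "last_detected": "2024-04-28T09:30", "dismissed_at": "2024-05-01T12:00"},
    {"name": "missing flow logs (sample)", "risk": "Low", "detector": "Configuration",
     "status": "Open", "last_detected": "2024-05-10T00:00", "dismissed_at": None},
    {"name": "unusual sign-in (sample)", "risk": "High", "detector": "Activity",
     "status": "Open", "last_detected": "2024-05-10T00:00", "dismissed_at": None},
    {"name": "public database (sample)", "risk": "Critical", "detector": "Configuration",
     "status": "Open", "last_detected": "2024-05-20T06:00", "dismissed_at": None},
]

def _ts(value):
    return datetime.fromisoformat(value)

def recurring_dismissed(problems):
    """Dismissed problems whose Last Detected moved past the dismissal time:
    the condition recurred, but no new problem was raised for it."""
    return [p["name"] for p in problems
            if p["status"] == "Dismissed" and p["dismissed_at"]
            and _ts(p["last_detected"]) > _ts(p["dismissed_at"])]

def orphan_candidates(problems, now):
    """Open configuration problems not detected for 4 days or more
    (an approximation of the orphan rule based on Last Detected alone)."""
    return [p["name"] for p in problems
            if p["status"] == "Open" and p["detector"] == "Configuration"
            and now - _ts(p["last_detected"]) >= ORPHAN_AFTER]

def review_queue(problems, now):
    """Both findings merged and ordered by the page's risk levels."""
    flagged = [(n, "dismissed but still detected") for n in recurring_dismissed(problems)]
    flagged += [(n, "open, undetected for 4+ days") for n in orphan_candidates(problems, now)]
    risk = {p["name"]: p["risk"] for p in problems}
    return sorted(((risk[n], n, why) for n, why in flagged),
                  key=lambda row: RISK_ORDER.index(row[0]))

if __name__ == "__main__":
    for row in review_queue(PROBLEMS, datetime(2024, 5, 20, 12, 0)):
        print(*row, sep=" | ")
```

Dismissed problems that keep moving their Last Detected time are worth a periodic second look, since they never return to the Open list on their own.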

Viewing the Problems List

View, sort, and filter the list of problems detected.

The way that you access the Problems page determines what problems are listed there:

  • Directly - Open the navigation menu and click Identity & Security. Under Cloud Guard, select Problems. All problems are listed.
  • Indirectly - Click an option on the Overview page or elsewhere, that automatically filters the problems list to display a subset of problems. Only that subset of problems is displayed.

After you are on the Problems page, all the same options are available.

The Problems page displays this information for each problem listed:

  • Problem Name - text identifying the problem.
  • Risk Level - the severity of the risk associated with the problem (Critical, High, Medium, Low, Minor).

    For definitions of these severity levels, see Processing Problems from the Problems Snapshot.

  • Detector Type - Activity or Configuration.
  • Resource - an identifier for the resource affected by the problem.
  • Target - the target in which the problem was detected.
  • Region - the region in which the problem was detected.
  • Labels - any labels associated with the problem.
  • First Detected - the date and time at which the problem was first detected.
  • Last Detected - the date and time at which the problem was last detected.
  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Problems.

    You also go to the Problems page automatically, when you click through from summary information displayed on the Overview page. In this case, the Problems page is automatically filtered to show the subset of problems that was summarized on the Overview page.

    Note

    The retention period for problems is 90 days, after which problems are deleted.
  2. To filter the list for specific date ranges, enter dates in the fields at the top.
  3. To filter the list for specific detectors, set Filters to Detector Type, then select:
    • IAAS - Activity Detector for Activity Detector.
    • IAAS - Configuration Detector for Configuration Detector.
    • IAAS - Threat Detector for Threat Monitoring.
  4. To filter the list for specific categories, set Filters to Problem Category, then select:
    • Security Zone for Security Zones.
  5. To filter the list by other parameters:
    • Under Scope at lower left:
      • Select a different Compartment.
      • If you also want detector recipes attached to compartments below the selected compartment to appear in the list, select Include Child Compartments.
      • Change Status.
      • Select a specific Resource type.
    • To filter by tags:
      1. To right of Tag Filters at lower left, click the add link.
      2. In the Apply tag filter dialog box, select a Tag Namespace.

        Select None (free-form tag) if you want to manually enter the Tag Key.

      3. Select a Tag Key.

        Manually enter the Tag Key if you selected None (free-form tag) for the Tag Namespace.

      4. For Value:
        • Select Match any value if you want any tag value to count as a match.
        • Select Match any of the following and manually enter values, separated by commas, if you want only the values you enter to count as a match.
        • To add more values for this tag, click the plus sign (+) at the lower right.
      5. Click Apply Filter.
  6. To switch the sort order for the problems, click the Last Detected column header.
    The default order is descending (most recently detected at top).
  7. To control which columns are displayed, click Manage Columns, then:
    • Clear check boxes for columns you want to hide.
    • Select columns you want to display.
    • Click Save.
  8. To view details for a specific problem, click the link in the Problem Name column or open the Actions menu, and select View Details.

    On the Details tab, select from the Resources panel on the left:

    • Problem History to see a list of events and findings related to the problem.
    • Responder Activity to see a list of any responders that have been triggered for the problem.

Resolving Problems

After you determine how you want to handle a particular problem, you can implement the resolution from the problem details page or the Problems page.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Problems.

    You can also reach the Problems page by clicking through from summary information on the Overview page. See Getting Summary Information on the Overview Page.

    If you click through from summary information on the Overview page, the problems list is automatically filtered to show only the problems represented in the summary information.

  2. First view the details for a particular problem to determine how you want to resolve it.
    Click the link in the Problem Name column, or open the Actions menu, and select View Details.
  3. To remediate a problem from the Problems page:
    Note

    Not all problem types support remediation.
    1. Open the Actions menu and select Remediate to open the Remediate dialog box.
    2. If you see policies listed in a Policy Required to Execute section, click the Enable link for each policy listed.
    3. Click Remediate, at the bottom of the Remediate dialog box.
    4. Confirm that you want to execute the responder to remediate the problem.
  4. To mark one or more problems as resolved from the Problems page:
    1. Select the check box for each problem to be resolved.
      Note

      You can only select a maximum of 20 problems to process at one time through the UI. If you do the processing through the Cloud Guard APIs, you can process up to 50 problems at one time.
    2. Click Mark as Resolved near the top of the page.
    3. In the Mark as Resolved confirmation, optionally add a Comment, then click Mark as Resolved.
  5. To mark a single problem as resolved from the Problems page, you can also:
    1. Open the Actions menu and select Mark as Resolved.
    2. In the Mark as Resolved dialog box, enter Comments indicating how the problem was resolved.
      Note

      While this comment is not required, it's a best practice to make a note here as an audit trail for future reference.
    3. Click Mark as Resolved.
  6. To mark a single problem as resolved from the problem's detail page:
    1. From the Problems page, click the link in the Problem Name column or open the Actions menu, and select View Details.
    2. On the problem's detail page, click Mark as Resolved near the top.
    3. In the Mark as Resolved dialog box, enter Comments indicating how the problem was resolved.
      Note

      While this comment is not required, it's a best practice to make a note here as an audit trail for future reference.
    4. Click Mark as Resolved.
  7. To dismiss one or more problems from the Problems page:
    1. Select the check box for each problem to be dismissed.
      Note

      You can only select a maximum of 20 problems to process at one time through the UI. No such limits apply when the processing is done through the Cloud Guard APIs.
    2. Click Dismiss at the top of the list.
    3. (Optional) In the Dismiss confirmation, enter a Comment indicating how the problems were resolved.
      Note

      While this comment is not required, it's a best practice to make a note here as an audit trail for future reference.
    4. In the Dismiss confirmation, click Dismiss.
  8. To dismiss a single problem from the Problems page, you can also:
    1. Open the Actions menu and select Dismiss.
    2. In the Dismiss dialog box, enter Comments indicating how the problem was resolved.
      Note

      While this comment is not required, it's a best practice to make a note here as an audit trail for future reference.
    3. Click Dismiss.
  9. To dismiss a single problem from the problem's detail page:
    1. From the Problems page, click the link in the Problem Name column or open the Actions menu, and select View Details.
    2. On the problem's detail page, click Dismiss near the top.
    3. In the Dismiss dialog box, enter Comments indicating how the problem was resolved.
      Note

      While this comment is not required, it's a best practice to make a note here as an audit trail for future reference.
    4. Click Dismiss, at the bottom of the Dismiss dialog box.
  10. To reopen a dismissed problem:
    1. From the Problems page, click the link in the Problem Name column or open the Actions menu, and select View Details.
    2. On the problem's detail page, click Reopen near the top.
    3. Click Reopen, at the bottom of the Reopen dialog box.

Processing Recommendations

Use the Recommendations page to quickly locate and resolve the highest priority problems that Cloud Guard has detected.

The way that you access the Recommendations page determines what recommendations are listed there:

  • Directly - Open the navigation menu and click Identity & Security. Under Cloud Guard, select Recommendations. All recommendations are listed.
  • Indirectly - Click on an option on the Overview page or elsewhere, that automatically filters the recommendations list to display a subset of recommendations. Only that subset of recommendations is displayed.

Once you are on the Recommendations page, all the same options are available.

The Recommendations page displays this information for each recommendation listed:

  • Recommendations - text identifying the recommendation.
  • Total - the total number of instances of the problem to which the recommendation applies.
  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Recommendations, or from the Overview page's Security Recommendations tile, click the View Recommendations link.
  2. To change the scope of compartments for which recommendations are listed:
    1. From the Scope section below the Cloud Guard options panel on the left, drop down the Compartment list and select a different compartment.
    2. Deselect the check box for Include all child compartments to narrow the scope to only the compartment selected, excluding any compartments below it in the compartment hierarchy.
  3. To view the description for a recommendation, click the Expand icon at the right end.
  4. To process the recommendation for the instances of a problem:
    1. Open the Actions menu and select View Problem.

      The Problems page opens, filtered to list only problem instances for this recommendation.

    2. Follow instructions in Resolving Problems to complete your processing of the recommendation.
      Tip

      When multiple problems are listed, you can probably select all and process them the same way in one step, because they are all instances of the same problem.
    3. To return to the Recommendations page, click your browser's Back button.