Responder Recipe Reference

The following table lists summary information for the Oracle-managed responder recipe rules that Cloud Guard provides.

Rule Display Name | Description | ID, Policies, and Rule Parameters | Applicable Detector Rules

Cloud Event

Publishes the problem details to Oracle Cloud Infrastructure Events service.

ID: EVENT

Policy: []

Rule Parameters:

{'condition': None, 'configurations': [], 'isEnabled': True, 'mode': 'AUTOACTION'}

Not applicable. Cloud Event responder emits events that support notifications.

Delete IAM Policy

Deletes IAM policy giving too many privileges to an individual or a group.

ID: DELETE_IAM_POLICY

Policy: ['Allow service cloudguard to manage policies in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, IAM:
  • Policy gives too many privileges
  • Tenancy admin privilege granted to group

Delete Internet Gateway

Deletes Internet Gateway associated with a VCN.

ID: DELETE_INTERNET_GATEWAY

Policy: ['Allow service cloudguard to manage internet-gateways in {{location}}', 'Allow service cloudguard to manage vcns in {{location}}', 'Allow service cloudguard to manage route-tables in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, Networking:
  • VCN has Internet Gateway attached

Delete Public IP(s)

Deletes Public IPs of an Oracle Cloud Infrastructure Compute Instance.

Policy: ['Allow service cloudguard to manage private-ips in {{location}}', 'Allow service cloudguard to manage public-ips in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, Compute:
  • Instance has a public IP address

Disable IAM User

Disables IAM user's capabilities.

ID: DISABLE_IAM_USER

Policy: ['Allow service cloudguard to manage users in tenancy']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Activity, Bastion:
  • Bastion created
  • Bastion session created

Activity, Certificates:

  • CA bundle updated
  • Certificate Authority (CA) deleted
  • Intermediate Certificate Authority (CA) revoked

Activity, Certificates:

  • Export Image
  • Import Image
  • Instance terminated
  • Update Image

Activity, Database:

  • Database System terminated

Activity, IAM:

  • All rules in IAM group

Activity, Networking:

  • All rules in Networking group

Enable DB Backup

Enables automatic database backup to Oracle Cloud Infrastructure Object Storage.

ID: ENABLE_DB_BACKUP

Policy: ['Allow service cloudguard to manage backups in {{location}}', 'Allow service cloudguard to manage databases in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'autoBackupWindowConfig', 'name': 'Backup time window (Slot)', 'value': None}, {'configKey': 'recoveryWindowInDaysConfig', 'name': 'Backup retention period in days', 'value': None}, {'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, Database:
  • Database is not backed up automatically

Make Bucket Private

Changes the Object Storage bucket's visibility from public to private.

ID: MAKE_BUCKET_PRIVATE

Policy: ['Allow service cloudguard to manage buckets in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, Storage:
  • Bucket is public

Rotate Vault Key

Rotates the Oracle Cloud Infrastructure Vault key to create a new key version.

ID: ROTATE_VAULT_KEY

Policy: ['Allow service cloudguard to manage keys in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, KMS:
  • Key has not been rotated

Stop Compute Instance

Gracefully shuts down the Oracle Cloud Infrastructure Compute instance.

ID: STOP_INSTANCE

Policy: ['Allow service cloudguard to manage instance-family in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, Compute:
  • Instance has a public IP address

Terminate Compute Instance

Preserves boot volume and terminates the Oracle Cloud Infrastructure Compute instance.

ID: TERMINATE_INSTANCE

Policy: ['Allow service cloudguard to manage instance-family in {{location}}']

Rule Parameters:

{'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}

Configuration, Compute:
  • Instance has a public IP address