Managing OCI Responder Recipes

View, clone, and modify OCI responder recipes to fit the specific security needs of your environment.

About OCI Responder Recipes

Cloud Guard detectors follow rules, combined into recipes, to identify problems.

A responder is an action that Cloud Guard can take when a detector has identified a problem. The available actions are resource-specific. Each responder uses a responder recipe that defines the action or set of actions to take in response to a problem that a detector has identified.

Each responder recipe uses multiple responder rules, each of which defines the specific actions to take.

Cloud Guard provides a set of responders with default rules. You can:

  • Use these responders as is.
  • Clone any of the default responders and modify the rules to meet specific needs.
  • Enable and disable responder rules individually.
  • Limit the scope for applying individual rules by specifying conditions that must be met.

Cloud Guard supports two types of responder recipes:

  • Oracle-Managed recipes are provided by Oracle and you can only modify a few settings in the recipe rules.
  • User-Managed recipes must be created, usually by cloning an Oracle-managed recipe. You can modify more settings in user-managed recipes rules.

For more information on what you can modify in recipes that are Oracle-managed or user-managed, and whether you are making changes from the recipe level or the target level, see Modifying Recipes at Recipe and Target Levels.

Policy Statements for OCI Responders

Add policy statements that are required for particular responders.

Caution

Enabling responders gives Cloud Guard permissions to modify security settings in your environment to remediate, on your behalf, problems that the responders detect. Ensure that granting these permissions does not violate your organization's security policies.

The following policy statements are required for particular responders. Based on the responder type, one of these policies is needed during manual or automatic remediation.

allow service cloudguard to manage instance-family in compartment <compartment_name>
allow service cloudguard to manage object-family in compartment <compartment_name>
allow service cloudguard to manage buckets in compartment <compartment_name>
allow service cloudguard to manage users in compartment <compartment_name>
allow service cloudguard to manage policies in compartment <compartment_name>
allow service cloudguard to manage keys in compartment <compartment_name>

Viewing Details for an OCI Responder Recipe

Open the Responder Recipes page, sort and filter the list, and view details for a specific responder recipe.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Responder Recipes.

    The column headers provide summary information for the responder recipes:

    • Recipe Name - the name of the responder recipe.
    • Oracle Managed - shows Yes if the responder recipe is Oracle-managed, No if user-managed.
    • Created - the date the responder recipe was created.
    Note

    If you haven’t yet cloned the OCI Responder Recipe (Oracle Managed), that is the only recipe that appears in the list.
  2. To ensure that you’re viewing all available items in the list, under Scope at lower left, set Compartment to the tenancy's root compartment.
  3. To filter the list, you can:
    • Under Scope at lower left:
      • Select a different Compartment.
      • If you also want responder recipes attached to compartments below the selected compartment to appear in the list, select Include Child Compartments.
    • To filter by tags:
      1. To the right of Tag Filters at lower left, click the add link.
      2. In the Apply tag filter dialog box, select a Tag Namespace.

        Select None (free-form tag) if you want to manually enter the Tag Key.

      3. Select a Tag Key.

        Manually enter the Tag Key if you selected None (free-form tag) for the Tag Namespace.

      4. For Value:
        • Select Match any value if you want any tag value to count as a match.
        • Select Match any of the following and manually enter values, separated by commas, if you want only the values you enter to count as a match.
        • To add more values for this tag, click the plus sign (+) at the lower right.
      5. Click Apply Filter.
  4. To view the details for a specific item, click its link in the Recipe Name column.
  5. To view OCID information, in the Details tab, OCID row:
    • Click the Show link to show the full OCID.
    • Click the Copy link to copy the full OCID to the clipboard.
  6. If the recipe you're viewing is user-managed, you can view tags that have been assigned:

    Tagging isn't supported in Oracle-managed recipes.

    1. Click the Tags tab.
    2. View the tags that have been assigned.
      If no tags have been assigned, you see "There are no Tags associated with this resource."
  7. In the Responder Rules section, use the column headers to identify the information shown:
    • Responder Rules - the name of each responder rule in the recipe.
    • Type - the rule type.
      • NOTIFICATION rules only send a notification when the violation occurs.
      • REMEDIATION rules actually remediate the violation.
    • Status - each rule can be Enabled or Disabled independently.
    • Conditional Group - are conditions configured for the rule? Yes or No.
  8. To show summary information for a responder rule, click the Expand icon at the right end of its row.
  9. To show configuration information for a responder rule, open the Actions menu and select Edit.

Cloning an OCI Responder Recipe

You can clone an OCI responder recipe to make a copy that you can modify for different purposes.

You can use Oracle-managed responder recipes as is, but you can't change many of their settings. Also, you might want to create another responder recipe that's similar to a user-managed responder recipe that you cloned previously.

Whenever you want to create a responder recipe, you can clone the existing (Oracle-managed or user-managed) recipe with the settings that are most similar to what you want in the new recipe.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Responder Recipes.
  2. To ensure that you’re viewing all available items in the list, under Scope at lower left, set Compartment to the tenancy's root compartment.
  3. Look for rows where the Type column entry is OCI.
  4. In the row for the recipe you want to clone, open the Actions menu and select Clone to open the Clone detector recipe dialog box.
    Note

    The recipe must be in the same tenancy where you’re logged in.

  5. Enter a Name for the new recipe.
    Avoid entering confidential information.
  6. (Optional) Enter a Description for the new responder recipe. Avoid entering confidential information.
  7. Specify a Compartment Assignment by selecting from the list.
  8. Click Clone.

    The new recipe appears in the list.

Modifying an OCI Responder Recipe

You can edit the name and description for a user-managed recipe. You can modify settings for rules in both user and Oracle-managed recipes.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Responder Recipes.

    The column headers provide summary information for the responder recipes:

    • Recipe Name - the name of the responder recipe.
    • Oracle Managed - shows Yes if the responder recipe is Oracle-managed, No if user-managed.
    • Created - the date the responder recipe was created.
    Note

    If you haven’t yet cloned the OCI Responder Recipe (Oracle Managed), that is the only recipe that appears in the list.
  2. Locate the recipe that you want to modify.

    User-managed responder recipes have No in the Oracle-Managed column.

  3. Click the recipe's link in the Recipe Name column.
    The details page for the recipe opens.
  4. Make desired changes:
    • To change the recipe's name or description:
      1. Click Edit below the responder recipe's name on the details page.
      2. In the Edit Detector Recipe dialog box, edit the Name or Description entries.

        Avoid entering confidential information.

      3. Click Save.
    • To attach the recipe to a different compartment:
      1. Click Move Resource below the responder recipe's name on the details page.
      2. In the Move Resource to a Different Compartment dialog box, select the new compartment from the Choose New Compartment list, then click Move Resource.
    • To see tags that have been added to the responder recipe, click the Tags tab below the recipe's name on the details page.
    • To add tags to the responder recipe, click Add tags below the recipe name, then enter the tags in the Add tags dialog box.
    • To enable or disable groups of rules:
      1. Select check boxes to the left of the rule names (current Status for all must be the same).
      2. Click Enable or Disable at the top of the list.

Next Steps

Ensure that you:

Modifying Rule Settings in an OCI Responder Recipe

You can modify different sets of rule settings in Oracle-managed and user-managed recipes.

Note

From the recipe level, the only change you can make in responder rule settings is to enable and disable rules in user-managed (cloned) responder recipes. You can't change any rule settings for an Oracle-managed responder recipe from the recipe level.

For complete information on what you can modify in Oracle-managed and user-managed (cloned) responder recipes, from the recipe or target level, see Modifying Recipes at Recipe and Target Levels.

  1. Navigate to the detail page for the user-managed (cloned) responder recipe in which you want to modify rule settings.
  2. Locate a rule that you want to modify, open the Actions menu, and select Edit.
  3. If the recipe is user-managed, in the top part of the Edit ... Rule dialog box, you can change the rule's Status (Enabled vs. Disabled).
  4. Click Save.
  5. To change settings for another responder rule, repeat the preceding steps, beginning with step 2.

Next Steps

Make other changes needed to customize responder rule settings for the target to which your responder recipe is added. See Modifying Responder Rule Settings in an OCI Target's Recipes.

Deleting a User-Managed (Cloned) OCI Responder Recipe

You can delete any cloned copy of an Oracle-managed OCI responder recipe when you no longer need it.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Responder Recipes.
  2. Locate the recipe you want to delete.

    User-managed responder recipes have No in the Oracle-Managed column.

  3. Open the Actions menu and select Delete.
  4. Click Yes to confirm the deletion.

Responder Recipe Reference

The following table lists summary information for the Oracle-managed responder recipe rules that Cloud Guard provides.

Each entry lists the rule's Display Name, Description, ID and Policies, Rule Parameters, and Applicable Detector Rules.

Rule Display Name: Cloud Event
Description: Publishes the problem details to Oracle Cloud Infrastructure Events service.
ID: EVENT
Policy: []
Rule Parameters: {'condition': None, 'configurations': [], 'isEnabled': True, 'mode': 'AUTOACTION'}
Applicable Detector Rules: Not applicable. Cloud Event responder emits events that support notifications.

Rule Display Name: Delete IAM Policy
Description: Deletes IAM policy giving too many privileges to an individual or a group.
ID: DELETE_IAM_POLICY
Policy: ['Allow service cloudguard to manage policies in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, IAM:
    • Policy gives too many privileges
    • Tenancy admin privilege granted to group

Rule Display Name: Delete Internet Gateway
Description: Deletes Internet Gateway associated with a VCN.
ID: DELETE_INTERNET_GATEWAY
Policy: ['Allow service cloudguard to manage internet-gateways in {{location}}', 'Allow service cloudguard to manage vcns in {{location}}', 'Allow service cloudguard to manage route-tables in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, Networking:
    • VCN has Internet Gateway attached

Rule Display Name: Delete Public IP(s)
Description: Deletes Public IPs of an Oracle Cloud Infrastructure Compute Instance.
Policy: ['Allow service cloudguard to manage private-ips in {{location}}', 'Allow service cloudguard to manage public-ips in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, Compute:
    • Instance has a public IP address

Rule Display Name: Disable IAM User
Description: Disables IAM user's capabilities.
ID: DISABLE_IAM_USER
Policy: ['Allow service cloudguard to manage users in tenancy']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Activity, Bastion:
    • Bastion created
    • Bastion session created
  Activity, Certificates:
    • CA bundle updated
    • Certificate Authority (CA) deleted
    • Intermediate Certificate Authority (CA) revoked
  Activity, Compute:
    • Export Image
    • Import Image
    • Instance terminated
    • Update Image
  Activity, Database:
    • Database System terminated
  Activity, IAM:
    • All rules in IAM group
  Activity, Networking:
    • All rules in Networking group

Rule Display Name: Enable DB Backup
Description: Enables automatic database backup to Oracle Cloud Infrastructure Object Storage.
ID: ENABLE_DB_BACKUP
Policy: ['Allow service cloudguard to manage backups in {{location}}', 'Allow service cloudguard to manage databases in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'autoBackupWindowConfig', 'name': 'Backup time window (Slot)', 'value': None}, {'configKey': 'recoveryWindowInDaysConfig', 'name': 'Backup retention period in days', 'value': None}, {'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, Database:
    • Database is not backed up automatically

Rule Display Name: Make Bucket Private
Description: Changes the Object Storage bucket's visibility from public to private.
ID: MAKE_BUCKET_PRIVATE
Policy: ['Allow service cloudguard to manage buckets in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, Storage:
    • Bucket is public

Rule Display Name: Rotate Vault Key
Description: Rotates Oracle Cloud Infrastructure Vault Key to create a new key version.
ID: ROTATE_VAULT_KEY
Policy: ['Allow service cloudguard to manage keys in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, KMS:
    • Key has not been rotated

Rule Display Name: Stop Compute Instance
Description: Gracefully shuts down the Oracle Cloud Infrastructure Compute instance.
ID: STOP_INSTANCE
Policy: ['Allow service cloudguard to manage instance-family in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, Compute:
    • Instance has a public IP address

Rule Display Name: Terminate Compute Instance
Description: Preserves boot volume and terminates the Oracle Cloud Infrastructure Compute instance.
ID: TERMINATE_INSTANCE
Policy: ['Allow service cloudguard to manage instance-family in {{location}}']
Rule Parameters: {'condition': None, 'configurations': [{'configKey': 'isPostRemediateNotifyEnabled', 'name': 'Post Remediation Notification', 'value': 'true'}], 'isEnabled': True, 'mode': 'USERACTION'}
Applicable Detector Rules:
  Configuration, Compute:
    • Instance has a public IP address
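The caution in Policy Statements for OCI Responders is that enabling a responder grants Cloud Guard the right to change your environment, so the IAM policy should cover only the rules you actually enable. The script below is an added example, not Oracle's code or any OCI SDK call: it takes a recipe snapshot shaped like the Rule Parameters dicts in the reference table above, derives the statements the enabled rules need from the table's policy templates, compares them with the broad six-statement set from the policy section (scoped here to a constructed compartment named prod), and flags rules that still carry unset configuration values. The recipe snapshot and the existing policy list are constructed for the example, and the reading of 'AUTOACTION' as acting without per-problem approval and 'USERACTION' as waiting for an operator is an assumption.

```python
"""Least-privilege check for the IAM policy behind a Cloud Guard responder recipe.

Added example; not Oracle's code or API. Rule IDs and policy templates are
copied from the Responder Recipe Reference table on this page. The recipe
snapshot and existing policy list below are constructed. Assumption: a rule
in mode 'AUTOACTION' runs without a human approving each problem, while
'USERACTION' waits for an operator.
"""

# Policy statement templates per responder rule ID (from the reference table).
# '{{location}}' stands for 'compartment <name>' (or 'tenancy' where fixed).
RULE_POLICIES = {
    "EVENT": [],
    "DELETE_IAM_POLICY": [
        "Allow service cloudguard to manage policies in {{location}}"],
    "DELETE_INTERNET_GATEWAY": [
        "Allow service cloudguard to manage internet-gateways in {{location}}",
        "Allow service cloudguard to manage vcns in {{location}}",
        "Allow service cloudguard to manage route-tables in {{location}}"],
    "DISABLE_IAM_USER": [
        "Allow service cloudguard to manage users in tenancy"],
    "ENABLE_DB_BACKUP": [
        "Allow service cloudguard to manage backups in {{location}}",
        "Allow service cloudguard to manage databases in {{location}}"],
    "MAKE_BUCKET_PRIVATE": [
        "Allow service cloudguard to manage buckets in {{location}}"],
    "ROTATE_VAULT_KEY": [
        "Allow service cloudguard to manage keys in {{location}}"],
    "STOP_INSTANCE": [
        "Allow service cloudguard to manage instance-family in {{location}}"],
    "TERMINATE_INSTANCE": [
        "Allow service cloudguard to manage instance-family in {{location}}"],
}

NOTIFY = {"configKey": "isPostRemediateNotifyEnabled",
          "name": "Post Remediation Notification", "value": "true"}

# Constructed snapshot of a cloned (user-managed) recipe: rule ID -> Rule Parameters.
SAMPLE_RECIPE = {
    "EVENT": {"condition": None, "configurations": [], "isEnabled": True,
              "mode": "AUTOACTION"},
    "MAKE_BUCKET_PRIVATE": {"condition": None, "configurations": [NOTIFY],
                            "isEnabled": True, "mode": "USERACTION"},
    "STOP_INSTANCE": {"condition": None, "configurations": [NOTIFY],
                      "isEnabled": True, "mode": "AUTOACTION"},
    "TERMINATE_INSTANCE": {"condition": None, "configurations": [NOTIFY],
                           "isEnabled": False, "mode": "USERACTION"},
    "ENABLE_DB_BACKUP": {"condition": None, "configurations": [
        {"configKey": "autoBackupWindowConfig",
         "name": "Backup time window (Slot)", "value": None},
        {"configKey": "recoveryWindowInDaysConfig",
         "name": "Backup retention period in days", "value": None},
        NOTIFY], "isEnabled": True, "mode": "USERACTION"},
}

# Constructed: the broad statement set from 'Policy Statements for OCI Responders'
# as it might already exist in a tenancy, scoped to a compartment named 'prod'.
EXISTING_POLICY = [
    "allow service cloudguard to manage instance-family in compartment prod",
    "allow service cloudguard to manage object-family in compartment prod",
    "allow service cloudguard to manage buckets in compartment prod",
    "allow service cloudguard to manage users in compartment prod",
    "allow service cloudguard to manage policies in compartment prod",
    "allow service cloudguard to manage keys in compartment prod",
]


def _norm(statement):
    """Case- and whitespace-insensitive key for comparing policy statements."""
    return " ".join(statement.lower().split())


def required_policies(recipe, compartment):
    """Statements needed by the enabled rules only, de-duplicated and sorted."""
    needed = set()
    for rule_id, params in recipe.items():
        if not params.get("isEnabled"):
            continue  # a disabled rule takes no action, so it needs no grant
        for template in RULE_POLICIES.get(rule_id, []):
            needed.add(template.replace("{{location}}", f"compartment {compartment}"))
    return sorted(needed)


def unused_policies(existing, recipe, compartment):
    """Existing statements that no enabled rule needs: candidates for removal."""
    needed = {_norm(s) for s in required_policies(recipe, compartment)}
    return sorted(s for s in existing if _norm(s) not in needed)


def auto_remediating_rules(recipe):
    """Enabled rules in AUTOACTION mode (acting without per-problem approval)."""
    return sorted(rule_id for rule_id, params in recipe.items()
                  if params.get("isEnabled") and params.get("mode") == "AUTOACTION")


def incomplete_configurations(recipe):
    """Enabled rules whose configuration entries still have value None."""
    report = {}
    for rule_id, params in recipe.items():
        if not params.get("isEnabled"):
            continue
        missing = [c["configKey"] for c in params.get("configurations", [])
                   if c.get("value") is None]
        if missing:
            report[rule_id] = missing
    return report


if __name__ == "__main__":
    print("needed:", *required_policies(SAMPLE_RECIPE, "prod"), sep="\n  ")
    print("unused:", *unused_policies(EXISTING_POLICY, SAMPLE_RECIPE, "prod"), sep="\n  ")
    print("auto-remediating rules:", auto_remediating_rules(SAMPLE_RECIPE))
    print("rules with unset configuration:", incomplete_configurations(SAMPLE_RECIPE))
```

Run against the constructed snapshot, four of the six broad statements (object-family, users, policies, keys) turn out to be unneeded because no enabled rule in the recipe uses them, the disabled Terminate Compute Instance rule adds nothing, and Enable DB Backup is reported with both backup settings still unset, which matches the None values in the Oracle-managed defaults above and is the kind of thing to settle at the target level before relying on the rule.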