Managing OCI Targets

You can add targets to expand or change the scope of resources that Cloud Guard monitors, and you can change the rules Cloud Guard uses to do the monitoring.

A target defines the scope of what Cloud Guard checks. A target can consist of your entire OCI tenancy, or any combination of compartments below the top level. Specify at least one target when you enable Cloud Guard. You can define more targets later.

Viewing Details for an OCI or Security Zone Target

See the scope of resources that Cloud Guard monitors, and the detector and responder recipes that are used in the monitoring.

Note

You can view the details of a Security Zone target in Cloud Guard. You must create and modify Security Zone targets in the OCI Security Zones application.
  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Targets.

    The Targets page lists all targets currently defined.

    Note

    Initially, the list shows only what was specified in the Compartments to Monitor enablement option. If None was selected, this list is initially empty.
    The column headers:
    • Target name - the name of the target, linked to target details.
    • Compartment - the compartment hierarchy to which the target is mapped.
    • Type - specific type of target. Different target types differ in their details.

      OCI and Security Zone targets are so similar in their details that the instructions for managing OCI targets cover both.

    • Recipes - number of recipes attached to the target.
  2. To ensure that you’re viewing all available items in the list, under Scope at lower left, set Compartment to the tenancy's root compartment.
  3. To filter the list, you can:
    • In the Filter by … name box at top right, enter a text string.

      Only names that contain the text that you type, anywhere in the name, now appear in the list.

    • Under Scope at lower left:
      • Select a different Compartment.
      • If you also want detector recipes attached to compartments below the selected compartment to appear in the list, select Include Child Compartments.
    • To filter by tags:
      1. To the right of Tag Filters at lower left, click the add link.
      2. In the Apply tag filter dialog box, select a Tag Namespace.

        Select None (free-form tag) if you want to manually enter the Tag Key.

      3. Select a Tag Key.

        Manually enter the Tag Key if you selected None (free-form tag) for the Tag Namespace.

      4. For Value:
        • Select Match any value if you want any tag value to count as a match.
        • Select Match any of the following and manually enter values, separated by commas, if you want only the values you enter to count as a match.
        • To add more values for this tag, click the plus sign (+) at the lower right.
      5. Click Apply Filter.
  4. Look for rows where the Type column entry is OCI or Security Zone.
  5. To view the details for a specific item, click its link in the Target Name column.

    You can also open the Actions menu and select View Details.

  6. To view the OCID for the item, click the Cloud Guard Target Information tab near the top.

    For a Security Zone target, you can click the link following Linked security zone to see the details for the associated security zone, in the Security Zone service. Use the browser's Back button to return to Cloud Guard.

  7. To view currently defined tags, click the Tags tab.
  8. To view the compartment hierarchy for a target, under Resources at lower left, click Compartment and expand the row in the Compartments list.
  9. To view detector recipes attached to the target:
    1. In the Resources panel on the left, click Detector Recipes.
      A list of detector recipes attached to the target is displayed in the Detector Recipes section. A Yes in the Oracle Managed column indicates that the recipe is Oracle-managed.
    2. To view the rules in a detector recipe, click the link in the Recipe Name column.

      You can also open the Actions menu and select View Details.

      The rules for the detector recipe are listed in the Detector Rules section of the page that opens.

    3. To view summary information for a rule, click the Expand icon at the right end of its row.
  10. For Security Zone targets, to view the security zone recipe:
    1. In the Resources panel on the left, click Security zone recipe.
    2. To view the policies in a security zone recipe, click the link in the Recipe name column.
    3. To copy the OCID of a policy, in the Actions menu for the policy row, select Copy OCID.
    4. To view the associated security zones for the recipe, under Resources at lower left, click Associated Security Zones.
    5. Use the browser Back button to return to the Cloud Guard Target Details page.
  11. To view the responder recipe attached to the target:
    1. In the Resources panel on the left, click Responder Recipe.
      A list of responder recipes attached to the target is displayed in the Responder Recipe section. A check mark in the (Oracle Managed) column indicates that the recipe is Oracle managed.
    2. To view the rules in a responder recipe, click the link in the Recipe Name column.

      The rules for the responder recipe are listed in the Responder Rules section of the page that opens.

    3. To see the Description and Conditional Group information for a responder recipe rule, open the Actions menu and select Edit.

Creating an OCI Target

A target defines the scope of resources that Cloud Guard monitors, and the detector and responder recipes to be used in the monitoring.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Targets.
  2. On the Targets page, click Create New Target.
  3. On the Basic information page, enter a Target name for the new target.
    Avoid entering confidential information.
  4. (Optional) Enter a Description.
    Avoid entering confidential information.
  5. Select a Compartment Assignment.
    Select a compartment from the list. The list is an expandable, collapsible hierarchy of all the compartments available.
    Note

    You can select only a single compartment. Any child compartments under the selected compartment inherit the detector and responder recipe settings for the target.

    To exclude a child compartment from the monitoring that applies to the rest of the target, create a separate target and specify that compartment in the Compartment Assignment.

  6. Select an OCI Configuration Detector Recipe.
  7. (Optional) Select an OCI Threat Detector Recipe from the list.
  8. Select an OCI Activity Detector Recipe.
  9. (Optional) Select a Responder Recipe.
    Note

    If responders are enabled, and you don’t add a responder to the target, full functionality for responders isn’t available within the target.
  10. To add tags, click Show advanced options near the bottom, then:
    1. Select a Tag Namespace from the list.
      Selecting None... makes it a free-form tag.
    2. Select a Tag Key.
    3. Enter a Value.
    4. To add another tag, click Additional Tag, and repeat the preceding steps 1-3.
    5. To remove a tag you’ve added, click the X at the right end of the row for that tag.
      Note

      If you've only added one tag, you can't remove it.
    6. Click Add tags.
  11. Click Create.

    The detail page for the new target displays.
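The inheritance rule in step 5 can be audited offline. The following added example (not Oracle code) models a compartment tree and resolves which target governs each compartment, assuming the nearest target at or above a compartment applies; all compartment names, target names and recipe sets are constructed.

```python
# Added example: a model of Cloud Guard target scoping, not Oracle code.
# Compartment names, target names and recipe sets are constructed sample data.

# child compartment -> parent compartment (the tenancy root has no parent)
COMPARTMENTS = {
    "tenancy": None, "prod": "tenancy", "prod-db": "prod", "prod-web": "prod",
    "dev": "tenancy", "dev-sandbox": "dev", "shared": "tenancy",
}

# target name -> (assigned compartment, recipe types attached to the target)
TARGETS = {
    "prod-target": ("prod", {"configuration", "activity", "threat", "responder"}),
    "prod-db-target": ("prod-db", {"configuration", "activity"}),
    "dev-sandbox-target": ("dev-sandbox", {"configuration"}),
}

ALL_RECIPE_TYPES = {"configuration", "activity", "threat", "responder"}


def governing_target(compartment, compartments=COMPARTMENTS, targets=TARGETS):
    """Return the target whose recipes apply to this compartment, or None.

    Assumption: the nearest target at or above the compartment wins, which is
    how a separate child target excludes that child from the parent's target.
    """
    assigned = {comp: name for name, (comp, _) in targets.items()}
    node = compartment
    while node is not None:
        if node in assigned:
            return assigned[node]
        node = compartments[node]
    return None


def unmonitored(compartments=COMPARTMENTS, targets=TARGETS):
    """Compartments that no target covers, directly or by inheritance."""
    return sorted(c for c in compartments
                  if governing_target(c, compartments, targets) is None)


def missing_recipes(compartment, compartments=COMPARTMENTS, targets=TARGETS):
    """Recipe types not in effect for the compartment under its governing target."""
    name = governing_target(compartment, compartments, targets)
    attached = targets[name][1] if name else set()
    return sorted(ALL_RECIPE_TYPES - attached)


if __name__ == "__main__":
    print("unmonitored:", unmonitored())
    for comp in sorted(COMPARTMENTS):
        print(f"{comp:12} target={governing_target(comp)} missing={missing_recipes(comp)}")
```

In the sample data, carving prod-db out into its own target leaves it without the threat detector and responder recipes that the rest of prod still has, which is the kind of gap to check for after adding a child target.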

Modifying an OCI Target

You can change the detector and responder recipes added to an OCI target.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Targets.
  2. Look for targets where the Type column entry is OCI.
  3. On the Targets page, locate the target you want to modify and click its link in the Target Name column.

    The detail page for the target displays, with the Compartment Assignment selected.

  4. To view currently defined tags, click the Tags tab.

    To modify or remove a tag, click the pencil icon to the left of the tag entry.

  5. To add tags, click Add Tags near the top, then:
    1. Select a Tag Namespace from the list.
      Selecting None... makes it a free-form tag.
    2. Select a Tag Key.
    3. Enter a Value.
    4. To add another tag, click Additional Tag, and repeat the preceding steps 1-3.
    5. To remove a tag you’ve added, click the X at the right end of the row for that tag.
      Note

      If you've only added one tag, you can't remove it.
    6. Click Add tags.
  6. For targets that aren’t Security Zone targets, to change a detector recipe, in the options panel on the left click Detector Recipes, then follow these steps:
    1. To add a recipe, click Add Recipe.
      Note

      If the Add Recipe button isn’t available, the target already has a detector recipe of each type attached. First remove the type of detector recipe that you want to add.
    2. To remove a recipe, open the Actions menu and select Remove.
  7. For Security Zone targets:
    1. To replace a detector recipe or an OCI Configuration Detector Recipe, from the Actions menu select Replace.
    2. To add any other detector recipe, click Add Recipe.
      Note

      If the Add Recipe button isn’t available, the target already has a full set of available detector recipes added. First remove the type of detector recipe that you want to add.
    3. To remove any other detector recipe, open the Actions menu and select Remove.
    4. To change the Security Zone recipe,
  8. For both OCI and Security Zone targets, to change the associated responder recipe, in the options panel on the left click Responder Recipe, then follow these steps:
    1. To add a recipe, click Add Recipe.
      Note

      If the Add Recipe button isn’t available, the target already has both a configuration detector recipe and an activity detector recipe that have been added. First remove the type of detector recipe that you want to add.
    2. To remove a recipe, open the Actions menu and select Remove.

Modifying Rule Settings in an OCI Target's Recipes

You can change the settings for individual rules in the detector and responder recipes attached to a target.

  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Targets.
  2. On the Targets page, locate the target for which you want to modify recipe rules and click its link in the Target Name column.

    The detail page for the target displays, with the Compartment Assignment selected.

What's Next

To change settings for individual rules in detector or responder recipes, see:

Modifying Detector Rule Settings in an OCI Target's Recipes

Make tactical changes in detector rules from the Targets page.

Prerequisite: Complete steps in Modifying Rule Settings in an OCI Target's Recipes to open the details page for the target for which you want to modify detector rule settings.
Note

In Security Zone targets, the security zone detector recipes have policies instead of rules, and the policies can't be modified.

In all other OCI targets, the only detector rule setting that you can change from the target level is the Conditional Group specification. To change other rule settings from the recipe level, see Modifying an OCI Detector Recipe.

For complete information on what you can modify in Oracle-managed and user-managed (cloned) detector and responder recipes, from the recipe or target level, see Modifying Recipes at Recipe and Target Levels.

  1. From the target detail page, in the Resources panel on the left, click Responder Recipe.
  2. In the row for a rule for which you want to change rule settings, open the Actions menu and select Edit.
  3. In the Conditional Groups section at the bottom:
    • If you want the rule to be applied to a compartment below the top-level compartment that's defined for the target:
      1. Open the Apply to Compartment list.
      2. Select a compartment to which the rule should be applied.
    • To set a condition on a parameter other than tags:
      1. In the Parameter list, select a parameter other than Tags.
      2. Select an Operator.
      3. Select a Value.
      4. To add another condition, click Add Condition and repeat the last three steps.
        Note

        Specifying multiple conditions acts as an AND operator. The rule is enforced only if all the conditions are met.
      5. To delete a condition, click the "X" at the right end of the row for the condition.
    • To set a condition on tags:
      1. In the Parameter list, select Tags.

        A Value box appears below the Parameter box.

      2. Select an Operator (In or Not In).
      3. Click Select Tags, to the right of the Value box.
      4. In the Select Tags dialog box:
        • To set a condition for defined tags:
          1. Select a Tag Namespace other than None (add a free-form tag).
          2. Select a Tag Key.
          3. Select or enter the Value.
        • To set a condition for free-form tags:
          1. For Tag Namespace, select None (add a free-form tag).
          2. Enter a Tag Key.
          3. Optional: Enter a Value.
        • To add another tag:
          1. Click Additional Tag.
          2. Repeat the preceding substeps for either defined or free-form tags.
            Note

            When you specify multiple tags, the rule is enforced only if all the conditions are met.
        • To delete a tag, click the "X" at the right end of the row for the tag.
        • To save your tag selections, click Select at the bottom of the Select Tags dialog box.
        • When done editing Conditional Groups for the rule, click Save.
  4. To change settings for another detector rule, repeat the preceding steps, beginning with step 2.
  5. Click Save.

Modifying Responder Rule Settings in an OCI Target's Recipes

Make tactical changes in responder rules from the Targets page.

Prerequisite: Complete steps in Modifying Rule Settings in an OCI Target's Recipes to open the details page for the target for which you want to modify responder rule settings.
Note

Responder rules can be enabled or disabled only from the recipe level, and only in user-managed (cloned) responder recipes. See Modifying an OCI Responder Recipe. You can change all other responder rule settings from the target level.

For complete information on what you can modify in Oracle-managed and user-managed (cloned) detector and responder recipes, from the recipe or target level, see Modifying Recipes at Recipe and Target Levels.

  1. From the target detail page, in the Resources panel on the left, click Responder Recipe.
  2. In the row for a rule for which you want to change rule settings, open the Actions menu and select Edit.
  3. If the Required Policy Statements section, Policy Statements list, has any statements with "Not Added" showing on the right, click Add Statements.
    Note

    These policy statements must be added to allow the responder rule to operate. For detailed information on specific Cloud Guard policies listed, see ztarg-mod.
  4. If you want the responder rule to execute automatically:
    1. In the Setting section, for Rule Trigger, select Execute Automatically.
    2. Read the informational text describing the consequences of this selection.
    3. To confirm that you want to select automatic execution, select the CONFIRM EXECUTE AUTOMATICALLY check box.
    Note

    Now, specify at least one condition in the Conditional Group section at the bottom. Automatic execution mode isn’t allowed when no conditions are defined.

    If you don't want to limit the scope of resources to which the rule is applied, specify a condition that is always true. For example:

    • Parameter = Region
    • Operator = Not In
    • Value = abc (assuming there's no region named "abc")
  5. To control post-remediation notifications, in the Input Settings section, select or clear POST REMEDIATION NOTIFICATION.
    When this option is selected, a Cloud Event is triggered after the rule successfully remediates a problem.
  6. In the Conditional Groups section at the bottom:
    1. In the Parameter list, select a parameter.
    2. Select an Operator.
    3. Select a List type.
    4. In the Value box, enter the name of the list.
    5. To add another condition, click Add Condition and repeat the last three steps.
      Note

      Specifying multiple conditions acts as an AND operator. The rule is enforced only if all the conditions are met.
    6. To delete a condition, click the "X" at the right end of the row for the condition.

    For more information on Conditional Groups, see Using Conditional Groups with Recipe Rules.

  7. Click Save.
  8. To change settings for another responder rule, repeat the preceding steps, beginning with step 2.
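Before selecting Execute Automatically, it helps to see which resources a conditional group would actually match. This added example (not Oracle code) evaluates In / Not In conditions with AND semantics over constructed sample resources; the Environment parameter and the resource names are hypothetical.

```python
# Added example: dry-run model of a responder rule's conditional group.
# Not Oracle code. Resources and the "Environment" parameter are constructed.

RESOURCES = [
    {"name": "bucket-logs", "Region": "us-ashburn-1", "Environment": "prod"},
    {"name": "bucket-tmp", "Region": "us-phoenix-1", "Environment": "dev"},
    {"name": "vm-build", "Region": "us-ashburn-1", "Environment": "dev"},
]


def condition_matches(resource, condition):
    """Evaluate one Parameter / Operator / Value row against a resource."""
    hit = resource.get(condition["parameter"]) in condition["values"]
    if condition["operator"] == "In":
        return hit
    if condition["operator"] == "Not In":
        return not hit
    raise ValueError(f"unsupported operator: {condition['operator']}")


def rule_applies(resource, conditions):
    """Multiple conditions act as AND: every row must match."""
    return all(condition_matches(resource, c) for c in conditions)


def automatic_scope(conditions, resources=RESOURCES):
    """Names of resources an automatically executed rule would act on."""
    if not conditions:
        # all([]) is True, so an empty group would match every resource;
        # automatic execution is not allowed without a condition.
        raise ValueError("automatic execution requires at least one condition")
    return [r["name"] for r in resources if rule_applies(r, conditions)]


# The always-true condition from the note: no region is named "abc".
ALWAYS_TRUE = [{"parameter": "Region", "operator": "Not In", "values": {"abc"}}]

# A narrower group: Ashburn only, and never the prod environment.
NARROWED = [
    {"parameter": "Region", "operator": "In", "values": {"us-ashburn-1"}},
    {"parameter": "Environment", "operator": "Not In", "values": {"prod"}},
]

if __name__ == "__main__":
    print("always true:", automatic_scope(ALWAYS_TRUE))
    print("narrowed:   ", automatic_scope(NARROWED))
```

The always-true condition satisfies the requirement for a condition but matches every resource in the target, so the automatic remediation scope is the whole target.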

Deleting an OCI Target

You can delete a target if you no longer need it.

Note

You must delete a Security Zone target from the OCI Security Zones service. See Deleting a Security Zone.
Caution

When you delete a target, information for all problems associated with that target disappears from the Cloud Guard console and can no longer be accessed through the API. The information remains in the Cloud Guard database until it's purged at 180 days. For more information, see Problem Lifecycle, especially the "Problem Reconciliation Process" section.
  1. Open the navigation menu and click Identity & Security. Under Cloud Guard, select Targets.
  2. Look for targets where the Type column entry is OCI.
  3. On the Targets page, select the check box for each target you want to delete, then click Delete.
  4. In the Delete target(s) dialog box, select I understand, then click Delete target(s).