Managing Responder Recipes

View, clone, and modify responder recipes to fit the specific security needs of your environment.

About Responder Recipes

Cloud Guard detectors follow rules, combined into recipes, to identify problems.

A responder is an action that Cloud Guard can take when a detector has identified a problem. The available actions are resource-specific. Each responder uses a responder recipe that defines the action or set of actions to take in response to a problem that a detector has identified.

Each responder recipe uses multiple responder rules, each of which defines the specific actions to take.

Cloud Guard provides a set of responders with default rules. You can:

  • Use these responders as is.
  • Clone any of the default responders and modify the rules to meet specific needs.
  • Enable and disable responder rules individually.
  • Limit the scope for applying individual rules by specifying conditions that must be met.

Cloud Guard supports two types of responder recipes:

  • Oracle-Managed recipes are provided by Oracle and you can't modify them.
  • User-Managed recipes must be created by cloning an Oracle-managed recipe. You can modify user-managed recipes as needed.

For more information on the following topics, see Overview of Recipes:

  • Differences between Oracle-managed and user-managed recipes
  • How user-managed recipes work
  • What settings can be changed at the recipe and target levels

Policy Statements for Responders

Add policy statements that are required for particular responders.

Caution

Enabling responders gives Cloud Guard permissions to modify security settings in your environment to remediate, on your behalf, problems that the responders detect. Ensure that granting these permissions does not violate your organization's security policies.

The following policy statements are required for particular responders. Based on the responder type, one of these policies is needed during manual or automatic remediation.

allow service cloudguard to manage instance-family in compartment <compartment_name>
allow service cloudguard to manage object-family in compartment <compartment_name>
allow service cloudguard to manage buckets in compartment <compartment_name>
allow service cloudguard to manage users in compartment <compartment_name>
allow service cloudguard to manage policies in compartment <compartment_name>
allow service cloudguard to manage keys in compartment <compartment_name>
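
One way to review what Cloud Guard has been granted before enabling responders, as an added example (not Oracle's code): it parses policy statements in the format shown above and flags grants that are tenancy-wide, not on an approved list, or for resource types this page does not list. The function name, the approved-list idea, and the sample statements are assumptions constructed for illustration.

```python
import re

# Resource types named in this page's policy statements for responders.
PAGE_RESOURCES = {"instance-family", "object-family", "buckets",
                  "users", "policies", "keys"}

# Matches: allow service cloudguard to <verb> <resource> in tenancy | compartment <name>
STMT = re.compile(
    r"^\s*allow\s+service\s+cloudguard\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?:tenancy|compartment\s+(?P<name>\S+))",
    re.IGNORECASE,
)

def audit_cloudguard_grants(statements, approved):
    """Return (grants, findings) for Cloud Guard service statements.

    approved: set of (resource, compartment) pairs the organization signed off on.
    """
    grants, findings = [], []
    for line in statements:
        m = STMT.match(line)
        if not m:
            continue  # not a Cloud Guard service grant
        verb, resource = m["verb"].lower(), m["resource"].lower()
        compartment = m["name"]  # None means the grant is tenancy-wide
        grants.append((verb, resource, compartment or "tenancy"))
        if resource not in PAGE_RESOURCES:
            findings.append(f"{resource}: not a resource type listed for responders")
        elif compartment is None:
            findings.append(f"{resource}: granted tenancy-wide, not per compartment")
        elif verb == "manage" and (resource, compartment) not in approved:
            findings.append(f"{resource} in {compartment}: manage grant not approved")
    return grants, findings

# Constructed sample policy text (compartment and group names are placeholders).
SAMPLE = [
    "allow service cloudguard to manage buckets in compartment prod-storage",
    "allow service cloudguard to manage users in tenancy",
    "allow service cloudguard to manage instance-family in compartment dev",
    "allow group Admins to manage all-resources in tenancy",
    "allow service cloudguard to manage vaults in compartment prod-storage",
]
APPROVED = {("buckets", "prod-storage")}

if __name__ == "__main__":
    for finding in audit_cloudguard_grants(SAMPLE, APPROVED)[1]:
        print(finding)
```
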

Viewing Details for a Responder Recipe

Open the Responder Recipes page, sort and filter the list, and view details for a specific responder recipe.

  1. From the Cloud Guard options panel on the left, select Responder Recipes.

    The column headers provide summary information for the responder recipes:

    • Recipe Name - the name of the responder recipe.
    • Oracle Managed - shows Yes if the responder recipe is Oracle-managed, No if user-managed.
    • Created - the date the responder recipe was created.
    Note

    If you have not yet cloned the OCI Responder Recipe (Oracle Managed), that is the only recipe that appears in the list.
  2. To filter the list of responder recipes, you can:
    • Start typing in the Filter by... box at the top right.
    • Under Scope at lower left, select a different Compartment.
    • To the right of Tag Filters at lower left:
      1. Click the add link.
      2. In the Apply tag filter dialog box, select a Tag Namespace.

        Select None (free-form tag) if you want to manually enter the Tag Key.

      3. Select a Tag Key.

        Manually enter the Tag Key if you selected None (free-form tag) for the Tag Namespace.

      4. For Value:
        • Select Match any value if you want any tag value to count as a match.
        • Select Match any of the following and manually enter values, separated by commas, if you want only the values you enter to count as a match.
        • To add more values for this tag, click the plus sign (+) at the lower right.
      5. Click Apply Filter.
  3. To view details for a particular responder recipe, click its link in the Recipe Name column.
  4. In the Details tab, OCID row:
    • Click the Show link to show the full OCID.
    • Click the Copy link to copy the full OCID to the clipboard.
  5. If the responder recipe you're viewing is user-managed, you can view tags that have been assigned:
    1. Click the Tags tab.
    2. View the tags that have been assigned.
      If no tags have been assigned, you see "There are no Tags associated with this resource."
  6. In the Responder Rules section, use the column headers to identify the information shown:
    • Responder Rules - the name of each responder rule in the recipe.
    • Type - the rule type.
      • NOTIFICATION rules only send a notification when the violation occurs.
      • REMEDIATION rules actually remediate the violation.
    • Status - each rule can be Enabled or Disabled independently.
    • Conditional Group - are conditions configured for the rule? Yes or No.
  7. In the Responder Rules section,
    • To show summary information for a responder rule, click the Expand icon at the right end of its row.
    • To show configuration information for a responder rule, open the Actions menu and select Edit.

Cloning a Responder Recipe

Clone responder recipes to fine-tune the set of responder recipes available to use in your environment.

You can use Oracle-managed responder recipes as is, but you can't change many of their settings. Also, you might want to create another responder recipe that's similar to a user-managed responder recipe that you cloned previously.

Whenever you want to create a responder recipe, you can clone the existing (Oracle-managed or user-managed) recipe with the settings that are most similar to what you want in the new recipe.

  1. From the Cloud Guard options panel on the left, select Responder Recipes.
  2. (Optional) In the Scope section at lower left, set parameters to filter what appears in the list:
    • Set Compartment to display only responder recipes attached to a specific compartment.
    • If you also want responder recipes attached to compartments below the selected compartment to appear in the list, select Include Child Compartments.
  3. Click Clone, then in the Clone Responder Recipe dialog box:
    1. From the Cloning list, select the responder recipe you want to clone.
      Note

      The recipe must be in the same tenancy where you are logged in.

    2. Enter a Name for the new responder recipe.
      Avoid entering confidential information.
    3. (Optional) Enter a Description for the new responder recipe.
      Avoid entering confidential information.
    4. Specify a Compartment Assignment by selecting from the list.
    5. Click Clone.

      The new responder recipe appears in the Responder Rules list.

Modifying a Responder Recipe

You can modify a few recipe settings in an Oracle-managed responder recipe, and more settings in a user-managed (cloned) responder recipe.

  1. From the Cloud Guard options panel on the left, select Responder Recipes.
  2. Locate the responder recipe you want to modify.
    Oracle-managed responder recipes show Yes in the Oracle Managed column, and user-managed show No.
  3. Click the recipe's link in the Recipe Name column.

    The details page for the responder recipe opens. Here you can modify the responder recipe's individual rules.

  4. If the responder recipe is user-managed (cloned):
    • To change the responder recipe's name or description:
      1. Click Edit below the responder recipe's name on the details page.
      2. In the Edit Responder Recipe dialog box, edit the Name or Description entries.

        Avoid entering confidential information.

      3. Click Save.
    • To attach the responder recipe to a different compartment:
      1. Click Move Resource below the responder recipe's name on the details page.
      2. In the Move Resource to a Different Compartment dialog box, select the new compartment from the Choose New Compartment list, then click Move Resource.
    • To see tags that have been added to the responder recipe, click the Tags tab below the responder recipe's name on the details page.
      Note

      Tagging isn't supported in Oracle-managed responder recipes.
    • To add tags to the responder recipe:
      Note

      Tagging isn't supported in Oracle-managed responder recipes.
      1. Click Add Tags below the responder recipe's name on the details page.
      2. In the Add One Or More Tags To This Resource dialog box, select a Tag Namespace, then enter a Tag Key and a Value.
      3. To add another tag, click Another Tag, then repeat the previous step.
      4. When you finish adding tags, click Add Tags.
    • To enable or disable groups of rules:
      1. Select check boxes to the left of the rule names (current Status for all must be the same).
      2. Click Enable or Disable at the top of the list.
    • To delete the responder recipe:
      1. Click Delete below the responder recipe's name on the details page.
      2. In the Delete Responder Recipe dialog box, click Yes.

Next Steps

Ensure that you:

Modifying Rule Settings in a Responder Recipe

You can modify a few rule settings in an Oracle-managed responder recipe, and more settings in a user-managed (cloned) responder recipe.

Note

From the recipe level, the only change you can make in responder rule settings is to enable and disable rules in user-managed (cloned) responder recipes. You can't change any rule settings for an Oracle-managed responder recipe from the recipe level.

For complete information on what you can modify in Oracle-managed and user-managed (cloned) responder recipes, from the recipe or target level, see Modifying Recipes at Recipe and Target Levels.

  1. Navigate to the detail page for the user-managed (cloned) responder recipe in which you want to modify rule settings.
  2. Locate an individual responder rule that you want to modify, open the Actions menu, and select Edit.
  3. If the responder recipe is user-managed (cloned), in the top part of the Edit Responder Rule dialog box, you can change the rule's Status (Enabled vs. Disabled).
  4. To change settings for another responder rule, repeat the preceding steps, beginning with step 2.
  5. Click Save.

Next Steps

Ensure that you:

Deleting a User-Managed (Cloned) Responder Recipe

You can delete responder rules for any cloned copy of an Oracle-managed responder.

  1. From the Cloud Guard options panel on the left, select Responder Recipes.
  2. Locate the cloned responder recipe you want to delete.
    Cloned responder recipes have "No" in the Oracle Managed column.
  3. Open the Actions menu and select Delete.
  4. Click Yes to confirm the deletion.