Managing Targets

You can add targets to expand or change the scope of resources that Cloud Guard monitors.

A target defines the scope of what Cloud Guard checks. A target can consist of your entire OCI tenancy, or any combination of compartments below the top level. Specify at least one target when you enable Cloud Guard. You can define more targets later.

Viewing Details for a Target

View the details for a target to see exactly what scope of resources it specifies for Cloud Guard to monitor.

  1. From the Cloud Guard options panel on the left, select Targets.

    The Targets page lists all targets currently defined.

    Note

    Initially, the list shows only what was specified in the Compartments to Monitor option. If None was selected, this list is initially empty.
  2. To filter the list of targets, start typing in the Filter by target name box.
  3. To view details for a specific target, click the link in the Target Name column.

    You can also open the Actions menu and select View Details.

  4. To view the OCID for the target, click the Cloud Guard Target Information tab near the top.
  5. To view tags assigned to the target, click the Tags tab.
  6. To add tags to the target, click Add Tags, below the target name, then in the Add One Or More Tags To This Resource dialog box:
    1. Select a Tag Namespace from the list.
      Selecting None... makes it a free-form tag.
    2. Enter a Tag Key.
    3. Enter a Value.
    4. To add another tag, click + Additional Tag, and repeat preceding steps a-c.
    5. To remove a tag you have added, click the X at the right end of the row for that tag.
      If you've only added one tag, click the Close link at the top right.
    6. When you are done, click Add Tags.
  7. To view compartments assigned to the target:
    1. In the Resources panel on the left, click Compartment Assignment.
      A list of compartments assigned to the target is displayed in the Compartment Assignment section.
    2. To view inheritance information for a compartment, expand the compartment row using the Expand icon at the right end.
  8. To view detector recipes enabled for the target:
    1. In the Resources panel on the left, click Detector Recipes.
      A list of detector recipes enabled for the target is displayed in the Detector Recipes section. A check mark in the (Oracle Managed) column indicates that the recipe is Oracle managed.
    2. To view the rules in a detector recipe, click the link in the Recipe Name column.

      You can also open the Actions menu and select View Details.

      The rules for the detector recipe are listed in the Detector Rules section of the page that opens.

    3. To edit a detector rule (that's not Oracle managed) from this page, open the Actions menu and select Edit.
  9. To view responder recipes enabled for the target:
    1. In the Resources panel on the left, click Responder Recipes.
      A list of responder recipes enabled for the target is displayed in the Responder Recipes section. A check mark in the (Oracle Managed) column indicates that the recipe is Oracle managed.
    2. To view the rules in a responder recipe, click the link in the Recipe Name column.

      You can also open the Actions menu and select View Details.

      The rules for the detector recipe are listed in the Detector Rules section of the page that opens.

    3. To see the Description and Conditional Group information for a responder recipe rule, open the Actions menu and select Edit.
    4. To edit a responder rule (that's not Oracle managed) from this page, open the Actions menu and select Edit.

Creating a Target

Create a target to define an extra scope of resources for Cloud Guard to monitor.

  1. From the Cloud Guard options panel on the left, select Targets.
  2. On the Targets page, click Create New Target.
  3. In the Create New Target dialog box, enter a Name for the new target.
  4. (Optional) Enter a Description.
  5. Select a Compartment Assignment.
    Select a compartment from the list. The list is an expandable, collapsible hierarchy of all the compartments available.
    Note

    You can select only a single compartment. Any child compartments under the selected compartment inherit the detector and responder recipe settings for the target.

    To exclude a child compartment from the monitoring that applies to the rest of the target, create a separate target and specify that compartment in the Compartment Assignment.

  6. Select an OCI Configuration Detector Recipe.
  7. Select an OCI Activity Detector Recipe.
  8. (Optional) Select a Responder Recipe.

    If no responder recipes are available, responders are not enabled. See Managing Responder Recipes.

    Note

    If responders are enabled, and you do not add a responder to the target, full functionality for responders is not available within the target.
  9. (Optional) To add tags to the target, click Show Advanced Options, then:
    1. Select a Tag Namespace from the list.
      Selecting None... makes it a free-form tag.
    2. Select a Tag Key.
    3. Enter a Value.
    4. To add another tag, click + Additional Tag, and repeat preceding steps a-c.
    5. To remove a tag you have added, click the X at the right end of the row for that tag.
      If you've only added one tag, you can't remove it. If removing the tag is important, click Cancel at the bottom of the dialog box, then click Create New Target to start over.
  10. Click Create.

    The detail page for the new target displays.
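
As an added illustration (not Oracle's code or API), the following Python models the inheritance rule from the Compartment Assignment note to audit which compartments a set of targets actually covers. The compartment names, target names, and the nearest-ancestor resolution rule are assumptions made for the example.

```python
# Constructed compartment tree: child -> parent (None marks the tenancy root).
PARENT = {
    "tenancy": None,
    "prod": "tenancy",
    "prod-db": "prod",
    "prod-web": "prod",
    "dev": "tenancy",
    "sandbox": "dev",
}

# Constructed targets: target name -> the single compartment it is assigned to.
TARGETS = {
    "prod-target": "prod",
    "prod-db-strict": "prod-db",  # separate target carving out a child compartment
}


def effective_target(compartment, parent=PARENT, targets=TARGETS):
    """Return the name of the target governing a compartment, or None.

    Assumption: the nearest assignment wins, so a target assigned directly to
    a child compartment takes precedence over one inherited from an ancestor.
    """
    by_compartment = {comp: name for name, comp in targets.items()}
    seen = set()
    node = compartment
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in compartment tree at {node!r}")
        seen.add(node)
        if node in by_compartment:
            return by_compartment[node]
        node = parent[node]  # walk up towards the tenancy root
    return None


def coverage_report(parent=PARENT, targets=TARGETS):
    """Map every compartment to its effective target (None = unmonitored)."""
    return {comp: effective_target(comp, parent, targets) for comp in parent}


def unmonitored(parent=PARENT, targets=TARGETS):
    """Compartments that no target reaches: gaps in the monitored scope."""
    report = coverage_report(parent, targets)
    return sorted(comp for comp, target in report.items() if target is None)


if __name__ == "__main__":
    for comp, target in coverage_report().items():
        print(f"{comp:10} -> {target or 'NOT MONITORED'}")
```

Parent compartments are not covered by a target assigned to one of their children, which is why the tenancy root and the dev branch show up as gaps in the constructed data.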

Modifying Recipes Added to a Target

You can change the detector and responder recipes added to a target.

  1. From the Cloud Guard options panel on the left, select Targets.
  2. On the Targets page, locate the target you want to modify and click its link in the Target Name column.

    The detail page for the target displays, with the Compartment Assignment selected.

  3. To view tags currently defined for the target, click the Tags tab.

    To modify or remove a tag, click the pencil icon to the left of the tag entry.

  4. To add tags to the target, click Add Tags near the top, then:
    1. Select a Tag Namespace from the list.
      Selecting None... makes it a free-form tag.
    2. Enter a Tag Key.
    3. Enter a Value.
    4. To add another tag, click + Additional Tag, and repeat preceding steps a-c.
    5. To remove a tag you have added, click the X at the right end of the row for that tag.
      If you've only added one tag, click the Close link at the top right.
    6. When you are done, click Add Tags.
  5. To change an associated detector recipe, in the options panel on the left click Detector Recipes, then follow these steps:
    1. To add a recipe, click Add Recipe.
      Note

      If the Add Recipe button is not available, the target already has both a configuration detector recipe and an activity detector recipe that have been added. First remove the type of detector recipe that you want to add.
    2. To remove a recipe, open the Actions menu and select Remove.

Modifying Rule Settings in a Target's Recipes

After a detector or responder recipe has been added to a target, you can change the settings for individual rules in the recipe.

  1. From the Cloud Guard options panel on the left, select Targets.
  2. On the Targets page, locate the target for which you want to modify recipe rules and click its link in the Target Name column.

    The detail page for the target displays, with the Compartment Assignment selected.

What's Next

To change settings for individual rules in detector or responder recipes, see:

Modifying Detector Rule Settings in a Target's Recipes

Make tactical changes in detector rules from the Targets page.

Prerequisite: Complete steps in Modifying Rule Settings in a Target's Recipes to open the details page for the target for which you want to modify detector rule settings.
Note

Enabling or disabling rules for user-managed (cloned) detector recipes must be done from the recipe level. See Modifying a Detector Recipe.

For complete information on what you can modify in Oracle-managed and user-managed (cloned) detector recipes, see Modifying Recipes at Recipe and Target Levels.

  1. On the details page for the target, under Resources on the left, click Detector Recipes.
  2. In the row for a detector rule for which you want to change settings, open the Actions menu and select Edit.
  3. In the Conditional Groups section at the bottom:
    • If you want the rule to be applied to a compartment below the top-level compartment that's defined for the target:
      1. Open the Apply to Compartment list.
      2. Select a compartment to which the rule should be applied.
    • To set a condition on a parameter other than tags:
      1. In the Parameter list, select a parameter other than Tags.
      2. Select an Operator.
      3. Select a Value.
      4. To add another condition, click Add Condition and repeat the last three steps.
        Note

        Specifying multiple conditions acts as an AND operator. The rule is enforced only if all the conditions are met.
      5. To delete a condition, click the "X" at the right end of the row for the condition.
    • To set a condition on tags:
      1. In the Parameter list, select Tags.

        A Value box appears below the Parameter box.

      2. Select an Operator (In or Not In).
      3. Click Select Tags, to the right of the Value box.
      4. In the Select Tags dialog box:
        • To set a condition for defined tags:
          1. Select a Tag Namespace other than None (add a free-form tag).
          2. Select a Tag Key.
          3. Select or enter the Value.
        • To set a condition for free-form tags:
          1. For Tag Namespace, select None (add a free-form tag).
          2. Enter a Tag Key.
          3. (Optional) Enter a Value.
        • To add another tag:
          1. Click Additional Tag.
          2. Repeat the steps above for either defined or free-form tags.
            Note

            When you specify multiple tags, the rule is enforced only if all the conditions are met.
        • To delete a tag, click the "X" at the right end of the row for the tag.
        • To save your tag selections, click Select at the bottom of the Select Tags dialog box.
    For more information on Conditional Groups, see Using Conditional Groups with Recipe Rules.
  4. To change settings for another detector rule, repeat the preceding steps, beginning with step 3.
  5. Click Save.

Modifying Responder Rule Settings in a Target's Recipes

Make tactical changes in detector rules from the Targets page.

Prerequisite: Complete steps in Modifying Rule Settings in a Target's Recipes to open the details page for the target for which you want to modify responder rule settings.
Note

Enabling or disabling rules for user-managed (cloned) responder recipes must be done from the recipe level. See Modifying a Responder Recipe.

For complete information on what you can modify in Oracle-managed and user-managed (cloned) detector recipes, see Modifying Recipes at Recipe and Target Levels.

  1. On the details page for the target, under Resources on the left, click Responder Recipes.
  2. In the row for a responder rule for which you want to change settings, open the Actions menu and select Edit.
  3. If the Policy Statements list in the Required Policy Statements section has any statements with "Not Added" showing on the right, click Add Statements.
    Note

    These policy statements must be added to allow the responder rule to operate. For detailed information on specific Cloud Guard policies listed, see Cloud Guard Policies.
  4. If you want the responder rule to execute automatically:
    1. In the Setting section, for Rule Trigger, select Execute Automatically.
    2. Read the informational text describing the consequences of this selection.
    3. To confirm that you want to select automatic execution, select the CONFIRM EXECUTE AUTOMATICALLY check box.
    Note

    Now specify at least one condition in the Conditional Group section at the bottom. Automatic execution mode is not allowed when no conditions are defined.

    If you don't want to limit the scope of resources to which the rule is applied, specify a condition that is always true. For example:

    • Parameter = Region
    • Operator = In
    • Value = abc (assuming there's no region named "abc")
  5. In the Conditional Group section at the bottom, you can:
    1. Select a Parameter.
    2. Select an Operator.
    3. Select a Value.
    4. To add another condition, click Add Condition and repeat the last three steps.
      Note

      When you specify multiple conditions, the conditions are ANDed. The rule is enforced only if all conditions are met. If you need to OR multiple conditions, clone a separate recipe for each condition and specify only one condition for the rule in each recipe.
  6. To control post-remediation notifications, in the Input Settings section, select or deselect POST REMEDIATION NOTIFICATION.
    When this option is selected, a Cloud Event is triggered after the rule successfully remediates a problem.
  7. Click Save.
  8. To change settings for another responder rule, repeat the preceding steps, beginning with step 2.

Deleting a Target

If a target is no longer needed, you can delete it.

Caution

When you delete a target, information for all problems associated with that target disappears from the Cloud Guard console and can no longer be accessed through the API. The information remains in the Cloud Guard database until it's purged at 180 days.
  1. From the Cloud Guard options panel on the left, select Targets.
  2. On the Targets page, select the check box for each target you want to delete.
  3. Click Delete to confirm the deletion.