Rule Configuration
Last updated: 12 January 2020
Location
Dashboard > Select {Account} > Rules settings > Update rules settings > Configure
Trend Micro Cloud One™ – Conformity offers rule configuration to allow users to adjust the behaviour of rules to meet their organisation’s needs. For example, rules that should not be run, their severity, etc. Also, some rules need to be configured to run, while others utilise defaults.
Examples of rules that need to be configured before they will run include EC2 Desired Instance Type, Approved/Golden AMIs, Security Group Naming Conventions etc. Once you configure a rule on an account, you can copy the same rule settings to other accounts for which you have administrative privileges or full access.
User Access
Configurations
Disable rule
You can disable a rule if required by unchecking Rule enabled. On disabling a rule, all violations will be removed and no more checks will be performed until the rule is re-enabled.
Assign rule severity
Every rule has a default risk level associated with it, which can be modified by selecting one of the following options from the Rule severity drop-down:
- Extreme
- Very high
- High
- Medium
- Low
Time to live
Time to live (TTL) configuration allows you to specify the length of time a Check will be displayed on the All Checks Report. The configuration is only available for certain Rules that are specific to Real-Time Threat Monitoring.
For example:
- A user signs in without MFA. The rule AWS IAM user has signed in without MFA run against the resources associated with your AWS account to create an event on RTM and a check on the All Checks Report
- This Check will be seen on the All Checks Report for the period specified in the Time to live (TTL) configuration for the rule
- After the TTL expires, the Check will be removed. Next time the user signs into their account without MFA, a new Check will be created
- However, the entire event history will still show in the Real-Time Threat Monitoring dashboard
Note: TTL is designed in such a way that prevents Conformity’s notifications service to send too many notifications for the same Check in a short period of time. After the first notification is sent for a Check, the following Checks that are identical to the one that has already been sent will be discarded during the TTL period. Once the period expires, the Check is eligible to be notified again.
Set up rule exceptions
Rule exceptions can be configured so that the rule bypasses AWS resources which match the exception input provided. Exceptions can be configured in two ways:
- Tags - Either the tag key, the tag value or a combination in the format tag key::tag value can be provided as input
- Resource Id - Resource name associated with the resource. You could also use regex expressions to configure exceptions.
Examples:
For any IAM user related rule, provide username for Resource id exceptions.
For ELBs, provide load balancer name
Note: Only resource level rules have Exception configuration. Service level rules such as ‘Root Account Usage’ will not have this configuration in their rule settings.
- Either input Tags. You can enter tag key, tag value, or a combination of both in the format ‘tagkey::tagvalue’
- Or, input Resource ids
Apply rule changes to multiple accounts
You can change rule configurations and apply the same configurations to other or all accounts in the organization.
- Make changes in any or all of the rule configurations available - Disable rule, Assign rule severity, or Set up rule exceptions
- Click Select other accounts
- From the list, check the accounts to which rule changes should be applied and Select accounts
Note:
- For audit purposes, adding a note is mandatory for every change made to the rule configuration. The changes will take effect after the subsequent bot run.
- Disabled rules are greyed out and identified by a ‘Disabled’ text highlight
- Rules with exception configured (resource id or tag) are identified by a warning icon
- Rules that need configuration prior to running are identified by a red cross icon.