
Oracle Cloud Infrastructure Cloud Guard

Cloud Guard FAQ


Pre-Release, Limited Availability Documentation

Copyright © 2020, Oracle and/or its affiliates. All rights reserved.
Pre-General Availability: 2020-08-30
This documentation is in pre-General Availability status and is intended for demonstration and
preliminary use only. It may not be specific to the hardware on which you are using the
software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to this documentation and will not be responsible for any
loss, costs, or damages incurred due to the use of this documentation.
The information contained in this document is for informational sharing purposes only and
should be considered in your capacity as a customer advisory board member or pursuant to
your pre-General Availability trial agreement only. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described in this
document remains at the sole discretion of Oracle.
This document in any form, software or printed matter, contains proprietary information that is
the exclusive property of Oracle. Your access to and use of this confidential material is subject
to the terms and conditions of your Oracle Master Agreement, Oracle License and Services
Agreement, Oracle PartnerNetwork Agreement, Oracle distribution agreement, or other license
agreement which has been executed by you and Oracle and with which you agree to comply.
This document and information contained herein may not be disclosed, copied, reproduced, or
distributed to anyone outside Oracle without prior written consent of Oracle. This document is
not part of your license agreement nor can it be incorporated into any contractual agreement
with Oracle or its subsidiaries or affiliates.
This software and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws. Except as
expressly permitted in your license agreement or allowed by law, you may not use, copy,
reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish,
or display any part, in any form, or by any means. Reverse engineering, disassembly, or
decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to
be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone
licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system,
integrated software, any programs installed on the hardware, and/or documentation, delivered
to U.S. Government end users are "commercial computer software" pursuant to the applicable
Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use,
duplication, disclosure, modification, and adaptation of the programs, including any operating
system, integrated software, any programs installed on the hardware, and/or documentation,
shall be subject to license terms and license restrictions applicable to the programs. No other
rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management
applications. It is not developed or intended for use in any inherently dangerous applications,
including applications that may create a risk of personal injury. If you use this software or
hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe,
backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and
its affiliates disclaim any liability for any damages caused by use of this software or hardware in
dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may
be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All
SPARC trademarks are used under license and are trademarks or registered trademarks of
SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered
trademark of The Open Group.

This software or hardware and documentation may provide access to or information about
content, products, and services from third parties. Oracle Corporation and its affiliates are
not responsible for and expressly disclaim all warranties of any kind with respect to third-party
content, products, and services unless otherwise set forth in an applicable agreement between
you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs,
or damages incurred due to your access to or use of third-party content, products, or services,
except as set forth in an applicable agreement between you and Oracle.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility
Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Oracle customers that have purchased support have access to electronic support through My
Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

General
1. What is Cloud Guard?
Oracle Cloud Guard helps customers maintain a good security posture by detecting weak security
configurations and risky activities that can indicate cloud security threats.
Cloud Guard detects security problems within a customer tenancy by ingesting audit and
configuration data about resources in each region, processing that data against detector rules,
and correlating the resulting problems in the reporting region.
Identified problems are used to produce dashboards and metrics and may also trigger one or
more provided responders to help resolve the problem. Responders can mitigate, correct, and
prevent security issues based on a problem.
2. How much does/will Cloud Guard cost?
Cloud Guard for OCI Configuration and Activity is provided free of charge for supported OCI
services.
3. Is Cloud Guard a regional or global service?
Cloud Guard is implemented regionally and aggregates problems to the customer-selected
reporting region to provide a global view.
4. Can I have more than one reporting region?
No, Cloud Guard allows only a single reporting region.
5. Can I have more than one Cloud Guard running in my tenancy?
No. Only one instance of Cloud Guard can run in the tenancy.
6. Can I limit Cloud Guard to specified compartments?
Yes, Cloud Guard can be configured to monitor specific compartments or compartment
hierarchies, or to exempt compartments from monitoring.
7. Which regions are monitored?
All commercial regions for the tenancy will be “monitored regions”. See the list of currently
supported regions here: https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm
8. Can Cloud Guard monitor across tenancies?
No. Cloud Guard is specific to the OCI tenancy in which it runs.
9. Can I change the reporting region?
Yes, the reporting region can be changed; however, existing Cloud Guard data will not be moved
from the old reporting region to the new one.
10. Does Cloud Guard show me any metrics that indicate my current Security Posture?
Yes, Cloud Guard provides two key metrics, the Risk Score and the Security Score, as part of
the Overview page in the Console. Security Score is a normalized value ranging from 0 to 100
that uses the number, types, and severity of problems to determine an overall assessment of
the strength of security posture. Risk Score complements the Security Score by evaluating the
total number of resources being monitored, the sensitivity of each resource type, and the
severity of any problems related to those resources, to determine the total risk exposure of a
tenancy. Taken together, the two scores distinguish a “small but insecure” environment from a
“large but overall secure” one.
11. What kind of compliance standards does Cloud Guard support today?

Cloud Guard aligns with the CIS Foundations benchmark standard for OCI. Additional
compliance features are expected post-GA.
12. What’s the difference between Cloud Guard and other OCI SIEM-based services and
tools?
Cloud Guard provides a complete security posture view of an OCI tenancy by ingesting not just
audit/log data but also by monitoring configuration changes in each resource. Out-of-the-box
(OOTB) detectors are provided and enabled by default in Cloud Guard to detect problems with
your resources. SIEM-based services ingest log data from resources and applications and provide
a search/analytics engine for performing investigations and detecting problems. Automated
remediation (Responders) can be configured and initiated by Cloud Guard, whereas in SIEM tools
any response action has to be defined as part of the rule itself.
13. How can Cloud Guard integrate with my SecOps and incident response processes?
Most customers want cloud security monitoring to integrate with existing processes,
procedures, and people. Many InfoSec teams will feed Cloud Guard problems into their internal
SIEM tools to tie those problems to their internal processes. These integrations may use the
Cloud Guard APIs and/or existing OCI services such as OCI Events, OCI Notifications, and OCI
Functions. Cloud Guard problems can be published as OCI Events that trigger, for example,
sending problems to email, Slack, and PagerDuty as well as to custom OCI Functions. Customers
can also use Events to OCI Functions to build custom integrations or responses for their own
use cases.
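The Events-based integration described above, as an added example in Python (not code from this FAQ or from Oracle): the condition you would put on an OCI Events rule to select Cloud Guard problem events, a local approximation of the rule matching so the routing can be tested offline, and a handler in the shape OCI Functions invokes that flattens the event and decides which channels to notify by risk level. The event type names follow the com.oraclecloud.cloudguard.* pattern; the keys under data.additionalDetails (riskLevel, problemName, detectorRuleId), the channel names, and the sample event are assumptions constructed for the example. Confirm the field names against a real event from your tenancy before wiring this up.

```python
"""Route Cloud Guard problem events to SecOps channels by risk level.

Added example, not code from the Cloud Guard FAQ or from Oracle. Assumes the
OCI Events envelope (eventType, source, eventTime, data) and Cloud Guard event
types named com.oraclecloud.cloudguard.problemdetected / problemremediated.
The data.additionalDetails keys used (riskLevel, problemName, detectorRuleId)
are assumptions; verify them against a real event before relying on them.
"""
import copy
import io
import json
from typing import Any, Dict, List, Optional

# Condition for the OCI Events rule so that only the Cloud Guard problem events of
# interest reach the subscribed Notifications topic or Function. rule_matches() is
# a local approximation of the matching semantics (exact match; a list = any-of).
EVENT_RULE_CONDITION: Dict[str, Any] = {
    "eventType": ["com.oraclecloud.cloudguard.problemdetected",
                  "com.oraclecloud.cloudguard.problemremediated"],
    "data": {"additionalDetails": {"riskLevel": ["CRITICAL", "HIGH"]}},
}
# Channel names are assumptions for this example, not Cloud Guard concepts.
ROUTING: Dict[str, List[str]] = {"CRITICAL": ["pagerduty", "slack"], "HIGH": ["slack"]}


def _matches(expected: Any, actual: Any) -> bool:
    """Dicts match key by key, lists mean any-of, anything else must be equal."""
    if isinstance(expected, dict):
        return isinstance(actual, dict) and all(
            _matches(v, actual.get(k)) for k, v in expected.items())
    if isinstance(expected, list):
        return actual in expected
    return expected == actual


def rule_matches(event: Dict[str, Any],
                 condition: Dict[str, Any] = EVENT_RULE_CONDITION) -> bool:
    """Would an Events rule with this condition deliver the event?"""
    return _matches(condition, event)


def normalize_problem(event: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the envelope into the fields a SIEM or pager needs."""
    data = event.get("data") or {}
    details = data.get("additionalDetails") or {}
    return {
        "event_time": event.get("eventTime", ""),
        "risk_level": str(details.get("riskLevel", "UNKNOWN")).upper(),
        "problem_name": details.get("problemName", ""),
        "detector_rule_id": details.get("detectorRuleId", ""),
        "resource_name": data.get("resourceName", ""),
        "compartment_name": data.get("compartmentName", ""),
    }


def route(event: Dict[str, Any]) -> List[str]:
    """Channels to notify; empty if the Events rule would not fire at all."""
    if not rule_matches(event):
        return []
    return ROUTING.get(normalize_problem(event)["risk_level"], ["email"])


def handler(ctx: Any, data: io.BytesIO) -> str:
    """Entry point in the shape OCI Functions (fdk) invokes: ctx plus a BytesIO body."""
    event = json.loads(data.getvalue())
    return json.dumps({"channels": route(event), "problem": normalize_problem(event)})


# Constructed sample in the envelope shape; not captured from a real tenancy.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventType": "com.oraclecloud.cloudguard.problemdetected",
    "source": "CloudGuard",
    "eventTime": "2020-08-30T10:15:00Z",
    "data": {
        "compartmentName": "prod",
        "resourceName": "public-bucket-01",
        "additionalDetails": {"riskLevel": "CRITICAL",
                              "problemName": "Bucket is public",
                              "detectorRuleId": "BUCKET_IS_PUBLIC"},
    },
}


def variant(event: Dict[str, Any], risk_level: Optional[str] = None,
            event_type: Optional[str] = None) -> Dict[str, Any]:
    """Copy of an event with another risk level and/or event type, for testing."""
    e = copy.deepcopy(event)
    if risk_level is not None:
        e["data"]["additionalDetails"]["riskLevel"] = risk_level
    if event_type is not None:
        e["eventType"] = event_type
    return e


def run_sample(event: Dict[str, Any] = SAMPLE_EVENT) -> Dict[str, Any]:
    """Invoke handler() the way the platform would, with the body as bytes."""
    return json.loads(handler(None, io.BytesIO(json.dumps(event).encode())))
```

Deploy handler() as an OCI Function and subscribe it (or a Notifications topic) to an Events rule carrying EVENT_RULE_CONDITION. Keeping the routing table in the function, rather than in each detector rule's severity setting, gives one place to tune which problems page someone and which only land in a mailbox or the SIEM.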

14. Can I use Cloud Guard in read-only mode?
Yes. Cloud Guard provides IAM permissions that cover its individual components, for example
read or manage permissions for just detector recipes, targets, or problems, so a group can be
granted read-only access. Policies can also be written to enable Cloud Guard at the
compartment level instead of the tenancy. Please refer to the Cloud Guard documentation<add link here> for
the definitions of these permissions and use cases around them.

Managing Cloud Guard

Cloud Guard Targets

1. What is a Cloud Guard target?
Targets set the scope of resources to be examined. For OCI, compartments and their
descendant structures can be set as targets.
2. How can I monitor my entire tenancy?
You can simply create a target at your root compartment in your tenancy and every
child compartment will automatically be monitored by the recipes assigned to that
target.
3. What happens when a new compartment or resource is created? Do I need to
reconfigure Cloud Guard to see that?
Once you have applied a target (and assigned detector recipes) to a compartment, any
new compartment or resource created in that compartment will automatically be
monitored by Cloud Guard.
4. How can I exempt a compartment in a hierarchy?
If you want to exclude compartment A2, create another target at A2 (a child-compartment
target) that has no detector or responder recipe assigned. Cloud Guard will not evaluate a
detector against a target that is not within the scope of the detector.
5. Can targets overlap?
No.
6. Can I apply 2 different configuration detectors to the same compartment?
No. Only one detector recipe of each type (Configuration or Activity) can be attached to a
target.
7. Do target compartments inherit from parents for detectors?
Yes, by default. When you define a target you can specify inheritance. A compartment
can only “exist” in one target at a time.

Cloud Guard Detectors

8. What is a detector rule?
Detectors are Cloud Guard components that identify issues with resources or user
actions and alert when an issue is found.
9. What types of detectors are available?
Cloud Guard for OCI IaaS provides two detector types: OCI Configuration and OCI Activity.
10. What is a detector recipe?
A detector recipe is a set of detector rules that can be applied to your target.
11. Can I create my own detector recipe?
You can clone an existing Oracle-managed recipe to create a user-managed recipe, but there is
currently no option to create one from scratch. For example, you cannot create a single recipe
that mixes a few rules from the Activity recipe with a few from the Configuration recipe.
Similarly, you cannot write your own rules; you can, however, enable or disable rules in a
recipe to set the appropriate baseline for your environment.
12. Are more detector rules coming?
Yes. New detector rules will be added automatically to all detector recipes of the correct
type as they are released. When you clone an Oracle-managed detector recipe, if a new
detector rule is added to the Oracle-managed recipe, all cloned “children” of that recipe
will inherit the new rule with the rule’s default configuration.
13. Will a new rule change my detector rule configuration?
Updating an Oracle-managed rule, for example changing the default values of any settings in
the rule, overwrites the rule configuration in the Oracle-managed recipe; no changes are made
to any clones of the recipe.
14. Will a new version of a rule change my detector rule configuration?
15. Can I request new detector rules?
Of course. If you or your customer think a particular rule would be beneficial in enhancing
security posture, please send the details to the Cloud Guard PM group and we will see whether
it can be made part of the roadmap.
16. What is the poll frequency currently for the detectors to trigger problems?
Problems are currently raised on a polling cycle of around 25-30 minutes.
For more details on the SLA around problem detection, please talk to the Cloud Guard
PM team.
17. What kinds of configuration do detector rules require?
This depends on the type of detector and the resource it checks. All detector rules allow the
severity to be configured.
Configuration detector rules typically permit setting a value, a type, or exemptions from the
check.
Activity detector rules may allow inclusion or exclusion by OCID, users/groups, and/or IP data.

Cloud Guard Problems

18. What are Cloud Guard problems?
Problems are notifications that a configuration or activity is a potential security issue.
Problems are detected once you have created targets and assigned detector recipes to
those targets. Problems can be filtered by detector type, time detected, risk level, and
resource type from the Problems page.
19. Can I get a report of problems from the Problems console page?
Not currently, but this is on the roadmap. You can, however, use the Cloud Guard APIs to
export problems. You can also integrate Cloud Guard with OCI Events and Notifications to
notify users via email or Slack about these problems.
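Exporting problems through the API, as an added Python example that is not part of this FAQ or of Oracle's tooling: it pages through list_problems for a compartment and its sub-compartments with the OCI Python SDK, keeps ACTIVE problems at or above a chosen risk level, and writes them as CSV with per-risk counts for the report. The SDK call is isolated in fetch_problems(); the attribute names it reads (risk_level, region, detector_rule_id, resource_type, resource_name, resource_id, lifecycle_state, time_last_detected) follow the SDK's ProblemSummary model and should be checked against the version you install. The sample records, their OCIDs and rule ids are constructed for the example.

```python
"""Export Cloud Guard problems to CSV through the API.

Added example, not code from the Cloud Guard FAQ or from Oracle. The live call
uses the OCI Python SDK (oci.cloud_guard.CloudGuardClient.list_problems, paged
with oci.pagination.list_call_get_all_results); the attributes read from each
result follow the SDK's ProblemSummary model and should be checked against the
SDK version you install. Filtering and CSV shaping run offline on constructed
records, so the export logic is testable without a tenancy.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List

try:
    import oci  # only needed by fetch_problems(); everything else runs without it
except ImportError:
    oci = None

RISK_ORDER: Dict[str, int] = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "MINOR": 4}
COLUMNS = ["time_last_detected", "risk_level", "region", "detector_rule_id",
           "resource_type", "resource_name", "resource_id", "lifecycle_state", "id"]


@dataclass(frozen=True)
class Problem:
    """The subset of problem fields this export carries."""
    id: str
    risk_level: str
    region: str
    detector_rule_id: str
    resource_type: str
    resource_name: str
    resource_id: str
    lifecycle_state: str      # ACTIVE or INACTIVE
    time_last_detected: str   # ISO 8601


def fetch_problems(config: dict, compartment_id: str) -> List[Problem]:
    """Pull every problem under compartment_id, following all result pages.
    Needs the oci SDK and a config (e.g. oci.config.from_file()); not run offline."""
    if oci is None:
        raise RuntimeError("pip install oci")
    client = oci.cloud_guard.CloudGuardClient(config)
    resp = oci.pagination.list_call_get_all_results(
        client.list_problems, compartment_id, compartment_id_in_subtree=True)
    return [Problem(p.id, p.risk_level, p.region, p.detector_rule_id, p.resource_type,
                    p.resource_name, p.resource_id, p.lifecycle_state,
                    p.time_last_detected.isoformat()) for p in resp.data]


def select(problems: Iterable[Problem], min_risk: str = "HIGH",
           active_only: bool = True) -> List[Problem]:
    """Keep problems at or above min_risk (ACTIVE only by default), ordered most
    severe first and, within a risk level, newest first."""
    cutoff = RISK_ORDER[min_risk]
    kept = [p for p in problems
            if RISK_ORDER.get(p.risk_level, 99) <= cutoff
            and (not active_only or p.lifecycle_state == "ACTIVE")]
    kept.sort(key=lambda p: p.time_last_detected, reverse=True)
    kept.sort(key=lambda p: RISK_ORDER[p.risk_level])  # stable sort keeps time order
    return kept


def to_csv(problems: Iterable[Problem]) -> str:
    """Render problems as CSV text with a fixed header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for p in problems:
        writer.writerow({c: getattr(p, c) for c in COLUMNS})
    return buf.getvalue()


def count_by_risk(problems: Iterable[Problem]) -> Dict[str, int]:
    """Headline numbers for a report: problems per risk level."""
    counts: Dict[str, int] = {}
    for p in problems:
        counts[p.risk_level] = counts.get(p.risk_level, 0) + 1
    return counts


# Constructed records in the shape fetch_problems() returns; OCIDs and rule ids are made up.
SAMPLE_PROBLEMS: List[Problem] = [
    Problem("ocid1.cloudguardproblem.oc1..p1", "HIGH", "us-ashburn-1", "BUCKET_IS_PUBLIC",
            "Bucket", "logs-bucket", "ocid1.bucket.oc1.iad.b1", "ACTIVE", "2020-08-29T08:00:00Z"),
    Problem("ocid1.cloudguardproblem.oc1..p2", "CRITICAL", "us-phoenix-1", "SECURITY_LIST_SSH_OPEN",
            "SecurityList", "default-sl", "ocid1.securitylist.oc1.phx.s1", "ACTIVE", "2020-08-30T09:30:00Z"),
    Problem("ocid1.cloudguardproblem.oc1..p3", "LOW", "us-ashburn-1", "USER_HAS_API_KEYS",
            "User", "svc-deploy", "ocid1.user.oc1..u1", "ACTIVE", "2020-08-30T07:00:00Z"),
    Problem("ocid1.cloudguardproblem.oc1..p4", "HIGH", "us-ashburn-1", "BUCKET_IS_PUBLIC",
            "Bucket", "old-backups", "ocid1.bucket.oc1.iad.b2", "INACTIVE", "2020-08-28T12:00:00Z"),
    Problem("ocid1.cloudguardproblem.oc1..p5", "HIGH", "us-phoenix-1", "DB_SYSTEM_PUBLIC",
            "DbSystem", "analytics-db", "ocid1.dbsystem.oc1.phx.d1", "ACTIVE", "2020-08-30T11:45:00Z"),
]
```

Call fetch_problems(oci.config.from_file(), tenancy_ocid) once against the reporting region, then run select() and to_csv() locally. Pulling everything and filtering client-side keeps the export reproducible for auditors, and count_by_risk() gives headline numbers for the report without depending on the console.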

Cloud Guard Responders

20. What are Cloud Guard Responders?
Responders provide notifications and corrective actions for security problems. The Cloud
Guard Responder Activity page provides a complete overview of the current responder
activity for the tenancy.
