The workflow will take you through the scenario where you will create, run, update and delete a custom rule for the first time.
Workflow 1: creating, running, updating and deleting a custom rule
Before building your own custom rules, it is recommended that you use one of our templates
to demonstrate the key functionality.
- Duplicate your successful ‘Get company custom rules’ request. Change to ‘POST’ request type, rename as ‘Create a custom rule’ and click Save. This will be a POST command to an endpoint such as https://api.xdr.trendmicro.com/beta/cloudPosture/customRules
- Under the Body header in Postman, select Raw, ensure JSON format is selected > paste the below custom rule template > click Save. Postman also allows you to ‘Beautify’ the request body. This rule is a basic demo rule to check for S3 bucket encryption.

  {
    "name": "S3 bucket has any Encryption",
    "description": "We want to demonstrate Custom Rules V1",
    "categories": ["security"],
    "riskLevel": "MEDIUM",
    "provider": "aws",
    "enabled": true,
    "service": "S3",
    "resourceType": "s3-bucket",
    "remediationNote": "To remediate, follow these steps:\n1. Step one \n2. Step two\n",
    "attributes": [
      {
        "name": "bucketEncryption",
        "path": "data.Encryption",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "fact": "bucketEncryption",
              "operator": "notEqual",
              "value": null
            }
          ]
        },
        "description": "Bucket has encryption enabled"
      }
    ]
  }

- Click save and send. If successful, the response will return a 201 HTTP response. You have now saved the custom rule to your organization. The rule will now automatically run against the resource data in each of your relevant cloud accounts (in this case AWS) as part of the regular Cloud Risk Management scan process.
- To verify, go back to the previous ‘Get company custom rules’ query and run that request again. You should now see data returned in the response detailing the saved rule.
- Optional (environment and time dependent - otherwise skip to the next section): You can let the Cloud Risk Management scan one of your cloud accounts. The saved custom rule will automatically be picked up in the next scan and will produce checks in the same format as any other rule.
- Recommended (troubleshooting note): If you want to view the checks in the console, refresh the browser window after creating the custom rule to ensure the Cloud Risk Management web application loads the necessary data to display the checks correctly. Without this refresh, the Cloud Risk Management application may load only some of the data needed to display the checks correctly.
- After refreshing the browser, click the cloud account in the Cloud Risk Management > Misconfiguration and Compliance page and click ‘Browse All Checks’. Filter using the custom rule id to see your first custom rule live and active in your account.
Update, test, disable, and delete an existing saved custom rule
You can update, disable, and permanently delete saved custom rules. You can update
existing custom rules for basic configuration changes (e.g., riskLevel or category),
or more substantial changes, including rule logic. Updated rules will retain the checks
until the latest logic is run.
Note: Deleting rules will NOT immediately alter any related data, e.g., deletion/removal
of related checks. We recommend that you first disable the rule, i.e., set enabled:
false, and allow the Cloud Risk Management scan to run for one cycle before deleting.
This will allow the scan to remove related checks and complete any related tasks,
e.g., update statistics, close created JIRA/ServiceNow tickets, etc.
- Duplicate the POST query named ‘Create a custom rule’, change it to a PATCH request and rename it ‘Update custom rule’.
- Append /<custom-rule-id> to the URL, e.g. https://api.xdr.trendmicro.com/beta/cloudPosture/customRules/CUSTOM-QqVHDF6JVdUE
- Modify the body of the rule template by changing:
  a. Values for name (call the rule whatever you like) and riskLevel (e.g. change to LOW).
  b. Under rules → conditions → all → operator, change notEqual to equal (this will invert the rule logic).
- Click save and send. The existing rule will be updated, as shown in the response. You can confirm by re-running ‘Get company custom rules’.
- Test the newly updated rule by running Test custom rule configuration - you should notice a SUCCESS check replacing the earlier FAILURE check. If you let the rule run with the Cloud Risk Management scan, you will see the checks' data updated.
- As a final clean up, we will prepare to disable and delete the saved rule. We will first disable the saved rule, which will allow the Cloud Risk Management scan to handle tasks related to the removal of checks, e.g., delete related checks, update statistics, close created JIRA/ServiceNow tickets, etc. If no checks have been created for the custom rule, then proceed to step 8 to permanently delete the custom rule. Modify the body of the PATCH request ‘Update custom rule’ and change the enabled property to false.
- Click Send. The existing rule will be updated, as shown in the response. You can confirm by re-running ‘Get company custom rules’.
- Allow the Cloud Risk Management scan to run a complete cycle across accounts related to your custom rule.
- Duplicate the PATCH request ‘Update custom rule’, change it to a DELETE request and rename the new request to ‘Delete custom rule’.
- You can clear the body (optional), ensure the URL includes the custom rule id you want to delete from your company, then click save and send. You can re-check by re-running the ‘Get company custom rules’ query to see if the array of custom rules is empty.
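As an added example (not part of this guide and not the product's own rule engine), the Python below models how the demo rule's attribute path and condition from the template are evaluated against a resource record, and why flipping notEqual to equal in the update step turns the earlier FAILURE check into a SUCCESS. The resource record shapes are constructed, and the semantics (every condition under all holds gives SUCCESS, otherwise FAILURE) are an assumption inferred from the template and the test step.

```python
import copy

# Constructed sample: the page's demo rule, trimmed to the fields the evaluator reads.
DEMO_RULE = {
    "name": "S3 bucket has any Encryption",
    "enabled": True,
    "attributes": [{"name": "bucketEncryption", "path": "data.Encryption", "required": True}],
    "eventRules": [{
        "conditions": {"all": [{"fact": "bucketEncryption", "operator": "notEqual", "value": None}]},
        "description": "Bucket has encryption enabled",
    }],
}

# Constructed sample resource records; their nested shape is an assumption chosen only
# to satisfy the attribute path "data.Encryption".
ENCRYPTED_BUCKET = {"data": {"Encryption": {"Rules": [{"SSEAlgorithm": "AES256"}]}}}
UNENCRYPTED_BUCKET = {"data": {"Encryption": None}}

OPERATORS = {"equal": lambda a, b: a == b, "notEqual": lambda a, b: a != b}


def resolve_path(resource, path):
    """Walk a dotted attribute path; a missing key resolves to None."""
    node = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(rule, resource):
    """Return 'SUCCESS' when every condition under 'all' holds, else 'FAILURE' (assumed semantics)."""
    facts = {a["name"]: resolve_path(resource, a["path"]) for a in rule["attributes"]}
    for event in rule["eventRules"]:
        for cond in event["conditions"]["all"]:
            if cond["operator"] not in OPERATORS:
                raise ValueError(f"unsupported operator: {cond['operator']}")
            if not OPERATORS[cond["operator"]](facts[cond["fact"]], cond["value"]):
                return "FAILURE"
    return "SUCCESS"


def invert_operator(rule):
    """Model the PATCH step: flip notEqual <-> equal on a deep copy, leaving the original untouched."""
    updated = copy.deepcopy(rule)
    flip = {"notEqual": "equal", "equal": "notEqual"}
    for event in updated["eventRules"]:
        for cond in event["conditions"]["all"]:
            cond["operator"] = flip[cond["operator"]]
    return updated
```

A bucket whose record lacks the Encryption key altogether resolves to None and is treated the same as an explicit null, which is why the original rule reports FAILURE for it.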
