Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Cloud Security Posture Management is not available in this site.
Overview
To extend the rules being applied to your environment to evaluate your security posture, you can clone compliance rules and edit the copies, and you can create your own rules from scratch.
Cloning rules
To clone a rule:
- Find the rule you want to copy one of the following ways:
- Make any changes you want for your new rule.
- Scroll to the bottom of the details page and click Clone Rule.
Creating rules
To create a rule from scratch:
In Datadog, navigate to Security > Posture Management and click Compliance Rules.
Click New Rule in the upper-right.
Select Cloud Configuration as the rule type.
Specify the cloud resource types you are writing the rule for.
Write the rule logic using Rego, a policy-as-code language, either from scratch or by using the Datadog template. Read Writing Custom Rules with Rego for more information. Note that you can mark a resource as “pass”, “fail”, or “skip”. If you do not mark a resource, it will be interpreted as “skip”.
Exclude benign activity by specifying queries to include or remove certain resources from findings.
Validate the logic of your rule by selecting resources and clicking Test Rule. See which resources passed and failed, along with corresponding resource tags.
Specify a severity (Critical, High, Medium, Low, or Info) for the rule.
Select a facet (for example, for each resource type or for each account ID), and specify a notification target to signal.
In Say what’s happening, write a description for the notification, using notification options to make it useful. Read Notifications for details.
Specify tags to apply to the result findings. Read Tagging findings for more information.
Click Save Rule.
Tagging findings
When you create, clone, or modify CSPM compliance rules, you can specify tags to apply to findings so that you can group, filter, and search findings by those tags. When you clone a rule, some tags are carried forward into the new rule, and others are not (see table below).
You can assign almost any key-value as a tag. The following table shows tags that are useful in common security scenarios.
| Key | Valid values | Description |
|---|
scored | true, false | Indicates whether to include the rule when calculating organization’s overall posture score. Automatically added to cloned rules. |
security | compliance | Categorizes findings on the Security Signals page. Can’t be removed. |
requirement | String | Not allowed for custom rules. Indicates a requirement related to a compliance framework. Don’t add this to rules not part of a compliance framework. |
cloud_provider | aws, gcp, azure | Cannot be removed. Is set automatically based on resource type. |
control | String | Not allowed for custom rules. Indicates a control related to a compliance framework. Don’t add this to rules not part of a compliance framework. |
source | String from a defined set given by cloud providers as listed in the Source facet in CSPM Findings | Cannot be removed. Automatically added to cloned rules. Facilitates grouping rules by cloud provider. |
framework | String | Not allowed for custom rules. Indicates the compliance framework the rule belongs to. Not automatically added to cloned rules. |
Further reading
Documentation, liens et articles supplémentaires utiles:
