---
title: Create Custom Rules
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Cloud Security > Cloud Security Misconfigurations >
  Create Custom Rules
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Create Custom Rules

## Overview{% #overview %}

To extend the rules being applied to your environment to evaluate your security posture, you can clone compliance rules and edit the copies, and you can create your own rules from scratch. To view the list of the available resource types for your custom rules, see [Cloud Resources Schema](https://docs.datadoghq.com/infrastructure/resource_catalog/schema.md).

## Cloning rules{% #cloning-rules %}

To clone a rule:

1. Find the rule you want to copy by doing one of the following:
   - Navigate to the [Misconfigurations Rules](https://app.datadoghq.com/security/configuration/compliance/rules) page. Select a rule you want to copy to open its details page.
   - Navigate to the [Misconfigurations explorer](https://app.datadoghq.com/security/compliance). Select a misconfiguration to open its details, then select Edit Rule.
1. Make any changes you want for your new rule.
1. Scroll to the bottom of the details page and click Clone Rule.

## Creating rules{% #creating-rules %}

To create a rule from scratch:

1. Navigate to the [Misconfigurations Rules](https://app.datadoghq.com/security/configuration/compliance/rules) page.

1. Click New Rule in the upper-right.

1. Select Cloud Configuration as the rule type.

1. Specify the cloud resource types you are writing the rule for.

1. Write the rule logic using [Rego](https://www.openpolicyagent.org/docs/latest/), a policy-as-code language, either from scratch or by using the Datadog template. Read [Writing Custom Rules with Rego](https://docs.datadoghq.com/security/cloud_security_management/guide/writing_rego_rules.md) for more information. Note that you can mark a resource as "pass", "fail", or "skip". If you do not mark a resource, it will be interpreted as "skip".

   {% image
      source="https://docs.dd-static.net/images/security/cspm/custom_rules/custom_rules_first_half.7b34a1a9e8618806457faf8c32cf7276.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/security/cspm/custom_rules/custom_rules_first_half.7b34a1a9e8618806457faf8c32cf7276.png?auto=format&fit=max&w=850&dpr=2 2x"
      alt="Custom Rules Steps" /%}

1. Exclude benign activity by specifying queries to include or remove certain resources from misconfigurations.

1. Validate the logic of your rule by selecting resources and clicking Test Rule. See which resources passed and failed, along with corresponding resource tags.

1. Specify a severity (`Critical`, `High`, `Medium`, `Low`, or `Info`) for the rule.

1. In Say what's happening, write a description and instructions for investigating and remediating the Finding.

1. Specify tags to apply to the result misconfigurations. Read Tagging misconfigurations for more information.

1. Click Save Rule.

   {% image
      source="https://docs.dd-static.net/images/security/cspm/custom_rules/custom_rules_second_half.59cce2fead94f048a913bcc1d911fae3.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/security/cspm/custom_rules/custom_rules_second_half.59cce2fead94f048a913bcc1d911fae3.png?auto=format&fit=max&w=850&dpr=2 2x"
      alt="Custom Rules Steps" /%}

## Formatting the finding description{% #formatting-the-finding-description %}

The text you enter in Say what's happening is displayed in the finding side panel. When you write it as Markdown using the following section headers, each section is shown in a dedicated area of the finding:

| Header        | Where it appears in the finding                |
| ------------- | ---------------------------------------------- |
| `Description` | **What Happened**                              |
| `Rationale`   | **What Happened** (shown with the description) |
| `Remediation` | **Remediation** section                        |
| `References`  | Shown separately                               |

For example:

```markdown
## Description
Explain what the misconfiguration is.

## Remediation
Describe how to remediate it.
```

Keep the following in mind:

- All sections are optional and can appear in any order. A typical message uses only `## Description` and `## Remediation`.
- Use level-2 (`##`) headers for each section. Deeper headers (for example, `###`) are treated as sub-points within a section, not as new sections.
- Header matching is case-insensitive, but the section names must match exactly (for example, `Remediation`, not `Fix`).
- Give each section content. A header immediately followed by another header may not render as expected.
- If none of these headers are present, the entire message is shown as the description.

This formatting also applies to rules created with the [`datadog_cloud_configuration_rule`](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/cloud_configuration_rule) Terraform resource, where the same content is set through the resource's `message` attribute.

## Tagging misconfigurations{% #tagging-misconfigurations %}

When you create, clone, or modify Cloud Security Misconfigurations compliance rules, you can specify tags to apply to misconfigurations so that you can group, filter, and search misconfigurations by those tags. When you clone a rule, some tags are carried forward into the new rule, and others are not (see table below).

You can assign almost any key-value as a tag. The following table shows tags that are useful in common security scenarios.

| Key              | Valid values                                                                                                                                                         | Description                                                                                                                                          |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| `scored`         | `true`, `false`                                                                                                                                                      | Indicates whether to include the rule when calculating organization's overall posture score. Automatically added to cloned rules.                    |
| `security`       | `compliance`                                                                                                                                                         | Categorizes misconfigurations on the [Security Signals page](https://app.datadoghq.com/security/). Can't be removed.                                 |
| `requirement`    | String                                                                                                                                                               | Not allowed for custom rules. Indicates a requirement related to a compliance framework. Don't add this to rules not part of a compliance framework. |
| `cloud_provider` | `aws`, `gcp`, `azure`                                                                                                                                                | Cannot be removed. Is set automatically based on resource type.                                                                                      |
| `control`        | String                                                                                                                                                               | Not allowed for custom rules. Indicates a control related to a compliance framework. Don't add this to rules not part of a compliance framework.     |
| `source`         | String from a defined set given by cloud providers as listed in the [Source facet in the Misconfigurations explorer](https://app.datadoghq.com/security/compliance). | Cannot be removed. Automatically added to cloned rules. Facilitates grouping rules by cloud provider.                                                |
| `framework`      | String                                                                                                                                                               | Not allowed for custom rules. Indicates the compliance framework the rule belongs to. Not automatically added to cloned rules.                       |

## Further reading{% #further-reading %}

- [Start writing your own Rego rules](https://docs.datadoghq.com/security/cloud_security_management/guide/writing_rego_rules.md)
- [Explore default Cloud Security Misconfigurations cloud configuration compliance rules](https://docs.datadoghq.com/security/default_rules.md)
- [Learn about frameworks and industry benchmarks](https://docs.datadoghq.com/security/misconfigurations/frameworks_and_benchmarks.md)
