Custom Rules

Join the Beta!

Creating and using custom CSPM rules is a beta feature, available for select Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) cloud resources. See the cloud resources schema documentation for more information. New cloud resources will be added throughout the beta period.

Overview

To extend the set of rules applied to your environment when evaluating your security posture, you can clone existing detection rules and edit the copies, or create your own rules from scratch.

Cloning rules

To clone a rule:

  1. Find the rule you want to copy in one of the following ways:
  2. Make any changes you want for your new rule.
  3. Scroll to the bottom of the details page and click Clone Rule.

Creating rules

To create a rule from scratch:

  1. In Datadog, navigate to Security > Posture Management and click Detection Rules.

  2. Click New Rule in the upper-right.

  3. Select Cloud Configuration as the rule type.

  4. Specify the GCP resource types you are writing the rule for.

  5. Write the rule logic using Rego, a policy-as-code language, either from scratch or by using the Datadog template. Read Writing Custom Rules with Rego for more information. Note that you can mark a resource as “pass”, “fail”, or “skip”. If you do not mark a resource, it will be interpreted as “skip”.

  6. Exclude benign activity by specifying queries to include or remove certain resources from findings.

  7. Validate the logic of your rule by selecting resources and clicking Test Rule. See which resources passed and failed, along with corresponding resource tags.

  8. Specify a severity (Critical, High, Medium, Low, or Info) for the rule.

  9. Select a facet (for example, for each resource type or for each account ID), and specify a notification target to signal.

  10. In Say what’s happening, write a description for the notification, using notification options to make it useful. Read Notifications for details.

  11. Specify tags to apply to the result findings. Read Tagging findings for more information.

  12. Click Save Rule.

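The following Rego snippet is an added example of the pass/fail/skip logic described in step 5; it is not the Datadog template and not code from this page. It assumes a hypothetical resource type `storage_bucket` whose objects carry an `id`, a `tags` map and a boolean `public_access` attribute, and it assumes that evaluated resources are delivered under `input.resources[<type>]`; check the cloud resources schema documentation for the real field names and input shape.

```rego
# Added example, not Datadog's template. Flags a hypothetical storage bucket
# that allows public access. Field names below are illustrative assumptions.
package datadog

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Assumed resource shape:
#   {"id": "...", "tags": {"env": "..."}, "public_access": true|false}
#
# "skip": the resource is out of scope for this rule (here: a test bucket).
# "fail": the bucket is reachable publicly, which is the misconfiguration.
# "pass": public access is explicitly disabled.
# A resource that matches none of the branches leaves eval() undefined, so it
# produces no result and is treated as "skip", as the step above describes.
eval(resource) := "skip" if {
    resource.tags["env"] == "test"
} else := "fail" if {
    resource.public_access == true
} else := "pass" if {
    resource.public_access == false
}

# One verdict per evaluated resource, keyed by the assumed "id" field.
results contains result if {
    some resource in input.resources["storage_bucket"]
    result := {"resource_id": resource.id, "status": eval(resource)}
}
```

Ordering the branches with `skip` first keeps out-of-scope resources from ever being counted as failures, and testing `public_access == false` explicitly (rather than `not public_access`) means a resource missing the attribute is skipped instead of silently passing.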

Tagging findings

When you create, clone, or modify CSPM detection rules, you can specify tags to apply to findings so that you can group, filter, and search findings by those tags. When you clone a rule, some tags are carried forward into the new rule, and others are not (see table below).

You can assign almost any key-value as a tag. The following table shows tags that are useful in common security scenarios.

| Key | Valid values | Description |
| --- | --- | --- |
| scored | true, false | Indicates whether to include the rule when calculating the organization's overall posture score. Automatically added to cloned rules. |
| security | compliance | Categorizes findings on the Security Signals page. Can't be removed. |
| requirement | String | Not allowed for custom rules. Indicates a requirement related to a compliance framework. Don't add this to rules not part of a compliance framework. |
| cloud_provider | aws, gcp, azure | Cannot be removed. Is set automatically based on resource type. |
| control | String | Not allowed for custom rules. Indicates a control related to a compliance framework. Don't add this to rules not part of a compliance framework. |
| source | String from a defined set given by cloud providers, as listed in the Source facet in CSPM Findings | Cannot be removed. Automatically added to cloned rules. Facilitates grouping rules by cloud provider. |
| framework | String | Not allowed for custom rules. Indicates the compliance framework the rule belongs to. Not automatically added to cloned rules. |