Overview

To extend the rules being applied to your environment to evaluate your security posture, you can clone compliance rules and edit the copies, and you can create your own rules from scratch. To view the list of the available resource types for your custom rules, see Cloud Resources Schema.

Cloning rules

To clone a rule:

  1. Find the rule you want to copy by doing one of the following:
  2. Make any changes you want for your new rule.
  3. Scroll to the bottom of the details page and click Clone Rule.

Creating rules

To create a rule from scratch:

  1. Navigate to the Misconfigurations Rules page.

  2. Click New Rule in the upper-right.

  3. Select Cloud Configuration as the rule type.

  4. Specify the cloud resource types you are writing the rule for.

  5. Write the rule logic using Rego, a policy-as-code language, either from scratch or by using the Datadog template. Read Writing Custom Rules with Rego for more information. Note that you can mark a resource as “pass”, “fail”, or “skip”. If you do not mark a resource, it will be interpreted as “skip”.

    Custom Rules Steps
  6. Exclude benign activity by specifying queries to include or remove certain resources from misconfigurations.

  7. Validate the logic of your rule by selecting resources and clicking Test Rule. See which resources passed and failed, along with corresponding resource tags.

  8. Specify a severity (Critical, High, Medium, Low, or Info) for the rule.

  9. Select a facet (for example, for each resource type or for each account ID), and specify a notification target to signal.

  10. In Say what’s happening, write a description for the notification, using notification options to make it useful. Read Notifications for details.

  11. Specify tags to apply to the result misconfigurations. Read Tagging misconfigurations for more information.

  12. Click Save Rule.

    Custom Rules Steps

Tagging misconfigurations

When you create, clone, or modify CSM Misconfigurations compliance rules, you can specify tags to apply to misconfigurations so that you can group, filter, and search misconfigurations by those tags. When you clone a rule, some tags are carried forward into the new rule, and others are not (see table below).

You can assign almost any key-value as a tag. The following table shows tags that are useful in common security scenarios.

KeyValid valuesDescription
scoredtrue, falseIndicates whether to include the rule when calculating organization’s overall posture score. Automatically added to cloned rules.
securitycomplianceCategorizes misconfigurations on the Security Signals page. Can’t be removed.
requirementStringNot allowed for custom rules. Indicates a requirement related to a compliance framework. Don’t add this to rules not part of a compliance framework.
cloud_provideraws, gcp, azureCannot be removed. Is set automatically based on resource type.
controlStringNot allowed for custom rules. Indicates a control related to a compliance framework. Don’t add this to rules not part of a compliance framework.
sourceString from a defined set given by cloud providers as listed in the Source facet in the Misconfigurations Explorer.Cannot be removed. Automatically added to cloned rules. Facilitates grouping rules by cloud provider.
frameworkStringNot allowed for custom rules. Indicates the compliance framework the rule belongs to. Not automatically added to cloned rules.

Further reading