Managed Rules: More Details

Important

This page contains information for existing users of the F5 Distributed Cloud App Infrastructure (AIP) platform. For more information about rules and rule management, see Introduction to Rules.

Managed Rules is a complete overhaul of Distributed Cloud AIP's rule structure that makes rule components repeatable and transferable, both within a single organization and across the entire customer base. It includes a centralized library of rules that is maintained by internal experts and distributed to every organization that uses them. Additional functionality includes new features such as lookup lists and reusable suppressions.

Distributed Cloud AIP prides itself on providing the latest detection methods to our clients by regularly releasing new rules and rule updates. The new Managed Rules system streamlines this process by ensuring that your organizations receive the latest rules and rule filters in real time.

Once enrolled, select rules in your organization will synchronize with Distributed Cloud AIP's centrally-maintained ruleset. New rules will immediately be available in your organization upon release, with no need to receive a traditional rule push or manual update.

While we are excited about delivering meaningful detection methods at a rapid pace, we are not changing the existing, highly customizable rules system. Any custom rules you have configured will remain in your environment. Additionally, you will still be able to create custom rules and clone Managed Rules to make custom adjustments.

Enrollment and Conversion Process

Contact your Customer Success team to begin the enrollment into Managed Rules. Once enrolled, your Security Solutions Engineer will:

  1. Back up all current rules and suppressions in your organization.
  2. Sort all rules in your organization in order to:
    1. Identify custom rules to exclude during the conversion process.
    2. Identify rules that match with a new Managed Rule. These rules will be marked as candidates for conversion, meaning that they will be replaced with a Managed Rule that has the same functionality. Any custom suppressions currently attached to these rules will migrate to the new Managed Rule.
  3. Migrate the rules identified for conversion to Managed Rules.

Your Customer Success team will reach out to you once enrollment completes. Distributed Cloud AIP will closely monitor alert activity and volume to ensure that any new filters and/or rules provide meaningful information.

Identify Managed Rules

The current Rules page does not have a direct way to identify whether a rule is managed or unmanaged. You can check by attempting to change the Rule Name: once you click Save, if the rule name reverts to the original and your change is not saved, the rule is managed.

The new Rules page, which will be released shortly, identifies Managed Rules by adding a label beside the rule name:

(Image: managed-rule-label.png, the label shown beside a Managed Rule's name)

Early access to the new Rules page is available now. Please contact your Customer Success team to request access.

Anatomy of a Managed Rule

A Managed Rule contains certain read-only fields that the Distributed Cloud AIP Rule Design team controls, maintains, and updates. The following fields of a Managed Rule are read-only:

  • Rule name
  • Rule and alert descriptions
  • Managed rule classifiers (You may attach and remove your own classifiers but cannot remove the classifiers included with the rule)
  • Managed rule suppressions (You may attach and remove your own suppressions but cannot remove the suppressions included with the rule)
  • Rule filter

The following fields are fully customizable:

  • Enable/Disable
  • Alert severity
  • Alert title and alert frequency (except for Supervised Learning rules)
  • Aggregate fields
  • Unmanaged (custom) suppressions and classifiers
  • Ruleset

(Image: rule-breakdown.png, breakdown of a Managed Rule's read-only and customizable fields)

FAQs

For a list of frequently asked questions, see the Managed Rules FAQ.
