Managed Rules FAQ

Where can I view a list of Managed Rules in Distributed Cloud AIP?

The current Rules page does not include functionality to list all managed rules in an organization. You can test whether an individual rule is managed or unmanaged by attempting to change the Rule Name. Once you click save, if the rule name reverts to the original name and does not save your changes, then the rule is managed.

If you are using the new (early access) Rules page, type "managed" in the search bar. All Managed Rules in the organization display. You can view the description and other details for each Managed Rule when you expand the rule details drawer (click the arrow in the left column of the rule).

Early access for the new Rules page is available now. Please contact your Customer Success team to request access.

What happens when a new rule is deployed via the Managed Rules system?

As soon as Distributed Cloud AIP releases a new Managed Rule, it is inserted into your rule list in real time. Once it is available, you can enable the rule, clone the rule, and edit certain rule parameters (see Anatomy of a Managed Rule). A future release will include functionality that allows you to automatically enable new rules in your organization as Distributed Cloud AIP adds them.

How will we be notified of changes or additions to Managed Rules?

See Rule Release and Changelog for Managed Rule updates.

Later this year, Distributed Cloud AIP plans to introduce Rule Change Tracking functionality, which will allow you to view who changed a rule, which user executed the change, and when the change occurred, along with other details. This functionality will be available for both managed and unmanaged rules.

Are Managed Rules tested prior to deployment?

Yes. Managed Rules are tested against Distributed Cloud AIP's robust data set of events to ensure that all rules provide meaningful data.

Can I opt out of Managed Rules?

You may elect to defer the migration process. Please be aware that by deferring the migration, you are responsible for all rule maintenance in your organization.

How will this impact my experience?

You will see two distinct types of rules: managed and unmanaged.

  • Managed rules include specific read-only fields that Distributed Cloud AIP's rule design team centrally manages. These rules are periodically updated to enhance rule filters, classifiers, titles, and descriptions so that customers receive the most accurate information.
  • Unmanaged rules are not managed by Distributed Cloud AIP. You can fully customize unmanaged rule titles, descriptions, classifiers, filters, and suppressions to fit your infrastructure’s unique needs.

How do I identify a managed rule? 

The current Rules page does not have a direct way to identify whether a rule is managed or unmanaged. You can check whether a rule is managed or unmanaged by attempting to change the Rule Name. Once you click save, if the rule name reverts to the original name and does not save your changes, then the rule is managed.

The new Rules page, which will be released shortly, identifies Managed Rules by adding a label beside the rule name.

Distributed Cloud AIP controls specific fields for managed rules, including the title, description, filter, managed suppressions, and managed classifiers, which means that these fields are not editable. For more information about which rule fields are fixed and which you can customize, see Anatomy of a Managed Rule.

Can I set my own alerting properties and rulesets?

Yes. The only restricted (read-only) fields for managed rules are the title, description, rule filter, and managed suppressions and classifiers. All other fields, including alerting properties and rulesets, are organization-specific.

Can we leverage tags within the new rules?

The new rules system allows for a more inclusive and overarching process to utilize the workload metadata fields within the Agent, and allows for more accurate labeling of servers across your infrastructure. For more information, see About Environment Tags.

How do I know I am leveraging all the possible Managed Rules? 

Distributed Cloud AIP lists all available Managed Rules on the new Rules page. From the rule list, you can enable any rule by enabling the toggle in the Status column and, if desired, customizing the organization-specific properties.

Early access for the new Rules page is available now. Please contact your Customer Success team to request access.

What if I want to remove a managed rule? 

You can disable a managed rule by disabling the toggle in the Status column of the rule list, or delete the rule to remove it from your organization entirely.

Can I still create my own rules?

Yes. No functionality for the existing custom rule creation process is changing.

Can I clone a managed rule?

Yes, but please note that the cloned rule will no longer be in a managed state and will not receive updates from Distributed Cloud AIP's rule design team.
