Rule Creation Overview
F5 Distributed Cloud App Infrastructure Protection (AIP) collects raw event data from your environment and delivers it to your Distributed Cloud AIP organization for processing. Distributed Cloud AIP uses the managed rules you implement and/or the unmanaged rules you create to initiate alerts based on the information you want reported. Your defined rule suppressions determine whether you receive notifications about behavior you consider normal.
Optionally, you can create rulesets in which to store related rules. Rulesets can help to organize the rules and alerts in your organization.
You can configure the following unmanaged rule types in Distributed Cloud AIP:
- Linux
- CloudTrail
- File
- Hostless
- Kubernetes
- Netflow
- Windows
Linux rules monitor events generated from general activity in the operating system (OS), including kernel activity, network activity, and user activity.
CloudTrail rules monitor your connected Amazon Web Services (AWS) CloudTrail service, including IAM policy changes, excessive API calls, and denied access.
For additional information, see Get Started with CloudTrail Alerting.
You can set up File (FIM) rules to monitor changes to critical files on your system, including file opens, file deletes, configuration file changes, and system file changes.
For additional information, see File Integrity Monitoring Overview.
Note
Enabling recursive monitoring for a specific file path allows Distributed Cloud AIP to monitor changes in that directory and its subdirectories.
If you include a backslash (\) character in a FIM rule, then performance issues may occur. Do not include the backslash (\) character in your FIM rules.
The Distributed Cloud AIP Agent depends on inotify to populate FIM events. Due to inotify limitations, Distributed Cloud AIP cannot provide information about the user that triggers a FIM Create, Delete, or Move event. Additionally, inotify cannot distinguish between events that inotify triggers and events that other processes trigger. As a result, the Distributed Cloud AIP Linux Host Agent will not provide the following information for FIM Create, Delete, or Move events:
- containerID
- containerImage
- containerLabel
- gid
- group
- pid
- ppid
- session
- uid
Hostless rules correlate to the hostlessProcess event type, which monitors serverless infrastructure, such as AWS Lambda and AWS Fargate.
Kubernetes rules monitor role, role binding, and cluster role binding events, as well as events generated from orchestration activity related to node, pod, and container actions, such as creations and modifications.
Netflow rules correlate to the hostlessNetflow event type, which monitors serverless infrastructure, such as AWS Lambda and AWS Fargate.
Windows rules monitor events generated from general activity in the operating system (OS), including kernel activity, network activity, and user activity.
You can clone current rules into the ruleset to which they belong, then alter or update them to monitor for new events. For information, see Clone Existing Rule.