Rule Creation Overview
F5 Distributed Cloud App Infrastructure Protection (AIP) collects raw event data from the Agents installed on your machines and delivers it to Distributed Cloud AIP to be processed. Distributed Cloud AIP uses the rules you create to initiate alerts based on the information you want reported. Your defined suppressions determine whether you are notified about behavior you consider normal.
Rulesets can be thought of as buckets inside which rules are built. Suppressions are attached directly to a rule. In most cases a server must be associated with a ruleset before a rule in that ruleset can initiate an alert (the current exception is CloudTrail rules, which rely on tags).
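The ruleset, suppression and server-association logic described above, modelled as an added Python example (this is not Distributed Cloud AIP's own code; the data model, field names and sample events are assumptions made for illustration):

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    rule_type: str                 # e.g. "host", "file", "cloudtrail"
    match: dict                    # event fields that must all be present
    suppressions: list = field(default_factory=list)  # field sets that mark "normal" behaviour
    tags: set = field(default_factory=set)            # CloudTrail rules are scoped by tag

@dataclass
class Ruleset:
    name: str                      # the "bucket" that holds rules
    rules: list
    servers: set = field(default_factory=set)  # servers associated with this bucket

def _matches(pattern, event):
    return all(event.get(k) == v for k, v in pattern.items())

def evaluate(event, rulesets):
    """Return the alerts one raw Agent event would raise (illustrative model)."""
    alerts = []
    for rs in rulesets:
        for rule in rs.rules:
            if rule.rule_type == "cloudtrail":
                # CloudTrail rules are not tied to a server; they rely on tags
                in_scope = bool(rule.tags & set(event.get("tags", ())))
            else:
                # all other rules need the server to be in the ruleset bucket
                in_scope = event.get("server") in rs.servers
            if not in_scope or not _matches(rule.match, event):
                continue
            # a suppression on the rule silences behaviour considered normal
            if any(_matches(s, event) for s in rule.suppressions):
                continue
            alerts.append(f"{rs.name}/{rule.name}")
    return alerts

# Constructed sample configuration: a host rule with one suppression, and a CloudTrail rule
SAMPLE_RULESETS = [
    Ruleset("prod", [Rule("sudo_use", "host", {"type": "user", "command": "sudo"},
                          suppressions=[{"user": "backup"}])], servers={"web-1"}),
    Ruleset("aws", [Rule("iam_policy_change", "cloudtrail",
                         {"eventName": "PutUserPolicy"}, tags={"aws-prod"})]),
]

# Constructed sample events (not real Agent or CloudTrail output)
SAMPLE_EVENTS = {
    "alice_sudo":   {"server": "web-1", "type": "user", "command": "sudo", "user": "alice"},
    "backup_sudo":  {"server": "web-1", "type": "user", "command": "sudo", "user": "backup"},
    "unassigned":   {"server": "web-9", "type": "user", "command": "sudo", "user": "alice"},
    "iam_change":   {"eventName": "PutUserPolicy", "tags": ["aws-prod"]},
}
```

Running `evaluate` over each sample event shows that only `alice_sudo` and `iam_change` alert: the `backup` user is suppressed and `web-9` is not associated with any ruleset.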
You can configure the following rule types in Distributed Cloud AIP:
Host rules monitor events generated from general activity in the Operating System (OS). Examples include kernel activity, network activity, and user activity. For additional information about configuring a host rule, see:
File rules are for monitoring file changes and integrity of the files themselves. In addition to creating the rule, you need to define the path and the events to monitor.
Examples include file opens, file deletes, configuration file changes, and system file changes. For additional information about configuring a file integrity rule, see Create a File Integrity Rule.
A CloudTrail rule is a rule built specifically to monitor your connected Amazon Web Services (AWS) CloudTrail service.
Examples of CloudTrail rules include IAM policy changes, too many API calls, and access denied. For additional information about configuring a CloudTrail rule, see Get Started with CloudTrail Alerting.
Distributed Cloud AIP provides a database of known threats that your rules can reference.
Examples of Threat Intelligence rules are inbound or outbound IP connections, or system vulnerabilities unveiled after an Agent scan. For additional information about configuring a threat intelligence rule, see Create Threat Intelligence Rule Types.
Cloning lets you copy an existing rule and alter it, or update it to catch new events. For additional information, see Clone Existing Rule.
Kubernetes Audit rules monitor events generated from orchestration activity related to node/pod/container actions, such as creations and modifications. For additional information about configuring a Kubernetes Audit rule, see Create a Kubernetes Audit Rule.
Kubernetes Config rules monitor role, role binding, and cluster role binding events, which are generated periodically. For additional information about configuring a Kubernetes Configuration rule, see Create a Kubernetes Configuration Rule.