Creating Rules
Overview
Rules are the fundamental building block of the Compliance configuration. The first step is to create Rules that reflect the organization's policies. Rules vary in complexity: they can be as simple as enforcing password complexity on a device, checking whether a switch port is enabled, verifying that an interface has a description, or confirming that the SNMP server community string is properly defined.
Motadata AIOps provides out-of-the-box (OOTB) rules for the CIS framework along with the flexibility to create custom rules that apply to the organization. Each Rule has a unique Rule ID that identifies it.
Navigation
Go to Menu, select Settings, then go to Compliance Settings and select Rules. The Compliance Rules screen is displayed.
Rules Screen
All the out-of-the-box Rules according to the CIS framework are visible here. Users can view Rule details and clone any Rule; only Custom Rules can be edited or deleted. A new Custom Rule can also be created from this screen.
The following fields are visible on the screen:
Field | Description |
---|---|
Rule | Name of the Rule. |
Description | Description for the Rule. |
Tag | Tags defined to the particular Rule. |
Rule Type | Displays the type of the rule. |
Actions | Users can only clone the default Rule(s). Actions you can perform on Custom Rule: - Edit: Edit the rule to change its properties. - Clone: Clone the rule and its properties. - Delete: Delete the rule. |
Create a Custom Rule
By default, Motadata AIOps provides out-of-the-box Rules. Should organizational needs require it, a user can create a custom rule by clicking the Create Rule button.
A Rule is created in two steps: first configure the Audit & Remediation Properties, then define general properties such as name, description, severity, impact, and other details. Let's look at creating a rule step by step:
1. Audit & Remediation Properties
On the Audit & Remediation screen, enter the details below. Since the configuration options vary by Rule Check-in type, let's look at each of them separately:
- Config File
- CLI
When creating a Rule using Config File, a Rule Configuration must be chosen. Since the parameters differ by configuration type, let's explore them one at a time:
- Basic
- Advanced
The Basic Rule Configuration lets the user define a Condition, a Result Pattern, and the number of occurrences of the result pattern in the Config File, and set a Remediation Action based on those parameters.
Field | Description |
---|---|
Rule Check in | Click on Config File. |
Rule Configuration | Select the Basic option. |
Condition | Two condition options are available: - Should Not Contain: Motadata AIOps applies the Rule only to devices whose config file does not contain the Result Pattern. - Should Contain: Motadata AIOps applies the Rule only to devices whose config file contains the Result Pattern. Multiple conditions can also be added. |
Result Pattern | Enter the command or string pattern to be matched in the config file. |
Occurrence | Use the dropdown to select the number of occurrences of the Result Pattern that Motadata AIOps should match in the config file. |
Operation | If there is more than one condition in the Rule, select the operation used to combine them: - OR: the Rule passes if either condition matches. - AND: the Rule passes only if both conditions match in the config file. |
The Advanced Rule Configuration lets the user define a Condition, Block Criteria, a Result Pattern, and the number of occurrences of the result pattern in the Config File, and set a Remediation Action based on those parameters.
Field | Description |
---|---|
Rule Check in | Click on Config File. |
Rule Configuration | Select the Advanced option. |
Block Start | Define the notation which signifies start of a block present in the Config File. |
Block End | Define the notation which signifies end of a block present in the Config File. |
Add Block Condition | Users can also define a condition to be checked inside a block of the config file, using the Block Condition. Note that this condition is independent of the Result Pattern. - Condition: Select the condition type using the dropdown. - Result Pattern: Enter the command or pattern to be matched inside the block. |
Condition | Select the condition type using the dropdown. |
Result Pattern | Enter the string pattern to be matched in the config file. |
Occurrence | Use the dropdown to select the number of occurrences of the Result Pattern that Motadata AIOps should match in the config file. |
Operation | If there is more than one condition in the Rule, select the operation used to combine them: - OR: the Rule passes if either condition matches. - AND: the Rule passes only if both conditions match in the config file. |
The Command-Line Interface (CLI) option allows the user to check configurations that are not explicitly present in the configuration file and can only be verified by executing a command on the device's command-line interface.
Field | Description |
---|---|
Rule Check in | Select the CLI option. |
Command | Enter the command to execute on the device's command-line interface. Use a read-only command (for example, a show command): the Rule only needs to inspect the output, not change the device. |
Condition | Select the condition type using the dropdown. |
Result Pattern | Enter the string pattern to be matched against the command output on the device's command-line interface. |
Occurrence | Use the dropdown to select the number of occurrences of the Result Pattern that Motadata AIOps should match in the command output (the device's current settings). |
Operation | If there is more than one condition in the Rule, select the operation used to combine them: - OR: the Rule passes if either condition matches. - AND: the Rule passes only if both conditions match in the command output. |
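The three check types above (Basic, Advanced and CLI) all reduce to the same evaluation: count matches of a Result Pattern in some text, compare against the Condition and Occurrence, and combine conditions with AND or OR; the Advanced type first cuts the config into blocks. The following Python is an added illustration of that evaluation written for this page, not Motadata AIOps code. It assumes the Result Pattern is a regular expression, that Occurrence means "at least this many matches", and that a Block Condition selects which blocks are in scope; the sample config and command output are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config excerpt; it is not taken from the page.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
snmp-server community public RO
!
interface GigabitEthernet0/1
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 transport input ssh
!
"""

# Constructed output of a "show ip ssh" style command, used for the CLI check.
SAMPLE_CLI_OUTPUT = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs\n"


@dataclass
class Condition:
    """One Condition row: a Result Pattern (treated as a regular expression, an
    assumption), Should Contain / Should Not Contain, and an Occurrence count
    (assumed to mean 'at least this many matches')."""
    pattern: str
    should_contain: bool
    occurrence: int = 1

    def holds(self, text: str) -> bool:
        n = len(re.findall(self.pattern, text, flags=re.MULTILINE))
        return n >= self.occurrence if self.should_contain else n == 0


def evaluate(conditions, text, operation="AND"):
    """Basic rule or CLI rule: combine the conditions with the Operation (AND or OR)."""
    results = [c.holds(text) for c in conditions]
    return all(results) if operation == "AND" else any(results)


def split_blocks(text, block_start, block_end):
    """Cut the config into blocks: a line matching block_start opens one and a line
    matching block_end closes it (the closing line is not part of the block)."""
    blocks, current = [], None
    for line in text.splitlines():
        if current is None:
            if re.match(block_start, line):
                current = [line]
        elif re.match(block_end, line):
            blocks.append("\n".join(current))
            current = None
        else:
            current.append(line)
    if current:
        blocks.append("\n".join(current))
    return blocks


def evaluate_advanced(text, block_start, block_end, block_conditions, conditions,
                      operation="AND"):
    """Advanced rule. Block Conditions (assumed) select which blocks are in scope;
    every in-scope block must then satisfy the main conditions. Returns (compliant,
    first line of each failing block) so offending blocks can be remediated."""
    failing = []
    for block in split_blocks(text, block_start, block_end):
        if block_conditions and not evaluate(block_conditions, block, "AND"):
            continue  # block is out of scope for this rule
        if not evaluate(conditions, block, operation):
            failing.append(block.splitlines()[0])
    return len(failing) == 0, failing


if __name__ == "__main__":
    # Basic: no default SNMP community string AND a vty line must be configured.
    snmp = Condition(r"^snmp-server community (public|private)\b", should_contain=False)
    vty = Condition(r"^line vty", should_contain=True)
    print("basic AND:", evaluate([snmp, vty], SAMPLE_CONFIG, "AND"))  # False: community is public
    # Advanced: every interface block that is not shut down needs a description.
    print("advanced:", evaluate_advanced(
        SAMPLE_CONFIG, r"^interface ", r"^!",
        [Condition(r"^\s*shutdown$", should_contain=False)],
        [Condition(r"^\s*description \S", should_contain=True)]))  # (True, [])
    # CLI: the command output must report SSH version 2.
    print("cli:", evaluate([Condition(r"SSH Enabled - version 2\.0", True)], SAMPLE_CLI_OUTPUT))
```

Returning the first line of each failing block is what makes the Advanced result actionable: a Remediation Runbook needs to know which interface to fix, not only that the Rule failed. Note that without the block condition the shut-down interface GigabitEthernet0/2 would be reported as non-compliant, which is the kind of false positive a Block Condition is there to suppress.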
Remediation Action
Remediation Action allows users to take corrective action when a defined rule is violated by attaching a Runbook to the Rule. Users can execute the Runbook manually if a rule is violated. Because a Runbook changes device configuration, review it before attaching it to a Rule.
Field | Description |
---|---|
Action to be taken | Select a runbook using the drop down to attach with the Rule. |
Create Runbook | Create a Runbook on-the-fly to attach it to the Rule. |
Click Next once all parameters have been configured to proceed to the second step.
Click Reset to clear all fields and start afresh.
2. General Properties
In this step, enter all the general details regarding the Rule. The following fields are displayed on the screen:
Field | Description |
---|---|
Rule Name | Enter a unique and descriptive name for the Rule to help you easily identify it. |
Rule Description | Enter a brief explanation about Rule's purpose which can help clarify the rule's intent. |
Rule Severity | There are five severity levels that can be assigned to a Rule. Below is a gist of them: - Critical: Immediate attention needed to prevent major disruptions or security breaches. - High: Serious risk that requires prompt remediation to avoid significant issues. - Medium: Moderate risk with a potential impact on system performance or security. - Low: Minor issues that contribute to overall improvement but are not urgent. - Info: Informational, serving as a guideline or best practice with no direct impact. |
Tags | Define a tag for the Rule to categorize or group them with similar rules. |
Rationale | Enter a justification for the rule that explains the importance of the rule for maintaining compliance. |
Impact | Mention the consequence on the system if the rule is violated. Typically, this information is derived from compliance frameworks (CIS, PCI, SOX). |
Default Value | Enter the default values applicable for the rule. |
References | Documents, links, or guidelines from compliance frameworks or other source material can be mentioned here. |
Additional Information | Mention any supplementary details necessary for understanding or implementing the rule in this field. |
Select Create Rule to create the rule.
Select Reset to clear all fields and start afresh.