Rules and Rulesets

All CloudGuard components (Posture Management, Intelligence, and Image Assurance) use a combination of rulesets to test your environments. Rulesets contain rules, which are individual tests of a function in your environment. For example, a rule can test whether a password policy is enforced.

Rulesets Management

There are two types of rulesets management:

Severity Levels

Each CloudGuard finding has its own triggers and conditions. The information below describes the general criteria and implications that reflect a finding's risk.

CloudGuard assigns each finding one of five severity levels:

  • Informational - There is no security or infrastructure risk. Administrator awareness is recommended.

  • Low - There is no security or infrastructure risk. The response is based on best practices.

  • Medium - A possible security risk exists. Action is required in reasonable time.

  • High - This may lead to a possible risk. Immediate action is required.

  • Critical - An asset is compromised. Immediate action is required.

Severity Criteria and Implications

The three criteria below define and affect these severity levels:

  1. Infrastructure exposure: The finding shows an infrastructure exposure that is not necessary and that can provide attackers a possible ground for exploitation.

    • None - There is no risk of infrastructure exposure.

    • May lead - Some conditions can cause infrastructure exposure.

    • Exists - There is an infrastructure exposure.

  2. Information disclosure: The finding describes an information disclosure, which can lead to sensitive data exfiltration and can be used maliciously.

    • None - There is no risk of information disclosure.

    • May lead - Some conditions can cause infrastructure exposure.

    • Exists - There is an information disclosure.

  3. Possible impairment: The finding describes a lead to infrastructure or information impairment, in terms of security, misconfiguration, or maintenance.

    • None - There is no risk of impairment.

    • May lead - Some conditions can cause infrastructure exposure or information impairment.

    • Exists - There is a lead for an infrastructure or information impairment.

In addition, each severity level correlates with two implication levels:

  1. Level of required action:

    • None - No action is required.

    • Advised - The response is based on best practices.

    • Not immediate - Action is required in a reasonable time.

    • Immediate - Immediate action is required.

  2. Compromised assets:

    • None - The asset is not compromised.

    • Compromised - The asset is vulnerable.

Severity Matrix

The table below shows the relationship between each severity level and the mentioned criteria and implications. For each finding, its severity is defined by the highest severity that meets a minimum of one criterion.

Table columns: Severity; Criterion (Infrastructure Exposure, Information Disclosure, Possible Impairment); Implication (Compromised Asset, Action Level).

Malicious IP Classification

For rules that identify malicious IPs, CloudGuard uses Check Point's ThreatCloud technology. The table below explains the meaning of each IP category.




The service could not classify the IP. There is not sufficient data about this resource.


The IP domains operate in the gray areas of the law, collect private data on users, and show unwanted content or a website that contains a sub-application to download.


The IP domains contain malicious software, for example, hacking websites.


Legitimate IP that is not malicious.

CnC Server

Command and control of malware.

Compromised Server

Legitimate IP that was hacked and operates a malicious function.


The IP domains attempt to get sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), frequently for malicious reasons, by masquerading as a trustworthy entity in electronic communication.

Infection Source

The IP domains can infect their visitors with malware.

Web Hosting

The IP domains allow you to rent out space for websites to have your business in.

File Hosting

The IP domains allow you to rent out space for storage to have your business in.


The IP domains permanently do not have content. Possibly, they contain advertising content on pages that have been registered but do not (at this time) have initial content.


The IP is a known Internet scanner.


The IP is a known Tor (The Onion Router) anonymity proxy server.


The IP domains are used for crypto mining.


The IP domains are used for spam.

Compromised Host

The victim's IP.

CloudGuard Rules Repository

CloudGuard Compliance Engine is an end-to-end security and compliance solution for assessment, remediation, and continuous security compliance enforcement. The CloudGuard GSL (Governance Specification Language) is a syntax to configure cloud security and compliance rules that can be applied in assessments for your environments with the CloudGuard Compliance Engine.

The Cloud Security Posture Repository is a shared security and compliance knowledge platform for AWS, Azure, GCP, and Kubernetes. It provides an evolving set of security and compliance best practices, curated and developed by CloudGuard. The controls include risk and remediation details needed for security governance and compliance with public cloud environments.