Configuring CloudGuard Exclusions
You can exclude specific findings from the results of assessments or vulnerability scanning, manually triggered compliance assessments, and Continuous Posture assessments. Exclusions are available in these CloudGuard solutions:
- CSPM
- CIEM
- CDR
- Image Assurance (Vulnerabilities)
- Admission Control
With exclusions, you can control the findings and show only those applicable to you. After you create an exclusion, the findings that match the exclusion parameters do not appear in the calculation of the assessment result statistics. Excluded findings are not sent as notification messages (by email, SNS, etc.) to external systems.
Typical reasons to create exclusions:
- Exclude findings from unrelated rules, for specific or for all environments. For example, when you use preconfigured CloudGuard rulesets, some rules may not apply to your environments, and you can create exclusions to adjust them.
- Provide temporary correction for rules that require adjustments.
- Stop generation of findings for specific entities.

Best Practice - Do not overuse exclusions. If you need a large number of exclusions to control your assessment results, consider adjusting your rulesets instead, so that they better fit the current state of your cloud environments.
On the Exclusions page, use the Filter and Search toolbar to select the parameters by which to filter the exclusion table. Only exclusions that match the parameters show up in the exclusion table.
You can use these preconfigured filters:
- Platform - Select an environment platform.
- Environment/OU - Select one or more environments or organizational units.
- Rulesets - Select from the available rulesets.
- Rules - Select from the available rules.
- Status - Select currently Active exclusions (in the Date Range) or Inactive exclusions (out of the Date Range).
- Severity - Select from the available alert severity objects.
There are two methods to create an exclusion:
- Full - Create a new empty exclusion and enter all the required parameters manually.
- Based on assessment results or findings - Some of the parameters exist; you can edit them and complete the missing parameters.
To create a new exclusion with the full procedure:
- Navigate to one of the relevant menu items (CSPM, CIEM, Workload Protection > Vulnerabilities or Admission Control, or CDR > Threat Monitoring) and click Exclusions.
- Click Create New Exclusion in the top right.
- Select the Ruleset to which you apply the exclusion. CloudGuard shows only applicable rulesets. This parameter is mandatory.
- Enter your comment to distinguish between different exclusions. The comment is a mandatory parameter.
- Select at least one characteristic whose findings should be excluded from the results. The list below contains all available parameters; your type of exclusion may have only some of them:
  - Environment or Organization unit - Exclude findings that correspond to an asset from a specific environment or organization unit. The field shows only environments that match the platform of the selected ruleset.
  - Regions - Select one or more regions where you want the exclusion to apply.
  - Date range - Select the time frame during which the exclusion takes effect. If you do not select the date range, the exclusion applies permanently.
  - Rule - Exclude findings that correspond to a specific rule. Select the rule from the list based on the selected ruleset. If you do not select a rule, the exclusion applies to all rules. The rule severity applies to the exclusion automatically, so you cannot configure it separately.
  - Entity - Exclude findings that correspond to specific entities. Enter the entity name or ID. You can enter one or more entity names. Start to type the entity name to see and select a matching option. You can include the wildcard '%' in the entity name to include a group of entities. For example, %s3% matches all entities with 's3' in their name.
  - Account number - Exclude findings that correspond to an AWS account with a specific number.
  - Tags - Exclude findings that contain specific tags (key + value).
  - Alerts severity - Exclude findings that have a specific severity. You cannot select a rule when you select the alert's severity, because each rule has its severity level.

  Note - The exclusion characteristics apply to the finding with the AND logic. For example, if you set the date range, rule, and account number, the finding is excluded from the assessment if it matches all the parameters at the same time. That is, it matches the configured ruleset and the specified date range and the specified rule and it has the specified account number. To apply the characteristics with the OR logic, create more exclusions.
- Click Save.
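The matching rules from the Note above, modelled as an added Python example (not CloudGuard code): characteristics inside one exclusion combine with AND, and OR is obtained only by creating more exclusions. The dictionary field names, the sample values, the inclusive date range, case-sensitive '%' matching and OR between several entity names are assumptions of this sketch.

```python
import re
from datetime import date

def like(pattern, value):
    """'%' stands for any run of characters, so '%s3%' means "contains s3"."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value) is not None

def matches(exclusion, finding, today):
    """AND logic: every characteristic that is set must match the finding."""
    if exclusion["ruleset"] != finding["ruleset"]:
        return False
    if "date_range" in exclusion:          # no date range = applies permanently
        start, end = exclusion["date_range"]
        if not start <= today <= end:
            return False
    if "rule" in exclusion and exclusion["rule"] != finding["rule"]:
        return False                       # no rule = applies to all rules
    if "account" in exclusion and exclusion["account"] != finding["account"]:
        return False
    if "entities" in exclusion and not any(
            like(p, finding["entity"]) for p in exclusion["entities"]):
        return False
    return True

def is_excluded(exclusions, finding, today):
    """OR logic exists only across separate exclusions."""
    return any(matches(e, finding, today) for e in exclusions)

def breadth_notes(exclusion):
    """Point out the unset fields that widen an exclusion."""
    notes = []
    if "date_range" not in exclusion:
        notes.append("permanent")
    if "rule" not in exclusion:
        notes.append("all rules")
    return notes

# Constructed sample data; names and numbers are placeholders.
EXCLUSIONS = [
    {"ruleset": "demo-ruleset", "rule": "bucket-logging", "account": "111111111111",
     "date_range": (date(2024, 1, 1), date(2024, 3, 31))},
    {"ruleset": "demo-ruleset", "entities": ["%s3%"]},
]
FINDING = {"ruleset": "demo-ruleset", "rule": "bucket-logging",
           "account": "222222222222", "entity": "prod-s3-archive"}
```

The first exclusion does not hide FINDING because the account number differs, while the second one hides it permanently and for every rule in the ruleset, which is the kind of breadth that breadth_notes reports.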
To create an exclusion based on existing parameters:
A simpler procedure to create an exclusion is to start the procedure directly from an assessment (Creating Exclusions from Assessment), finding (Creating Exclusion for Finding), or GSL rules. In the Create New Exclusion window, some parameters appear configured as they are in your assessment or finding.
Parameters for CDR
CDR exclusions have these additional parameters:
- Source or Destination IP - Exclude findings that have a specific Source or Destination IP address, IP range, or use saved IP lists. For more information about IP lists, see Custom Resources.
- Source or Destination Port Range - Exclude findings that have a specific Source or Destination Port or Port Range.
Parameters for Vulnerabilities
Vulnerability exclusions have these additional parameters:
- Finding Type - Select one of these types:
  - Package - Enter the package name, version, or path.
  - Malware - Enter the name or path.
  - Insecure Content - Enter the path or payload-sha256.
Parameters for Admission Control
Admission Control exclusions have these additional parameters (filters):
- Annotation
- Namespace - The namespace where the agents are installed can be referred to with the variable CHECKPOINT_NAMESPACE.
- Role
- Service Account
- Label

Important - To optimize the ruleset, the workload object model considers only the containers section of the YAML. This ensures the enforcement of a rule on all workload types: pods, deployments, daemonsets, etc. This means that labels on the top-level metadata are not considered; only labels on the container metadata are inspected.
For example, if the label “app: test” is added as an exception, the workload and its pods are created. However, if the label “app: test-pod” is added, the workload is created, but its pod is not.
To edit an exclusion:
- Navigate to one of the relevant menu items (CSPM, CIEM, Workload Protection > Vulnerabilities or Admission Control, or CDR > Threat Monitoring) and click Exclusions.
- Select an exclusion to edit and click Edit on the top bar.

To delete an exclusion:
- Navigate to one of the relevant menu items (CSPM, CIEM, Workload Protection > Vulnerabilities or Admission Control, or CDR > Threat Monitoring) and click Exclusions.
- Select an exclusion to delete and click Delete on the top bar.
You can use the API to configure a new exclusion. For more information, see the CloudGuard API Reference Guide - https://docs.cgn.portal.checkpoint.com/reference/complianceexclusion_post_post_v2complianceexclusion.
For logicExpressions strings, use a combination of these expressions:
- name like 'PackageName' and category = 'Package'
- version like 'PackageVersion' and category = 'Package'
- package-manager.path like 'PackageManagerPath' and category = 'Package'
- (scannedAsset.entityName like 'entityName1' or scannedAsset.entityName like 'entityName2') and category = 'Package' (up to 10 entities)
- files contain [file-path like 'FilePath'] and category = 'InsecureContent'
- files contain [contents contain [payload-sha256 like 'InsecureContentPayloadSha256']] and category = 'InsecureContent'
- name like 'MalwareName' and category = 'Malware'
- files contain [file-path like 'FilePath'] and category = 'Malware'
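A pre-submission check for the expression forms listed above, as an added Python example (not part of the CloudGuard API or documentation): it parses one expression into its category, field and values, rejects anything that is not one of the listed forms, and enforces the 10-entity limit. The function name is hypothetical, quote escaping inside values is not described on this page and is therefore rejected, and each string is checked on its own because the page does not say how several expressions combine.

```python
import re

VALUE = "'([^']*)'"   # one quoted value; embedded quotes are treated as invalid
TEMPLATES = [          # (category, field, listed form with {} in place of the quoted value)
    ("Package", "name", "name like {} and category = 'Package'"),
    ("Package", "version", "version like {} and category = 'Package'"),
    ("Package", "path", "package-manager.path like {} and category = 'Package'"),
    ("InsecureContent", "path",
     "files contain [file-path like {}] and category = 'InsecureContent'"),
    ("InsecureContent", "payload-sha256",
     "files contain [contents contain [payload-sha256 like {}]]"
     " and category = 'InsecureContent'"),
    ("Malware", "name", "name like {} and category = 'Malware'"),
    ("Malware", "path", "files contain [file-path like {}] and category = 'Malware'"),
]
# Escape the literal text of each form and splice the value pattern into the gap.
FORMS = [(c, f, re.compile(VALUE.join(map(re.escape, t.split("{}")))))
         for c, f, t in TEMPLATES]
ENTITY = r"scannedAsset\.entityName like '[^']*'"
ENTITY_FORM = re.compile(rf"\(({ENTITY}(?: or {ENTITY})*)\) and category = 'Package'")
MAX_ENTITIES = 10

def parse_expression(expr):
    """Return (category, field, [values]) for one listed form, else raise ValueError."""
    for category, field, pattern in FORMS:
        m = pattern.fullmatch(expr)
        if m:
            return category, field, [m.group(1)]
    m = ENTITY_FORM.fullmatch(expr)
    if m:
        names = re.findall(r"like '([^']*)'", m.group(1))
        if len(names) > MAX_ENTITIES:
            raise ValueError(f"{len(names)} entities, the limit is {MAX_ENTITIES}")
        return "Package", "entity", names
    raise ValueError(f"not one of the listed forms: {expr!r}")
```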