Managing Custom Rules - UI

Fugue’s Custom Rules page allows you to create, edit, and delete custom rules. This document explains how to do all of the above. Note that to test custom rules, you’ll need to use the Fugue API.

Note

For API instructions, see Creating, Testing, and Managing Custom Rules – API.

Just looking for info on writing custom rules? See Writing Custom Rules.

Ready to begin? Below are general instructions for creating and managing custom rules with Fugue via the Custom Rules page (UI).


Creating Custom Rules - UI

Note

For API instructions, see Creating Custom Rules - API.

1. Select Rules in the top right of the UI, then select Custom Rules and click the Create New Custom Rule button. The Create New Custom Rule page displays, as shown below.

_images/create-custom-rule-page.png

2. Enter a name for your rule. The name entered here displays in the Control field on the Compliance by Control page for your environments. Refer to Viewing Compliance Results for more information.

3. Enter a description for your rule. The description entered here displays in the Description field on the Compliance by Control page for your environments. Refer to Viewing Compliance Results for more information.

4. Select a severity level for your rule. The severity entered here displays in the Severity field on the Compliance by Resource page for your environments.

5. Select the Cloud Provider. The selected cloud provider determines the resource types that display in the Resource Types drop-down. Note: For Azure or Azure Government, select Azure.

6. Select the Resource Type from the drop-down. This is the resource type that you want your custom rule to evaluate. Refer to Writing Custom Rules for more information.

7. In the rule definition, enter your Rego. Refer to Writing Custom Rules for more information.

8. Optionally, click the Validate Rego button. If your rule has invalid syntax, an error displays, similar to what is shown below. Fix the invalid syntax now, or save your rule and edit it later.

_images/Invalid_Rule_Validate_Endpoint.png
  • If the rule has valid syntax, it displays similar to what is shown below.

_images/Valid_Rule_Validate_Endpoint.png

9. Click the Create Custom Rule button. When created, a custom rule with valid syntax is set to an “enabled” status and is automatically applied to all environments on subsequent scheduled scans.

  • If the rule contains invalid syntax, an error modal displays, similar to what is shown below. You can choose to fix the rule now or later. Custom rules that contain invalid syntax are set to an “invalid” status and are not automatically run against your environments until there are no syntax errors.

_images/Syntax_Error_Modal.png

Note

You can manually kick off a scan for an environment to see the result of your custom rule against the specified environment. Refer to the FAQ for more information.

Modifying and Deleting Custom Rules - UI

Note

You cannot modify the cloud provider for an existing custom rule. If you would like to create a rule with a different cloud provider, you need to create a new custom rule.

Note

For API instructions, see Modifying and Deleting Custom Rules - API.

Below are general instructions for modifying or deleting custom rules with Fugue in the UI.

To edit or delete a custom rule in the UI, navigate to the Custom Rules tab and find the ellipsis ... next to the custom rule you want to edit or delete:

_images/Modify_Delete_Custom_Rule.png

You can edit the following fields:

  • Name

  • Description

  • Severity

  • Resource type

  • Rule definition (Rego code)

Viewing Compliance Results - UI

Note

For API instructions, see Viewing Compliance Results - API.

All custom rules with valid syntax automatically run against your environment on the next scheduled scan. After the scheduled scan runs or is kicked off manually, navigate to the Compliance by Control tab. The Custom compliance standard displays for your environment. You can filter by Custom to only view the results for your custom rule(s).

_images/Custom_Compliance_Family.png

Additionally, the three compliance tabs allow you to take a deeper dive into why your custom rule is passing or failing.

Compliance by Resource - UI

Viewing compliance by resource is only supported in the UI, not the API.

Custom rules display as shown below on the Compliance by Resource tab.

_images/Compliance_by_Resource_Custom.png

Clicking on a noncompliant resource displays its details, as shown below. The description you entered for the rule on the Create Custom Rule page displays under Rule and the name you entered displays under Associated Compliance Control.

_images/Compliance_By_Resource_Custom_Rules.png

Compliance by Resource Type - UI

For API instructions, see Compliance by Resource Type - API.

Custom rules display as shown below on the Compliance by Resource Type tab.

_images/Compliance_by_ResourceType.png

Clicking on a noncompliant resource type displays its details, as shown below. The name you entered for the rule on the Create Custom Rule page displays in the Control column and the description you entered displays in the Description column.

_images/Custom_Compliance_Family_Modal.png

Compliance by Control - UI

For API instructions, see Compliance by Control - API.

Custom rules display as shown below. The name you entered for the rule on the Create Custom Rule page displays in the Control column and the description you entered displays in the Description column.

_images/Compliance_by_Rule.png

Clicking on a failed rule displays its details, as shown below. The name you entered for the rule is listed at the top and the description is in the Rule Message column.

_images/Custom_Rule_Compliance_Modal.png

Waiving Custom Rules - UI

Waiving custom rules is currently only supported in the UI, not the API.

You can waive a custom rule the same way you’d waive any other rule. See How to Waive a Rule for instructions and Waiving Rules to learn more about waivers.

For examples of simple and advanced custom rules, see our GitHub repo.