Policies (Preview)

The vast quantity of security issues Panoptica can discover, assess, and reveal in your cloud environment can quickly lead to "information overload". Without a consistent methodology for applying security controls across your cloud resources, all the data in the world isn't going to prevent data breaches, unauthorized access, service disruptions, or worse.

Panoptica's Global Policy Framework enables you to turn this information into action, by applying policies to manage it in a structured approach. Proper application of security policies can help you monitor regulatory compliance, enforce internal policies, and respond effectively to emerging threats.

Viewing Rules

In the Panoptica console, navigate to the Policies tab under Management to view all of the policies in Panoptica, and start generating your own.

The Policies tab is pre-loaded with hundreds of rules from across Panoptica's modules, exposing the built-in rules that Panoptica uses to secure your resources out-of-the-box. In addition to providing visibility into Panoptica's security posture rules, this also enables you to identify content updates, by sorting according to the Last Updated field.

While you cannot edit the Panoptica rules, you can customize their application by assigning them to custom frameworks and categories that you define. You can also create or edit your own rules to gain visibility into your organization's specific policies or compliance by utilizing specific environment parameters like tags and naming conventions. Custom rules appear alongside built-in rules in the Policies tab as well.

The default view displays all of the rules available for viewing. Select one of the "quick filters" – Security Graph or Posture Risk – to filter the results by that engine. The number beside the title indicates the number of rules in each engine.

You can further refine the results using predefined filters and open search.

  • Use the drop-down Filters option to narrow the results by: Engine, Severity, Status, and Frameworks & Categories.
  • Use the Search bar to look for a text string in a rule name. To clear the search, click the ×.

You'll find a few icons in the upper right corner of the table for managing the list:

  • Click the Grouped by button to aggregate the list by Framework.
  • Click the circle-arrow icon (↻) to Reload the table, without the need to refresh the whole page.
  • Select which columns are displayed, and in which order, by clicking the Arrange Columns button (▥).

Rule Properties

The table displays the rules in the following columns:

  • Rule Name
    A short textual name given to a rule, which must be unique across your environment. The table can be sorted alphabetically by Rule Name.
  • Engine
    The backend mechanism responsible for detecting and enforcing each set of policy rules.
  • Severity
    The severity of the rule’s results. The table can be sorted by this field.
  • Results
    The number of matching results for the rule. Clicking on the Results value will open a new browser tab displaying all the results for this rule in the relevant Panoptica page.
  • Action
    The action Panoptica performs once the rule logic is observed.
  • Status
    Whether a policy rule is enabled or disabled.
  • Last Updated
    The date and time that the policy rule was updated. The table can be sorted by this field.

Click the three dots (⁝) at the end of any rule in the table to open a drop-down list of actions you can perform on that rule.

  • Copy Link is useful for sharing the rule details with others in your team.
  • Edit enables you to make changes to your own rules. Options are limited when editing built-in rules, but this is where you can associate them to your custom frameworks.

Frameworks and Rules

A single rule – whether built-in or custom – can be associated with more than one custom framework.

You can only attach or detach rules to custom frameworks, as the built-in frameworks are pre-defined by the Panoptica team.

  • Delete removes your own rules; it is grayed out for built-in Panoptica rules.

Rule Details

Click on any row in the Rules table to open the Rule details view, which is made up of three sections:

  • Rule Logic: the conditions that trigger the rule. For your own custom rules, you'll see the logic you defined when creating the rule. For system rules, like Posture Risk or Compliance, you'll see the query logic in common syntax, as defined by Panoptica's engineers.
  • Rule Info: additional details, including remediation information (when available) and severity.
  • Rule Execution: how the rule behaves when triggered.

Create Custom Frameworks

A security framework is a structured set of controls designed to ensure that your information systems and processes meet security standards or compliance requirements specific to your industry, or internal policies specific to your organization. Panoptica's Compliance Framework is an example of applying industry-standardized frameworks to your cloud environment. Here is where you can create your own frameworks.

Permissions required

Users must have an Owner or Ops role in Panoptica to create custom frameworks.

An Ops user can edit/delete custom frameworks that they created; an Owner can edit/delete any custom framework in your tenant. Panoptica system frameworks cannot be edited or deleted.

See User Management for details on User Roles.

Click the + Add Custom Framework button at the top of the Policies tab to start defining customized frameworks and categories.

In addition to the overall framework, you can also define a hierarchy of structured categories, which could provide visibility into whether your organization is compliant with each and every category. A category (sometimes called a "section") is a set of controls in a single security framework containing a list of specific rules organized by a logical unit or purpose. For example, categories in the "AWS CIS framework" include IAM, Storage, and Logging.

Any custom framework you define will only be available in your own environment.

  • Framework Name
    A short textual name given to a framework. The name must be unique across your environment.
  • Description
    A longer text that explains the motivation for this framework. This is also where you can store notes regarding the categories, etc.
  • Created by
    This will always default to the logged-in user.
  • + Add Category
    You can add up to two levels of categories to any framework.
    You can also associate rules with categories here, selecting either built-in system rules or the custom rules that you have defined.

Click Save Changes when you're done.

Create Custom Rules

You can create your own rules in Panoptica to gain visibility into your organization's specific policies or compliance by utilizing specific environment parameters like tags and naming conventions. Custom rules appear alongside built-in rules in the Policies tab as well.

Permissions required

Users must have an Owner or Ops role in Panoptica to create custom rules.

An Ops user can edit/delete custom rules that they created; an Owner can edit/delete any custom rule in your tenant. Panoptica system rules cannot be edited or deleted.

See User Management for details on User Roles.

Click the + Add Rule button at the top of the Policies tab to start building your own custom policy rules, with actions, conditions, and operators.

The Add Rule dialog box is where you define the rule logic, provide additional details about the rule, and define how it is executed.

Logic

The rule logic defines the conditions which will trigger the rule when it runs, according to the execution parameters defined below. Select one of three Panoptica engines to start defining the rule:

  • Security Graph
  • CI/CD
  • Workload Security

Expand the relevant section below for details on defining the rule logic for each engine.

Security Graph

The rule logic for the Security Graph engine is based on the Query Builder at the heart of the Security Graph feature. You can create custom rules that integrate your assets with security insights from across Panoptica's modules: CSPM, KSPM, API Security, and more. By adding advanced filters and relationship mapping between assets, you can customize rules on which to build your policies.

Start by clicking Asset or Security Insights, and selecting which you want to start with: one or more assets, or a Panoptica security insight.

  • If you choose Assets, browse the list to find the Category, Asset Type, and/or Native Type (i.e. specific asset) you want to include in your query.
    After selecting the base asset(s) for your query, you can filter the results according to specific criteria by clicking Properties. Alternatively, you can map linkage between different assets in your environment by clicking Relationship, or identify connections between your assets and Panoptica's Security Insights.
  • The Security Insights option is where you correlate between the asset(s) in your query and Panoptica's security findings. By integrating Attack Paths or Risk Findings or Vulnerabilities that Panoptica has discovered with the assets you've selected, the Query Builder enables you to tailor the rule to your specific needs.

See the Discovery Graph Query Builder documentation for further details.

To view the results of your Security Graph query in graphic form as you construct it, click Show in Security Graph.

CI/CD

Use the CI/CD engine to define custom rules that monitor your code base for potential risks. By setting conditions for those findings, you can enforce custom policies, prioritize vulnerabilities, and effectively assess risks to your software development lifecycle.

After choosing CI/CD, select the Finding type from the dropdown list:

  • IaC misconfigurations
  • Vulnerabilities
  • Secrets
  • Code weaknesses

Then select the condition that will trigger the rule – count, file, or package – and set the parameters for that condition. You can add more than one condition.

Workload Security

Use the Workload Security engine to define custom rules that detect events in your Kubernetes workloads that could pose a risk to your environment. These rules can help you identify vulnerabilities and security findings, to ensure continuous protection and security compliance of your Kubernetes workloads.

After choosing Workload Security, select one of the parameters from the dropdown list:

  • Workload Name
  • Workload Label
  • Vulnerability Severity
  • Security Findings Severity

Then define the condition for each parameter that will trigger the rule. You can include as many as four conditions in each rule.

Rule Info

This is the section where you provide details about the rule.

  • Rule Name
    A short textual name given to a rule. The name must be unique across your environment.
  • Description
    A longer text that explains the motivation for this rule. This is also where you can store notes regarding the logic, execution, etc.
  • Remediation
    Enter any remediation steps or actions that should be displayed when this policy is triggered.
  • Severity
    The severity of the rule’s results.
  • Created by
    This will always default to the logged-in user.

Rule Execution

Once the rule is defined, you need to decide how it is to be applied to your environment.

  • Frequency
    The interval at which this rule will be applied. This can vary according to the selected engine, and is aligned to Panoptica's scheduled scans.
  • Status
    Select whether the rule should be Enabled or Disabled.
  • Scope
    The selection of elements on which the rule is run.
  • Framework
    Select the frameworks and/or categories that this rule is to be associated with. You can attach the rule to more than one custom framework, but you cannot associate it with the built-in frameworks defined by the system.

Don't forget to click Create Rule when you're done.