Troubleshooting Cloud Guard

Use troubleshooting information to identify and address common issues that can occur while working with Oracle Cloud Guard service.

No Problems Detected

Fix enablement problems that prevent Cloud Guard from detecting problems.

You have completed the steps in Enabling Cloud Guard, and no problems start to appear on the Problems page after about 30-60 minutes.

Ensure that a Detector Recipe Is Added to the Target

Steps in Enabling Cloud Guard force you to define a target, by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select either an OCI Configuration Detector Recipe or an OCI Activity Detector Recipe, then no detectors were added to the target. Without adding at least one detector to the target, no problems can be reported.

See Editing an OCI Target and Its Attached Recipes.

Some Categories of Problems Not Detected

Fix enablement problems that prevent Cloud Guard from detecting all categories of problems.

You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but an entire category of problems still is not appearing.

Ensure that a Detector Recipe Is Added to the Target for Each Category

If you skipped select a detector recipe for particular problem category in Enabling Cloud Guard, then a detector recipe for that problem category is not added to the target. If a detector for a particular problem category is not added to the target, Cloud Guard doesn't detect problems for that category.

See Editing an OCI Target and Its Attached Recipes.

No Events Generated

Fix enablement problems that prevent Cloud Guard from generating events.

You have completed the steps in Enabling Cloud Guard, and problems are appearing on the Problems page, but no events are being generated for the Notifications service to pick up (see Configuring Notifications).

Note

Only new problems that Cloud Guard detects trigger event notifications. To trigger event notifications for older problems:
  1. Locate the problem's row on the Problems page.

    See Listing Problems and Getting Their Details.

  2. Select the checkbox on the left end of the row for the problem.

    You can select additional problem to be processed in one operation.

  3. Click Mark as resolved at the top of the problems list.

    A trigger is fired for the event rule that you marked as resolved, if the conditions are met to classify it as a new problem. See Problem Lifecycle.

Ensure that the OCI Responder Recipe Is Added to the Target

Steps in Enabling Cloud Guard force you to define a target, by specifying Compartments To Monitor in the OCI tenancy. If you didn't also select the OCI Responder Recipe, then the Cloud Event responder rule in the OCI Responder Recipe is unable to send events to the Notifications service.

See Editing an OCI Target and Its Attached Recipes.

Can't Process PSM Problems

You can't dismiss or resolve problems related to the PaaS Service Manager (PSM) compartment (named ManagedCompartmentForPaaS).

You have completed the steps in Enabling Cloud Guard and all categories of problems are appearing on the Problems page. You are able to dismiss or resolve all problems, except problems related to the PSM compartment.

For more information on the ManagedCompartmentForPaaS compartment, see Resources Created in Your Tenancy by Oracle.

Create a Support Ticket to Provide Special Privileges

The PSM service controls access to the PSM compartment in your OCI tenancy, so the policies required by Cloud Guard do not affect your access through Cloud Guard to resources in the PSM compartment. To obtain the privileges necessary to dismiss or resolve problems related to the PSM compartment:

  1. Create an Oracle support ticket.
  2. Provide the following details on how these privileges necessary for Cloud Guard:
    • OCI tenancy ID
    • OCIDs of the Cloud Guard problems that you are trying to dismiss
  3. The PSM and the OCI Identity team then add the following policy:

    allow group administrators to use cloud-guard-problems in compartment managedcompartmentforpaas

    Note

    This is a special compartment, for which the ability to resolve Cloud Guard problems can only be granted to an administrative group.
  4. After the support team informs you that they've added the policy, you can dismiss and resolve problems with the PSM compartment.

"Not Authorized Or Not Found Exception" on API Call

Your API call fails with NotAuthorizedOrNotFoundException error.

Note

These issues involve the Cloud Guard reporting region.

The Cloud Guard reporting region is NOT the same thing as the OCI home region.

To see the reporting region, from the Cloud Guard options panel on the left, select Settings.

To see the region that you are in, drop down the regions list at the top of the page.

Situation 1: When making API calls outside your Cloud Guard tenancy's reporting region:

  • API READ calls are successful.
  • All CREATE, UPDATE, and DELETE calls fail with NotAuthorizedOrNotFoundException error.

Situation 2: When making API LIST calls that don't specify the reporting region, some calls fail with NotAuthorizedOrNotFoundException error.

Situation 1: Make CREATE, UPDATE, and DELETE API Calls Only on the Reporting Region

By design, CREATE, UPDATE, and DELETE API calls are only allowed on the reporting region. Avoid making these types of API calls outside the reporting region.

Situation 2: When Making LIST API Calls, Specify the Reporting Region

While some LIST API calls do not require the reporting region to be passed as a parameter, you can avoid the NotAuthorizedOrNotFoundException error by always passing the reporting region in LIST API calls.

If you get the NotAuthorizedOrNotFoundException error on an API LIST call where you didn't pass the reporting region, reissuing the call with reporting region passed should clear the error.

Oracle-Managed Resources Not Visible

After enabling Cloud Guard through the Cloud Guard API or CLI, no Oracle-managed resources appear in the Cloud Guard console.

If the API call or CLI command that enables Cloud Guard passes selfManageResources as true, none of the default Oracle-managed detector recipes, responder recipes, or managed lists appear in the Cloud Guard console UI.

You can't reverse the effect of enabling Cloud Guard with selfManageResources as true, so you have only two options to fix this problem:

  • Disable and re-enable Cloud Guard.
    1. Disable Cloud Guard through the console. See Managing Cloud Guard Settings.
    2. Re-enable Cloud Guard through the console. See Steps to Enable Cloud Guard.

      Or you can enable Cloud Guard again thru the API or CLI.

    This approach is usually best, especially if you catch the problem soon after Cloud Guard is enabled, and before much data has been ingested.

  • Create user-managed versions of Oracle-managed resources, using Cloud Guard API calls or CLI commands. See steps in the next section.

    This approach is best if you intentionally enabled Cloud Guard with selfManageResources as true.

Using Cloud Guard API or CLI to Creat User-Managed Resources

Details in the following steps are specific for using the Cloud Guard API.

  1. Use UpdateConfiguration to enable Cloud Guard by explicitly setting selfManageResources to true.

  2. Invoke the following operations to list resources by including resourceMetadataOnly query parameter as true:
  3. Use value of id field from the previous API response when invoking the following create operations:

    The id field in response of create operation is the OCID of the Oracle-managed resource: detector recipe, managed list, or responder recipe.

    The OCIDs generated in the preceding steps can be used when configuring target. See CreateTarget.