Create a Ruleset
This guide walks you through creating a new ruleset in AttackLens. Rulesets define the specific security checks that evaluate your assets and generate findings.
INFO
Requires Admin role or the Create Ruleset permission.
Before You Begin
Before creating a ruleset, determine:
- What security requirement this ruleset will verify
- Which inventory dataset type contains the data you need to check
- The specific property path, operator, and expected value for the check
- Whether the check requires prerequisites (e.g., specific OS or installed software)
Step 1: Navigate to the Ruleset Form
- Go to Rulesets in the left navigation menu
- Click the Add Ruleset button in the top-right corner
Step 2: Configure Main Data
Status Toggle
At the top of the form, set the Active toggle:
- Active (default): The ruleset will be evaluated when assigned to a policy
- Inactive: The ruleset is saved but not evaluated
Rule Type
Select the evaluation mode:
| Type | When to Use |
|---|---|
| Automated | The check can be fully evaluated using collected inventory data |
| Hybrid | Some checks are automated, but final determination requires human input |
| Manual | The check requires manual assessment by a security analyst |
Required Fields
| Field | Required | Description |
|---|---|---|
| Title | Yes | A clear, concise description of the requirement (e.g., "Ensure minimum password length is 14 characters") |
| Description | No | Detailed explanation of what this ruleset checks and its security context |
| Impact | No | Explanation of the security risk if this check fails |
| Solution | No | Step-by-step remediation guidance for resolving a failing check |
TIP
Write the title as an actionable requirement starting with "Ensure..." or "Verify...". This makes findings easier to understand. Fill in the Impact and Solution fields to give your team clear remediation guidance.
Step 3: Add References (Optional)
References link the ruleset to external documentation, standards, or benchmarks.
- Click Add Reference
- Enter the reference URL or text (e.g., https://www.cisecurity.org/benchmark/... or CIS Benchmark v3.0, Section 5.4.1)
- Add as many references as needed
Step 4: Add Tags (Optional)
Tags help categorize and filter rulesets. Type a tag and press the comma key to add it.
Common tagging conventions:
- Framework tags: iso-27001, gdpr, soc2, cis-benchmark
- Technology tags: ssh, password-policy, firewall, tls
- Severity tags: critical, high, medium, low
Step 5: Define Variables (Optional)
Variables parameterize your checks, making rulesets more reusable.
- Click Add Variable
- Fill in the variable details:
| Field | Description |
|---|---|
| Name | A unique identifier (e.g., min_password_length) |
| Type | Data type: string, bool, int, float, or entry |
| Value | The default value for this variable |
Example: A variable min_password_length of type int with value 14 can be referenced in check expected values.
Step 6: Define Prerequisites (Optional)
Prerequisites are conditions that must be met before this ruleset is evaluated on an asset. If prerequisites are not satisfied, the ruleset is skipped (no finding is generated).
To add a prerequisite:
- Click Add Prerequisite
- Configure the check node:
- Title: What this prerequisite verifies
- Dataset Type: The inventory data source (e.g., InstalledPackage, OsInfo)
- Property Path: The property to evaluate
- Operator: The comparison operator
- Expected Value: The required value
To add compound prerequisites:
- Click Add Condition (AND/OR)
- Select the logical operator
- Add child checks within the condition
INFO
If no prerequisites are defined, the ruleset runs on every asset where the parent policy is evaluated. Use prerequisites to ensure the ruleset is only evaluated where applicable.
Step 7: Add Checks
Checks are the core evaluation logic of the ruleset. Each check verifies a specific condition against inventory data.
Adding a Simple Check
- Click Add Check
- Configure the check node:
| Field | Required | Description |
|---|---|---|
| Title | Yes | A description of what this check verifies |
| Dataset Type | Yes (or Resource Type) | The inventory dataset to evaluate (e.g., SecurityPolicy, InstalledPackage) |
| Resource Type | Yes (or Dataset Type) | Alternatively, a cloud resource type for adapter data |
| Filter | No | Optional filter to narrow which records are evaluated |
| Property Path | Yes | The JSON property path within the dataset record (e.g., normalizedData.minLen) |
| Operator | Yes | The comparison operator (equals, greaterThan, contains, etc.) |
| Expected Value | Depends on operator | The value to compare against |
Adding Condition Nodes
For checks that require multiple conditions:
- Click Add Condition (AND/OR)
- A condition node is created with the selected logical operator
- Add child checks within the condition node (minimum 2 children required)
Example Check Structure
For a ruleset checking SSH configuration:
AND
  Check: "SSH protocol version is 2"
    Dataset: SecurityPolicy
    Property: normalizedData.protocol
    Operator: equals
    Expected: "2"
  Check: "SSH root login is disabled"
    Dataset: SecurityPolicy
    Property: normalizedData.permitRootLogin
    Operator: equals
    Expected: "no"
WARNING
Each check must have a Title, an Operator, and either a Dataset Type or a Resource Type. The form validates these requirements before saving.
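To make the node types from Steps 5 through 7 concrete, here is a small Python model of evaluating one ruleset (variables, prerequisites, and an AND/OR check tree) against a single asset's inventory. It is an added example written for this page, not AttackLens's evaluation engine: the `${name}` variable-reference syntax, the filter form (property path must equal a value), the record shape with a `normalizedData` object, the rule that every matching record must pass, and the sample inventory are all assumptions. Only equals, greaterThan and contains are operators this guide names; the others are added for illustration, and Resource Type checks are not modelled.

```python
from typing import Any, Callable

# Constructed inventory for one Linux asset, keyed by dataset type (assumed shape).
INVENTORY: dict[str, list[dict[str, Any]]] = {
    "OsInfo": [{"normalizedData": {"family": "linux"}}],
    "InstalledPackage": [{"normalizedData": {"name": "openssh-server", "version": "9.6p1"}},
                         {"normalizedData": {"name": "curl", "version": "8.5.0"}}],
    "SecurityPolicy": [{"normalizedData": {"protocol": "2", "permitRootLogin": "no", "minLen": 12}}],
}

# The guide names equals, greaterThan and contains; the rest are assumed extras.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "greaterThan": lambda actual, expected: actual > expected,
    "greaterThanOrEqual": lambda actual, expected: actual >= expected,
    "contains": lambda actual, expected: expected in actual,
    "exists": lambda actual, _expected: actual is not None,
}


def get_path(record: dict[str, Any], path: str) -> Any:
    """Walk a dotted property path like 'normalizedData.minLen'; None if absent."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve(expected: Any, variables: dict[str, Any]) -> Any:
    """Replace a '${name}' reference (assumed syntax) with the variable's typed value."""
    if isinstance(expected, str) and expected.startswith("${") and expected.endswith("}"):
        return variables[expected[2:-1]]
    return expected


def evaluate_node(node: dict[str, Any], inventory: dict[str, list], variables: dict) -> bool:
    """Evaluate one check node, or an AND/OR condition node over its children."""
    if node["kind"] == "condition":
        if len(node["children"]) < 2:
            raise ValueError("a condition node needs at least two children")
        combine = all if node["operator"] == "AND" else any
        return combine(evaluate_node(c, inventory, variables) for c in node["children"])
    records = inventory.get(node.get("datasetType"), [])
    for path, value in node.get("filter", {}).items():  # assumed filter form: path == value
        records = [r for r in records if get_path(r, path) == value]
    if not records:
        return False  # nothing matched: treated as a failing check (assumption)
    compare = OPERATORS[node["operator"]]
    expected = resolve(node.get("expectedValue"), variables)
    try:
        return all(compare(get_path(r, node["propertyPath"]), expected) for r in records)
    except TypeError:
        return False  # e.g. greaterThan against a missing (None) property


def evaluate_ruleset(ruleset: dict[str, Any], inventory: dict[str, list] = INVENTORY) -> str:
    """Return 'inactive', 'skipped', 'pass' or 'fail' for one asset."""
    if not ruleset.get("active", True):
        return "inactive"
    variables = {v["name"]: v["value"] for v in ruleset.get("variables", [])}
    # Unmet prerequisites skip the ruleset entirely: no finding, as the guide states.
    if not all(evaluate_node(p, inventory, variables) for p in ruleset.get("prerequisites", [])):
        return "skipped"
    passed = all(evaluate_node(c, inventory, variables) for c in ruleset["checks"])
    return "pass" if passed else "fail"


def check(title: str, dataset: str, path: str, operator: str, expected: Any = None, **extra):
    """Helper to build a check node dict (hypothetical field names)."""
    return {"kind": "check", "title": title, "datasetType": dataset,
            "propertyPath": path, "operator": operator, "expectedValue": expected, **extra}


# The SSH example from this guide, gated on openssh-server being installed.
SSH_RULESET = {
    "title": "Ensure SSH is hardened",
    "prerequisites": [check("openssh-server installed", "InstalledPackage", "normalizedData.version",
                            "exists", filter={"normalizedData.name": "openssh-server"})],
    "checks": [{"kind": "condition", "operator": "AND", "children": [
        check("SSH protocol version is 2", "SecurityPolicy", "normalizedData.protocol", "equals", "2"),
        check("SSH root login is disabled", "SecurityPolicy", "normalizedData.permitRootLogin", "equals", "no"),
    ]}],
}
# Variable-driven check (Step 5): minLen is 12 in the sample inventory, so this fails.
PASSWORD_RULESET = {
    "title": "Ensure minimum password length is 14 characters",
    "variables": [{"name": "min_password_length", "type": "int", "value": 14}],
    "checks": [check("Minimum password length", "SecurityPolicy", "normalizedData.minLen",
                     "greaterThanOrEqual", "${min_password_length}")],
}
# Prerequisite not met on this Linux asset, so the ruleset is skipped rather than failed.
WINDOWS_RULESET = {
    "title": "Ensure Windows Defender is enabled",
    "prerequisites": [check("Windows host", "OsInfo", "normalizedData.family", "equals", "windows")],
    "checks": [check("Defender enabled", "SecurityPolicy", "normalizedData.defender", "equals", "on")],
}

if __name__ == "__main__":
    for rs in (SSH_RULESET, PASSWORD_RULESET, WINDOWS_RULESET):
        print(f"{rs['title']!r}: {evaluate_ruleset(rs)}")
```

The three outcomes are the ones this guide distinguishes: the SSH ruleset passes, the password ruleset fails because the variable's value (14) is compared against the collected value (12), and the Windows ruleset is skipped without a finding because its prerequisite is not met. Note the distinction between a failed check and a skipped ruleset: if you omit the prerequisite on the Windows ruleset, the missing `defender` property turns into a failing check on every Linux asset instead.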
Step 8: Save the Ruleset
- Review all sections of the form
- Click Create to save the new ruleset
After creation, you are redirected to the ruleset detail page where you can review the configuration.
What Happens Next
The ruleset is now available to be assigned to policies:
- Navigate to a policy and edit it
- Add this ruleset to one or more sections
- The ruleset will be evaluated against the policy's targeted assets on the next evaluation cycle
Next Steps
- Manage Rulesets: Edit, clone, or delete rulesets
- Create a Policy: Assign your ruleset to a policy
- Understanding Findings: View evaluation results