Exception Rules
Exception Rules Functionality
This page is intended for customers who are currently using the Exception Rules feature, which is currently access controlled through a feature flag.
We request that you do not share this URL/page outside of the Rapid7 organization or with customers that are not currently using this feature.
In addition, this documentation is in progress. If you have questions, issues, or suggestions about the content provided here, we welcome your feedback. Reach out to your CSA or to support through the Customer Support Portal.
Exception Rules is a new feature that enables customers to use Insights to create rules that can work with regular expressions and flag resources as exempt from specific Insights. Exception rules are applied before Bot actions take place and can be used to evaluate resources that exist in your cloud accounts (harvested) and resources that need to be evaluated before they are deployed (IaC).
Use Case for Exception Rules
Exception rules were created to expand on our existing Exceptions capabilities. Generally speaking, the current Exceptions functionality only applies when the Insight and the resource both already exist, and this approach can be hard to scale. Our other support for Exceptions is provided through Bot Automation. For example, you could create a Bot around volumes and use the Curate Exceptions option to set the scope (one cloud account or many), the timing, and so on. The problem with this approach is that Bots are not guaranteed to run in a particular order, so in this example a separate Bot designed to remove unencrypted volumes may run before the Exceptions Bot is applied to a particular resource. Exception rules avoid this issue, and other problems, by defining Exceptions that apply to resources before they are added (via IaC) or before Bots take any action on them.
Creating an Exception Rule
Refer to the steps below to create a new Exception Rule.
- Navigate to Security > Exception Rules.
- Under the Exception Rules tab, select the Create Rule button in the top right to launch the form.
- Create a new Exception Rule by completing the following options:
- Select an Insight — Use the drop-down/search to identify and select an Insight (out-of-the-box or Custom) from which to exempt a resource
- The selected Insight will automatically update the other scoping options.
- Select a Resource Type — e.g., instance, using the normalized Cloud Security (InsightCloudSec) resource type term
- Description — provide a description for your Exception Rule
- Number of Days to Apply (optional) — Select the number of days this Exception will apply.
- This field is subject to the system-wide Insight Exception setting (if one is configured) under Settings > System Administration > System Settings.
- If a system-wide setting is populated, the number of days specified here must be equal to or less than that system-wide value. Note that the error message currently shown when this check fails does not specifically identify the system-wide limit as the cause.
- If left blank (or set to 0) and no system-wide setting exists, this Exception will apply indefinitely or until it is removed.
- This will be overridden by Expiration Limit.
- Expiration Limit (optional) — Select the date for the Exception rule to expire. This will override the Number of Days to Apply.
- Regular Expressions — Provide additional filtering criteria through a regular expression.
- Regular expressions are currently applied only to resource names and as a result do not apply to all resource types.
- For deployed (harvested) resources, not all resource types are supported. For example, snapshots are automatically named when created and as a result cannot be identified by a regular expression.
- Specify Accounts - Select All Accounts, which is selected by default, or specify one or more accounts in which you want this Exception rule to apply.
- IaC Only can only be applied to the All Accounts option.
- Click OK when you are ready to create your Exception rule.
- You can view, edit, and (if permitted) delete existing Exception rules from the Exception Rules tab (Security > Exception Rules).
- Your new Exception Rule is applied to any relevant resource as soon as the rule is created. An existing Exception Rule is also applied to a resource whose name is later modified so that it matches the rule's regular expression.
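The scoping and expiry options above interact in ways that are easy to get wrong (Expiration Limit overrides Number of Days, the system-wide setting caps Number of Days, IaC Only requires All Accounts, the regular expression is matched against the resource name only). The following is an added illustrative model of those rules in Python, written for this page; it is not InsightCloudSec code, the field and function names are assumptions, and the sample Insight, rules and resources are constructed. Two behaviours the page leaves unspecified are marked as assumptions in the comments: a blank Number of Days combined with a system-wide setting is treated as expiring after the system-wide value, and the regular expression is treated as an unanchored search.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Union

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO-8601 string, as a form or API payload would carry it."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class ExceptionRule:
    """Illustrative model of an Exception Rule; field names are assumptions, not the product schema."""
    insight: str                                 # Insight (out-of-the-box or Custom) to exempt from
    resource_type: str                           # normalized resource type, e.g. "instance"
    description: str
    name_regex: Optional[str] = None             # applied to the resource name only
    accounts: Optional[Set[str]] = None          # None means "All Accounts"
    days_to_apply: int = 0                       # blank/0: indefinite unless a system-wide setting exists
    expiration_limit: Optional[DateLike] = None  # overrides days_to_apply
    iac_only: bool = False                       # only valid together with All Accounts


@dataclass
class Resource:
    name: str
    resource_type: str
    account: str


def validate_rule(rule: ExceptionRule, system_max_days: Optional[int]) -> List[str]:
    """Return the problems the form would reject; an empty list means the rule is valid."""
    problems = []
    if system_max_days is not None and rule.days_to_apply > system_max_days:
        problems.append(f"Number of Days to Apply ({rule.days_to_apply}) exceeds the "
                        f"system-wide Insight Exception setting ({system_max_days})")
    if rule.iac_only and rule.accounts is not None:
        problems.append("IaC Only can only be applied with All Accounts")
    return problems


def expiry_date(rule: ExceptionRule, created: DateLike,
                system_max_days: Optional[int] = None) -> Optional[date]:
    """Expiration Limit wins over Number of Days; blank/0 days with no system-wide setting is
    indefinite (None). Assumption: blank/0 days with a system-wide setting expires after that value."""
    if rule.expiration_limit is not None:
        return _as_date(rule.expiration_limit)
    days = rule.days_to_apply
    if days <= 0:
        if system_max_days is None:
            return None
        days = system_max_days
    return _as_date(created) + timedelta(days=days)


def is_exempt(rule: ExceptionRule, resource: Resource, insight: str, on_date: DateLike,
              created: DateLike, system_max_days: Optional[int] = None) -> bool:
    """Decide whether `rule` exempts `resource` from `insight` on `on_date`.
    Assumption: the regex is an unanchored search; anchor it (^...$) for a whole-name match."""
    if rule.insight != insight or rule.resource_type != resource.resource_type:
        return False
    if rule.accounts is not None and resource.account not in rule.accounts:
        return False
    if rule.name_regex and not re.search(rule.name_regex, resource.name):
        return False
    exp = expiry_date(rule, created, system_max_days)
    return exp is None or _as_date(on_date) <= exp


# Constructed sample data (not from the page): exempt dev-prefixed instances from one Insight.
INSIGHT = "Example Insight"
CREATED = "2024-01-01"
RULE_30_DAYS = ExceptionRule(INSIGHT, "instance", "dev instances", name_regex=r"^dev-", days_to_apply=30)
RULE_HARD_STOP = ExceptionRule(INSIGHT, "instance", "dev instances, hard stop", name_regex=r"^dev-",
                               days_to_apply=30, expiration_limit="2024-01-15")
RULE_OPEN_ENDED = ExceptionRule(INSIGHT, "instance", "dev instances, indefinite", name_regex=r"^dev-")
DEV_INSTANCE = Resource("dev-web-01", "instance", "111111111111")
PROD_INSTANCE = Resource("prod-web-01", "instance", "111111111111")

if __name__ == "__main__":
    print("30-day rule expires:", expiry_date(RULE_30_DAYS, CREATED))
    print("Expiration Limit overrides days:", expiry_date(RULE_HARD_STOP, CREATED))
    print("No days, no system-wide setting:", expiry_date(RULE_OPEN_ENDED, CREATED))
    print("dev instance exempt on day 10:", is_exempt(RULE_30_DAYS, DEV_INSTANCE, INSIGHT, "2024-01-10", CREATED))
    print("prod instance exempt on day 10:", is_exempt(RULE_30_DAYS, PROD_INSTANCE, INSIGHT, "2024-01-10", CREATED))
    print("Rejected with system-wide limit of 14:", validate_rule(RULE_30_DAYS, 14))
```

Renaming `prod-web-01` to something matching `^dev-` makes `is_exempt` return True on the next evaluation, which is the rename behaviour described above, and is also why a rule's regular expression should be as specific as the naming convention allows: an over-broad pattern silently exempts every resource that later acquires a matching name.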
Viewing & Editing Exception Rules
Exception rules are visible under Security > Exception Rules under the Exception Rules tab. This view currently displays Exceptions created through the Exceptions capability via the manual workflow, and through the new Exception Rules feature.
- With the appropriate permissions this section also allows you to delete or modify an existing Exception Rule.
- At present you cannot sort or filter Exceptions by type (for example, by how they were created); however, in the current release manually created Exceptions show a creator or approver (email address).