Configuration (config) rules monitor your resource configurations for potential policy violations or misconfigurations. Perform this task to create a custom configuration rule that you can use in a cloud security policy.
Navigate to Posture Management → Rules & Policies → Rules → Cloud Security.
Select Create Rule > Config.
Complete the Overview step:
Enter a Rule Name and Description.
Select a Severity. This will be the severity of any issues created with this rule.
(Optional) Add Labels. These labels can be used to find rules when creating custom policies.
(Optional) Enable Remediation using the toggle. In a later step, you'll enter the remediation instructions.
(Optional) Associate this rule with a Compliance Control. Click Add, select one or more custom compliance controls from the list, and then click Assign.
Custom configuration rules can only be associated with custom compliance controls.
Click Next.
In the Rule Logic step, use the query builder to define the detection criteria. Select one of the following modes:
Simple Mode: Presents a guided interface in which you can define basic conditions and address most common rule use cases.
Advanced Mode: Presents a free-form XQL editor that allows you to build complex and flexible queries across unrestricted datasets. Supports advanced and custom use cases.
If you selected Simple Mode, complete the following steps:
Select options from the dropdown menus to define the logic for your config rule, such as “Find EC2 instances where accessKeys are allowed”, and then click Search to view all matching results.
Click Next to define Remediation instructions (if you turned on Enable Remediation in the Overview step) or click Done.
If you selected Advanced Mode, complete the following steps:
Define an XQL query for the rule, following the guidelines in Guidelines for creating cloud security rules. For detailed XQL query instructions, see XQL Language Structure.
Click Test to determine if the query is valid.
Select the Affected Asset Type. Generated issues will be linked to assets identified by the selected field.
Check the list of query results to verify that the query is working as intended.
Click Next to define Remediation instructions (if you turned on Enable Remediation in the Overview step) or click Done.
(Optional) In the text field, define remediation actions or provide other information that will be included on issues created by this rule.
Click Done to save your config rule.