Installation
Running the Server
STDIO Transport Mode
HTTP Streaming Transport Mode
Available Tools
The server provides the following tools for security management:

| Tool Name | Description |
|---|---|
| `list_problems` | List security problems in a given compartment |
| `get_problem_details` | Get detailed information about a problem using its OCID |
| `update_problem_status` | Update the status of a security problem |
Usage Examples
List Security Problems
Get Problem Details
- Risk level and score
- Problem description
- Affected resources
- Detection time
- Recommendations
- Related responder activities
Update Problem Status
Understanding OCI Cloud Guard
What is Cloud Guard?
Cloud Guard is Oracle’s cloud-native security monitoring and threat detection service that:
- Detects security weaknesses and threats
- Monitors configuration compliance
- Responds automatically to security problems
- Reports on security posture
- Prevents risky configurations
Key Concepts
Problems
Security issues detected by Cloud Guard:
- Misconfigurations violating security best practices
- Suspicious or anomalous activities
- Policy violations
- Risk-scored and prioritized
- Configuration detectors - Check resource configurations
- Activity detectors - Monitor user and system activities
- Oracle-managed detector recipes
- Custom detector configurations
- Respond to detected problems automatically
- Predefined remediation actions
- Disable resources, modify configurations
- Can be enabled/disabled per responder rule
- Define scope of monitoring
- Assign detector and responder recipes
- Hierarchical - child compartments inherit settings
Risk Levels
Critical
- Severe security risks requiring immediate attention
- Examples: Public buckets with sensitive data, open databases
- Significant security concerns
- Examples: Overly permissive IAM policies, disabled security features
- Notable security issues
- Examples: Missing encryption, non-compliant configurations
- Minor security findings
- Examples: Informational alerts, best practice recommendations
- Minimal risk items
- Examples: Optimization suggestions
Problem Lifecycle
- Open - Newly detected problem
- In Progress - Under investigation or remediation
- Resolved - Issue has been fixed
- Dismissed - Marked as false positive or accepted risk
- Deleted - Removed from Cloud Guard
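The three tools in the Available Tools table and the lifecycle above, modelled in Python as an added example that is not the project's own code. The problem store is an in-memory dictionary with constructed OCIDs and compartments (the real server talks to the OCI Cloud Guard API); the transition rules, the OCID shape check and the "dismissal needs a comment" rule are assumptions made for this example, chosen to match the Troubleshooting and Best Practices sections rather than taken from Cloud Guard itself.

```python
"""Added example (not the project's own code): an in-memory model of the
server's three tools, with status rules implied by the Problem Lifecycle
section. All data here is constructed for illustration."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# OCIDs look like ocid1.<resource-type>.<realm>.[region].<unique-id>.
# Checking the shape first makes a mistyped OCID fail before any API call
# ("Problem OCID is incorrect" under Troubleshooting). Assumed pattern.
OCID_RE = re.compile(r"^ocid1\.[a-z0-9_-]+\.[a-z0-9]+\.[a-z0-9-]*\.[A-Za-z0-9]+$")

LIFECYCLE = ("Open", "In Progress", "Resolved", "Dismissed", "Deleted")

# Assumed transition rules (constructed, not Cloud Guard's own): nothing
# leaves Deleted, and a closed problem is re-opened by going back to Open.
ALLOWED_TRANSITIONS = {
    "Open": {"In Progress", "Resolved", "Dismissed", "Deleted"},
    "In Progress": {"Open", "Resolved", "Dismissed", "Deleted"},
    "Resolved": {"Open", "Deleted"},
    "Dismissed": {"Open", "Deleted"},
    "Deleted": set(),
}

RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "MINOR": 4}


@dataclass
class Problem:
    ocid: str
    compartment_id: str
    risk_level: str
    description: str
    status: str = "Open"
    history: list = field(default_factory=list)  # (time, old, new, comment)


# Constructed sample data; the OCIDs and compartment ids are placeholders.
PROBLEMS = {
    "ocid1.cloudguardproblem.oc1..aaaa0001": Problem(
        "ocid1.cloudguardproblem.oc1..aaaa0001", "ocid1.compartment.oc1..prod",
        "CRITICAL", "Public bucket contains sensitive data"),
    "ocid1.cloudguardproblem.oc1..aaaa0002": Problem(
        "ocid1.cloudguardproblem.oc1..aaaa0002", "ocid1.compartment.oc1..prod",
        "LOW", "Best practice recommendation"),
    "ocid1.cloudguardproblem.oc1..aaaa0003": Problem(
        "ocid1.cloudguardproblem.oc1..aaaa0003", "ocid1.compartment.oc1..dev",
        "HIGH", "Overly permissive IAM policy"),
}


def list_problems(compartment_id: str) -> List[Problem]:
    """Tool 1: problems in one compartment, highest risk first."""
    found = [p for p in PROBLEMS.values() if p.compartment_id == compartment_id]
    return sorted(found, key=lambda p: RISK_ORDER.get(p.risk_level, 99))


def get_problem_details(problem_ocid: str) -> Problem:
    """Tool 2: look up a problem by OCID, validating the OCID shape first."""
    if not OCID_RE.match(problem_ocid):
        raise ValueError(f"not an OCID: {problem_ocid!r}")
    try:
        return PROBLEMS[problem_ocid]
    except KeyError:
        raise LookupError(f"no problem with OCID {problem_ocid}") from None


def update_problem_status(problem_ocid: str, new_status: str, comment: str = "") -> Problem:
    """Tool 3: move a problem through the lifecycle.

    Refuses unknown statuses, no-op updates ("Problem already in that
    status"), disallowed transitions, and dismissals without a comment
    (Best Practices: dismiss with a detailed comment)."""
    problem = get_problem_details(problem_ocid)
    if new_status not in LIFECYCLE:
        raise ValueError(f"unknown status {new_status!r}; expected one of {LIFECYCLE}")
    if new_status == problem.status:
        raise ValueError(f"problem is already {new_status}")
    if new_status not in ALLOWED_TRANSITIONS[problem.status]:
        raise ValueError(f"cannot move from {problem.status} to {new_status}")
    if new_status == "Dismissed" and len(comment.strip()) < 20:
        raise ValueError("dismissal requires a comment explaining why it is not a real issue")
    problem.history.append((datetime.now(timezone.utc), problem.status, new_status, comment))
    problem.status = new_status
    return problem


if __name__ == "__main__":
    for p in list_problems("ocid1.compartment.oc1..prod"):
        print(p.risk_level, p.ocid, p.status)
    update_problem_status("ocid1.cloudguardproblem.oc1..aaaa0003", "In Progress", "assigned to IAM team")
    print(get_problem_details("ocid1.cloudguardproblem.oc1..aaaa0003").history)
```

The history list is what makes the "Document remediation actions" and "Review dismissals periodically" practices auditable: every transition carries who-said-what in the comment, and a dismissal with an empty comment is rejected rather than silently recorded.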
Common Security Problems
Identity & Access Management
- Users with overly broad permissions
- Service accounts with admin access
- Long-lived API keys
- Missing MFA on privileged accounts
- Inactive users with active credentials
Network Security
- Security lists allowing unrestricted access (0.0.0.0/0)
- Public subnets with sensitive resources
- Missing network security groups
- Unencrypted traffic
- Open management ports (SSH, RDP)
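The first and last items of the Network Security list, turned into the kind of check a configuration detector performs. This is an added example, not code from the project or from Cloud Guard's own detector rules: the ingress rules are constructed, and the scoring (world-open SSH or RDP is CRITICAL, any other world-open port is HIGH) is an assumption chosen to line up with the Risk Levels section.

```python
"""Added example (not the project's own code): a configuration check for
security-list ingress rules that admit the whole internet (0.0.0.0/0 or
::/0), scored by whether a management port (SSH, RDP) is exposed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Management ports from the Network Security list; assumed to be TCP only.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class IngressRule:
    source: str                 # CIDR, e.g. "10.0.0.0/8"
    protocol: str               # "tcp", "udp" or "all"
    port_min: Optional[int]     # None = every port
    port_max: Optional[int]


def is_world_open(source: str) -> bool:
    """True when the source CIDR admits every IPv4 or IPv6 address."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def covers_port(rule: IngressRule, port: int) -> bool:
    """True when the rule admits TCP traffic to the given port."""
    if rule.protocol not in ("tcp", "all"):
        return False
    if rule.port_min is None or rule.port_max is None:
        return True
    return rule.port_min <= port <= rule.port_max


def evaluate(rules: List[IngressRule]) -> List[Dict]:
    """Return one finding per world-open rule, highest risk first."""
    findings = []
    for rule in rules:
        if not is_world_open(rule.source):
            continue  # restricted source: not unrestricted access
        exposed = [name for port, name in MANAGEMENT_PORTS.items() if covers_port(rule, port)]
        if exposed:
            risk = "CRITICAL"
            text = f"{rule.source} may reach management ports: {', '.join(exposed)}"
        else:
            risk = "HIGH"
            ports = "all ports" if rule.port_min is None else f"{rule.protocol} {rule.port_min}-{rule.port_max}"
            text = f"{rule.source} allowed unrestricted access to {ports}"
        findings.append({"risk": risk, "rule": rule, "description": text})
    order = {"CRITICAL": 0, "HIGH": 1}
    return sorted(findings, key=lambda f: order[f["risk"]])


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings by risk level, for a 'problems by risk level' metric."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    return counts


# Constructed sample rules; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES = [
    IngressRule("0.0.0.0/0", "tcp", 22, 22),        # world-open SSH
    IngressRule("0.0.0.0/0", "tcp", 443, 443),      # world-open HTTPS
    IngressRule("10.0.0.0/8", "tcp", 3389, 3389),   # RDP from private space only
    IngressRule("::/0", "all", None, None),         # everything, every port, IPv6
    IngressRule("203.0.113.0/24", "tcp", 22, 22),   # SSH from one office range
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RULES):
        print(f["risk"], f["description"])
    print(summarize(evaluate(SAMPLE_RULES)))
```

Note the difference between "source restricted" and "port restricted": the 10.0.0.0/8 RDP rule and the office-range SSH rule produce no finding at all, while the IPv6 `::/0` catch-all is scored CRITICAL even though no port is named, because it implicitly covers SSH and RDP.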
Data Protection
- Public object storage buckets
- Unencrypted volumes and databases
- Object versioning disabled
- Missing backup policies
- Data not in approved regions
Compute Security
- Instances with public IPs in private subnets
- Security agents disabled
- Non-compliant instance images
- Missing OS patches
- Exposed management interfaces
Database Security
- Databases accessible from internet
- Weak authentication settings
- Audit logging disabled
- Unencrypted data at rest
- Missing database backups
Authentication
The server uses OCI CLI configuration from `~/.oci/config`:
Required Permissions
Your OCI user or instance principal needs these IAM permissions:
Read Problems:
Common Use Cases
Security Monitoring
- Monitor security posture across tenancy
- Track new security problems
- Prioritize remediation by risk level
- Measure security metrics over time
Compliance Management
- Detect configuration drift from baselines
- Verify compliance with security standards
- Generate compliance reports
- Track remediation progress
Incident Response
- Investigate security alerts
- Identify affected resources
- Track problem remediation
- Document security incidents
Automated Remediation
- Enable responders for auto-remediation
- Monitor responder execution
- Review automated changes
- Adjust responder configurations
Security Operations
- Daily security problem review
- Triage new findings
- Assign problems to teams
- Track SLA compliance
Best Practices
Problem Management
- Review new problems daily
- Prioritize by risk level
- Document remediation actions
- Track mean time to resolution
- Don’t dismiss problems without investigation
Detection Configuration
- Enable Cloud Guard on all compartments
- Use Oracle-managed detector recipes
- Customize detectors for your requirements
- Regularly review detector configurations
- Test detector rules periodically
Responder Configuration
- Start with responders in “Test” mode
- Review automated actions before enabling
- Configure notifications for responder actions
- Monitor responder execution logs
- Adjust based on operational impact
Integration
- Route problems to SIEM systems
- Integrate with ticketing systems
- Set up notifications for critical problems
- Create dashboards for security metrics
- Automate reporting
Organizational
- Define problem ownership
- Establish SLAs for remediation
- Create runbooks for common problems
- Train teams on Cloud Guard
- Regular security posture reviews
Remediation Strategies
Immediate Actions (Critical/High)
- Verify the problem is valid
- Assess impact and risk
- Implement immediate mitigation
- Fix root cause
- Verify resolution
- Update problem status
Planned Remediation (Medium/Low)
- Review and prioritize
- Schedule remediation work
- Plan changes and testing
- Implement fixes
- Validate and close problems
False Positives
- Investigate thoroughly
- Document why it’s not a real issue
- Consider detector tuning
- Dismiss with detailed comment
- Review dismissals periodically
Monitoring & Reporting
Key Metrics
- Total open problems
- Problems by risk level
- Mean time to detection (MTTD)
- Mean time to resolution (MTTR)
- Problems opened vs. closed trends
- Top problem types
- Problems by compartment/resource
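The Key Metrics above computed from a constructed set of problem records, as an added example that is not the project's own code. The records, timestamps, compartments and problem types are made up; in practice they would come from the `list_problems` tool. MTTD is left out because it needs the time the weakness was introduced, which a problem record does not carry; MTTR here counts only problems that reached Resolved, so dismissals do not flatter the number.

```python
"""Added example (not the project's own code): key security metrics over
constructed Cloud Guard problem records."""
from collections import Counter
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Optional, Tuple

OPEN_STATES = ("Open", "In Progress")


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def record(pid: str, ptype: str, risk: str, comp: str, status: str,
           first_detected: str, closed: Optional[str] = None) -> Dict:
    return {"id": pid, "type": ptype, "risk": risk, "compartment": comp,
            "status": status, "first_detected": ts(first_detected),
            "closed": ts(closed) if closed else None}


# Constructed sample data (ids, types and compartments are placeholders).
RECORDS = [
    record("p1", "PUBLIC_BUCKET", "CRITICAL", "prod", "Resolved", "2024-05-01T08:00:00", "2024-05-01T20:00:00"),
    record("p2", "PERMISSIVE_POLICY", "HIGH", "prod", "Resolved", "2024-05-02T09:00:00", "2024-05-04T09:00:00"),
    record("p3", "PERMISSIVE_POLICY", "HIGH", "dev", "Open", "2024-05-06T10:00:00"),
    record("p4", "MISSING_ENCRYPTION", "MEDIUM", "dev", "Dismissed", "2024-05-07T11:00:00", "2024-05-08T11:00:00"),
    record("p5", "BEST_PRACTICE", "LOW", "prod", "In Progress", "2024-05-08T12:00:00"),
    record("p6", "PUBLIC_BUCKET", "CRITICAL", "dev", "Open", "2024-05-09T13:00:00"),
]


def open_problems(records: List[Dict]) -> List[Dict]:
    """Total open problems: Open and In Progress both count as open."""
    return [r for r in records if r["status"] in OPEN_STATES]


def by_risk(records: List[Dict]) -> Dict[str, int]:
    """Problems by risk level (pass open_problems(...) for the open view)."""
    return dict(Counter(r["risk"] for r in records))


def mttr_hours(records: List[Dict]) -> Optional[float]:
    """Mean time from first detection to resolution, Resolved problems only."""
    durations = [(r["closed"] - r["first_detected"]).total_seconds() / 3600
                 for r in records if r["status"] == "Resolved" and r["closed"]]
    return mean(durations) if durations else None


def opened_vs_closed_by_week(records: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Opened vs. closed trend, bucketed by ISO week of the event."""
    def week(d: datetime) -> str:
        year, wk, _ = d.isocalendar()
        return f"{year}-W{wk:02d}"
    trend: Dict[str, Dict[str, int]] = {}
    for r in records:
        trend.setdefault(week(r["first_detected"]), {"opened": 0, "closed": 0})["opened"] += 1
        if r["closed"]:
            trend.setdefault(week(r["closed"]), {"opened": 0, "closed": 0})["closed"] += 1
    return dict(sorted(trend.items()))


def top_problem_types(records: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    return Counter(r["type"] for r in records).most_common(n)


def by_compartment(records: List[Dict]) -> Dict[str, int]:
    return dict(Counter(r["compartment"] for r in records))


if __name__ == "__main__":
    open_now = open_problems(RECORDS)
    print("open:", len(open_now), by_risk(open_now), by_compartment(open_now))
    print("MTTR (h):", mttr_hours(RECORDS))
    print("trend:", opened_vs_closed_by_week(RECORDS))
    print("top types:", top_problem_types(RECORDS, 2))
```

Run over the sample records this reports 3 open problems, an MTTR of 30 hours, and a week in which four problems were opened against one closed, which is the "remediation velocity" signal a dashboard would plot.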
Dashboards
Create dashboards showing:
- Security posture score
- Problem trends over time
- Risk distribution
- Remediation velocity
- Responder activity
Reports
Generate regular reports:
- Weekly security summary
- Monthly compliance reports
- Quarterly security trends
- Audit reports for compliance
Troubleshooting
Problem Not Appearing
Check:
- Cloud Guard is enabled on target compartment
- Detector rule is enabled
- Resource is in monitored compartment
- Sufficient time for detection (can take hours)
- IAM permissions allow problem creation
Cannot Update Problem Status
Possible causes:
- Insufficient permissions
- Problem OCID is incorrect
- Problem already in that status
- Network connectivity issues
Solutions:
- Verify IAM policies include `manage cloud-guard-problems`
- Confirm problem OCID
- Check current problem status
- Test API connectivity
Too Many False Positives
Optimization:
- Review and tune detector conditions
- Create custom detector recipes
- Exclude specific resources if appropriate
- Adjust risk thresholds
- Work with Oracle Support on detector rules
Responder Not Executing
Check:
- Responder rule is enabled
- IAM policies allow responder execution
- Resource type supports responder action
- Responder execution logs for errors
- Resource state allows action
Integration Patterns
SIEM Integration
Automated Ticketing
Notification Workflow
Related Services
- Monitoring - Monitor security metrics
- Logging - Collect audit and security logs
- Identity - Manage IAM security
- Networking - Network security configuration
