To measure and monitor threats to the microservices in your application, you can create Threat Detection policies through the Tanzu Service Mesh Console UI.

Tanzu Service Mesh Enterprise learns the behavior of services, API interactions, PII transfers, and TCP transactions between the microservices deployed in the application environment. Understanding this behavior is essential, because the communication between microservices involves many API requests and responses. Tanzu Service Mesh provides this understanding by identifying deviations from the learned behavior. Such a deviation is called “Drifting”; it is captured and rendered in the Service Graph as a “Violation”.

Prerequisites

Procedure

  1. In the navigation panel on the left, select New Workflow > New Policy > Threat Detection Policy.

    Alternatively, in the navigation panel on the left, select Policies > Threat Detection. In the upper-right corner of the Threat Detection Policy page, click New Policy and select one of the following:

    • Attack Detection Policy

    • Geo Fencing Policy

    • Schema Validation Policy

  2. If you have selected Attack Detection Policy, follow these steps:
    1. In the window that appears, provide a policy name that is not already in use.

      Ensure that there are no special characters in the Attack Detection Policy name. Optionally, add a description.

    2. Specify the name of the GNS Scope.
    3. In Request Attacks, select the attacks from the displayed list of standard attacks detected in API requests to services in the GNS.
    4. In Response Attacks, select from the standard attacks detected in responses from services in the GNS.
    5. Click Next.
    6. In the next window, select an OWASP Paranoia Level to define the actions to perform when the policy is applied to requests.

      You can select any one of the following levels:

      Level 1 (Low). This level enables most of the core rules. Recommended for beginners, installations covering many different types of applications, and for setups with standard security requirements.

      Level 2 (Medium). This level enables many extra rules. Recommended for moderate to experienced users who desire more complete coverage, and for all installations with elevated security requirements.

      Level 3 (High). This level enables more rules and keyword lists that cover less common attacks. Recommended for users who are experienced at handling false positives, and for installations with high security requirements.

      Level 4 (Extreme). This level further restricts special characters. Recommended for experienced users with very high security requirements.

    7. Click Next.
    8. In the Policy Targets window, define the services to which the policy applies.

      You can select one of the following options:

      All Services in the GNS. All services in the GNS will be subject to this policy.

      Specific Services Only. Define certain services to be subject to this policy by selecting Add Service.

    9. Click Next.
    10. Review the Attack Detection Policy configuration and click Save.

      The new policy appears under the Attack Detection tab.

  3. If you have selected Geo Fencing Policy, follow these steps:
    1. In the window that appears, provide a policy name that is not already in use.

      Ensure that there are no special characters in the Geo Fencing name. Optionally, add a description.

    2. Specify the name of the GNS Scope.
    3. Select the policy target services (all services or specific services).
    4. Click Next.
    5. In the Geo Fencing Rules window that appears, enter a unique name for the rule in the Rule Name field.
    6. Select a Geo Fence Type (PROXIMITY, STATE, or COUNTRY) and fill in the details for that type. Click Add Rule to add multiple rules.
    7. Click Next.
    8. Review the Geo Fencing policy configuration and click Save.

      The new policy appears under the Geo Fencing tab.

  4. If you have selected Schema Validation Policy, follow these steps:
    1. In the window that appears, provide a policy name that is not already in use. Ensure that there are no special characters in the Schema Validation policy name. Optionally, add a description.
    2. Specify the name of the GNS Scope.
    3. Select a target service for the policy.
    4. Click Next.
    5. In the API Schema window that appears, upload the API schema for this policy, or optionally type it as JSON in the provided text field.
    6. Review the Schema Validation policy configuration and click Save.

      The new policy appears under the Schema Validation tab.

  5. To edit an existing Threat Detection configuration, perform these steps:
    1. Click the vertical three dots to the right of a policy (attack detection, geo fencing, or a schema validation policy).
    2. On the menu, click Edit Configuration.
    3. To advance through and edit the configuration pages, click Next.
    4. To update the configuration, on the final page, click Save.
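The OWASP Paranoia Levels in the Attack Detection Policy steps above are cumulative: each level enables every rule of the lower levels plus additional ones, so detection coverage and the false-positive rate rise together. The following added Python example (not Tanzu Service Mesh code; the rules are simplified stand-ins, not the actual OWASP Core Rule Set) shows, for a few constructed parameter values, the lowest level at which each is flagged, which is what a practitioner weighs when choosing a level.

```python
import re
from typing import List, Optional

# Constructed, simplified rules keyed by paranoia level. These illustrate the
# level semantics described in the policy steps; they are NOT the real OWASP
# Core Rule Set rules.
RULES = [
    # (paranoia level, rule id, description, pattern)
    (1, "PL1-sqli-union", "UNION-based SQL injection",
     re.compile(r"\bunion\b.+\bselect\b", re.I)),
    (1, "PL1-xss-script", "script tag in a parameter",
     re.compile(r"<\s*script\b", re.I)),
    (2, "PL2-sqli-comment", "SQL comment sequence (extra rule)",
     re.compile(r"(--|/\*|#)")),
    (3, "PL3-sqli-keyword", "keyword list for less common attacks",
     re.compile(r"\b(waitfor|benchmark|sleep)\b", re.I)),
    (4, "PL4-special-chars", "special characters outside a small allow list",
     re.compile(r"[^\w\s@.\-]")),
]


def evaluate(value: str, paranoia_level: int) -> List[str]:
    """Return the ids of all rules that fire on `value` at the given level.

    Levels are cumulative: a rule is active when its level <= paranoia_level.
    """
    if not 1 <= paranoia_level <= 4:
        raise ValueError("paranoia level must be between 1 and 4")
    return [rule_id for level, rule_id, _desc, pattern in RULES
            if level <= paranoia_level and pattern.search(value)]


def first_level_flagged(value: str) -> Optional[int]:
    """Lowest paranoia level at which `value` is flagged, or None if never."""
    for level in range(1, 5):
        if evaluate(value, level):
            return level
    return None


# Constructed sample parameter values: two benign, two suspicious.
SAMPLES = [
    "jane.doe@example.com",               # benign, never flagged
    "O'Brien",                            # benign, flagged only at level 4
    "I need more sleep",                  # benign, keyword false positive at 3
    "1 UNION SELECT password FROM users", # suspicious, flagged at level 1
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: first flagged at level {first_level_flagged(sample)}")
```

Benign values that only trip level 3 or 4 rules are the false positives the Level 3 and Level 4 descriptions warn about, so test a policy at a higher level against known-good traffic before relying on it.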