What is the difference between a detector recipe and a responder recipe?

Detector recipes define what Cloud Guard looks for — they contain rules that evaluate your OCI resources against security best practices and compliance standards. Each detector rule specifies a condition, risk level (CRITICAL, HIGH, MEDIUM, LOW), and the resource types it monitors. Responder recipes define what happens when a detector finds a problem — they can automatically remediate issues, create notifications, or require manual approval before taking action.

Can I customize Oracle-managed Cloud Guard recipes?

You cannot modify Oracle-managed recipes directly, but you can clone them to create user-managed copies. Once cloned, you can enable or disable individual rules, adjust risk levels, modify rule parameters, and add conditions. Cloned recipes do not automatically receive updates when Oracle modifies the managed recipe, so you should periodically review Oracle's managed recipes for new rules you may want to incorporate.

How does Cloud Guard determine risk levels for detected problems?

Each detector rule has a configured risk level that represents the potential security impact. Cloud Guard aggregates these into a risk score for each target (compartment). Risk levels map to severity: CRITICAL problems like publicly exposed databases score highest, while LOW problems like missing tags score lowest. You can customize risk levels in cloned recipes to align with your organization's risk tolerance and compliance requirements.

Cloud Guard Recipe Builder

IAM & SecurityOCI

Build Cloud Guard detector recipe configurations with rules and risk levels.

Last verified: May 2026

OCI Cloud Guard Configuration

Build Cloud Guard detector recipe configurations for security monitoring and compliance.

Required Fields

compartmentIddisplayNamedetectorRecipeTypedetectorRules

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "displayName": "custom-config-detector-recipe",
  "description": "Custom detector recipe for CIS benchmark compliance",
  "detectorRecipeType": "CONFIGURATION",
  "sourceDetectorRecipeId": "ocid1.cloudguarddetectorrecipe.oc1..aaaaaaaexample",
  "detectorRules": [
    {
      "detectorRuleId": "BUCKET_IS_PUBLIC",
      "details": {
        "isEnabled": true,
        "riskLevel": "CRITICAL",
        "condition": {
          "kind": "SIMPLE",
          "parameter": "publicAccessType",
          "operator": "NOT_EQUALS",
          "value": "NoPublicAccess"
        },
        "configurations": [
          {
            "configKey": "publicAccessType",
            "name": "Public access type",
            "value": "NoPublicAccess"
          }
        ]
      }
    },
    {
      "detectorRuleId": "VCN_SECURITY_LIST_ALLOWS_ALL_INGRESS",
      "details": {
        "isEnabled": true,
        "riskLevel": "HIGH",
        "condition": null,
        "configurations": []
      }
    }
  ],
  "freeformTags": {
    "compliance": "cis-benchmark"
  }
}

Generated Output

Output will appear here...

About This Tool

OCI Cloud Guard provides automated security monitoring by using detector and responder recipes that define what threats to look for and how to react. Detector recipes contain rules that identify security problems — like public buckets, instances without monitoring, or overly permissive policies — while responder recipes define automated or manual remediation actions. Building custom recipes requires understanding rule parameters, condition groups, risk levels, and managed list references. This tool helps you assemble detector and responder recipes with correct rule configurations, thresholds, and target mappings.

Real-World Scenario

Your security team needs to detect compute instances launched without their corporate-required tags (cost-center, environment, owner). The builder helps you clone the Oracle Configuration detector recipe, enable the 'Compute Instance has missing required tags' rule with a custom list of required tags, set risk level to HIGH, and configure a responder recipe to send a Slack notification (no auto-remediation). Within hours of deploy, the security team has visibility into 28 untagged production instances they hadn't previously known existed.

When to Use This Tool

•Building custom detector recipes that flag compute instances launched without Cloud Guard monitoring agents installed
•Creating responder recipes that automatically disable compromised user API keys and notify the security team
•Configuring detector rules with custom risk levels and condition groups for organization-specific compliance requirements
•Generating recipe configurations that integrate with OCI Events and Notifications for security alerting workflows

Pro Tips

TIP

Always start by cloning the Oracle-managed OCI Detector recipe and disabling rules you don't need rather than building from scratch. The managed recipe has 50+ well-tuned rules covering common compliance requirements; building your own from zero is months of work.

TIP

Responder recipes default to MANUAL_APPROVAL for risky actions like 'disable user' or 'delete suspicious resource'. Don't blindly switch to AUTOMATIC — a false positive on a CRITICAL detector can cause an outage faster than a real attack would. Auto-remediation should be reserved for low-blast-radius actions like 'disable a leaked API key'.

TIP

Cloud Guard problems flow into OCI Notifications by default — wire that to PagerDuty or Slack so security findings are visible to the team. Without external alerting, problems sit in the Cloud Guard console untouched until someone happens to look.

How It Works Under the Hood

The builder generates OCI Cloud Guard recipe resources: detector recipes (with rule references, condition groups, risk level overrides, target resource type filters) and responder recipes (with responder rule references, action mode AUTOMATIC/MANUAL_APPROVAL, condition groups). Output includes oci cloud-guard CLI commands and Terraform oci_cloud_guard_detector_recipe / oci_cloud_guard_responder_recipe resources.

Frequently Asked Questions

What is the difference between a detector recipe and a responder recipe?: Detector recipes define what Cloud Guard looks for — they contain rules that evaluate your OCI resources against security best practices and compliance standards. Each detector rule specifies a condition, risk level (CRITICAL, HIGH, MEDIUM, LOW), and the resource types it monitors. Responder recipes define what happens when a detector finds a problem — they can automatically remediate issues, create notifications, or require manual approval before taking action.
Can I customize Oracle-managed Cloud Guard recipes?: You cannot modify Oracle-managed recipes directly, but you can clone them to create user-managed copies. Once cloned, you can enable or disable individual rules, adjust risk levels, modify rule parameters, and add conditions. Cloned recipes do not automatically receive updates when Oracle modifies the managed recipe, so you should periodically review Oracle's managed recipes for new rules you may want to incorporate.
How does Cloud Guard determine risk levels for detected problems?: Each detector rule has a configured risk level that represents the potential security impact. Cloud Guard aggregates these into a risk score for each target (compartment). Risk levels map to severity: CRITICAL problems like publicly exposed databases score highest, while LOW problems like missing tags score lowest. You can customize risk levels in cloned recipes to align with your organization's risk tolerance and compliance requirements.

Related Learning Guides

OCI Security Best Practices24 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.