This topic explains how to define an application in CloudSecure using Application Discovery Rules. To define an application individually, see Define an Application Individually.
For an explanation of CloudSecure application definitions and how they relate to deployments, see Deployments and Applications.
Prerequisites
Before you define an application, you must have onboarded at least one cloud account. Defining a deployment is optional. For information about defining a deployment, see Define a Deployment.
Define Applications Automatically
Although CloudSecure has always allowed you to define applications individually, you can now automatically create multiple applications by defining an Application Discovery Rule. This feature runs in the background, so the rule you create automatically defines applications when new resources are added that meet the rule parameters.
The user interface presents the following ways to begin creating such rules:
- If you have not defined your first application, either individually or with an Application Discovery Rule, the Application Definitions page displays a banner inviting you to add your first application definition using either method. Click Add Application Definition, select Application Discovery Rule, and click Confirm to begin.
- If you have already added an application individually, but not yet with the Application Discovery Rule method, a banner invites you to do so. Click Create to begin.
- If you have already created an Application Discovery Rule, navigate to the Application Discovery menu item
The in-application pop-up guide instructs you on how to proceed.
Application Discovery Rule Guidelines
- Choose your rule name carefully, to make it clear what sort of applications you are automatically defining
- You can add a prefix to the name of all applications discovered with the rule
- The prefix and name may be changed when editing the rule. Other parts of the rule are not editable.
- When editing the rule, if the edit does not affect an existing application definition, you do not need to modify or re-approve the application. If the edit affects an existing application definition, then the following apply:
- If the change is to only the prefix in the rule, rename the existing application label to reflect the new prefix. You do not need to re-approve application.
- If any of the change is to metadata (the type of rule, such as account/subscription, virtual network, etc.), you may need to review and approve new or existing application deployments
- When you save your rule edits, the application approval or re-approval workflows begin. A prompt tells you to review and remove any policies associated with application labels that were previously associated with the rule.
- The rule's exact behavior may vary depending on the rule type you select.
- Cloud Tags: If you choose this rule type, a Cloud Tag Keys dropdown menu appears
- Cloud Accounts: If you choose this rule type, it applies to all the available account/subscription across all accounts and ties an application to each account/subscription with the relevant resources. You have the option to specify the CSPs to which the rule applies. You can have only one rule of this type.
- Virtual Networks: If you choose this rule type, it applies to all the available virtual networks across all accounts and ties an application to each virtual network with the relevant resources. You have the option to specify the CSPs to which the rule applies. You can have only one rule of this type.
- Subnet: If you choose this rule type, it applies to all the available subnets across all of your accounts, and therefore ties any application to each subnet with the relevant resources. You have the option to specify the CSPs to which the rule applies. You can have only one rule of this type.
- Application Discovery Rules cannot be disabled or paused once added. There are two workarounds:
- You can delete the rule, which will also delete all application definitions created with the rule
- You can modify individual application definitions for those created with the rule, which decouples the application definition with the rule
- Once you create an Application Discovery Rule, you can browse to Discovery Rules > View details to edit it.
- Application definitions have contexts for how they were created, viewable on their respective detail pages, either individually or using an Application Discovery Rule
Application Label Conventions
- Tag-based application labels are generated in the format
Prefix-<TagValue> e.g., infosec-payment - Account/Subscription-based application labels are generated in the format
Prefix-<unique account/sub identifier> e.g., InfoSec-Act123 - VPC/VNet based-metadata application labels are generated in the format
Prefix-<unique virtual network identifier> InfoSec-VirtualNetwork123 - Subnet based metadata application labels are generated in the format
Prefix-<unique subnet identifier> InfoSec-Subnet123
Edit an Application Definition
You may wish to update or otherwise edit an application you have already defined. Use the following steps to do so.
- From the Application Discovery > Application Definitions tab, find the application label for which you want to edit the definition.
- Click View Details for the application of interest.
- Click Edit. The in-application pop-up guide instructs you on how to proceed. Note that if during editing you change the Auto Approve Setting toggle, you must confirm and save to retain the toggle change.
Delete Application Discovery Rule-Created Application Definitions
When you delete applications that are pending approval, CloudSecure simply deletes the application definitions.
When you delete approved applications, CloudSecure deletes the application definitions and the rulesets (policies) associated with the application definitions and the application instances. CloudSecure also disassociates any related resources from the application definitions being removed.
Note that deleting a discovery rule automatically deletes all application definitions associated with the rule. You may also choose to manually delete associated application definitions, as follows:
- From the left navigation, choose Application Discovery > Discovery Rules. The Application Discovery page appears and the Discovery Rules tab is selected.
- For the Application Discovery Rule in question, select the View Details link in its table row. The Details page for that rule appears.
-
In the Discovered Application Definitions section of the Details page, select all the application definitions that you want to delete and click the Remove button in the upper right of the Discovered Application Definitions section. This is different than the Remove button at the very top of the page, which is grayed-out when you select an application definition.
A confirmation dialog box appears displaying the applications you are deleting.
- Verify that you are deleting the correct applications and click Remove in the dialog box.
Exporting Application Definition Reports
- Click Export on the Application Definitions tab.
- Edit the report name and select the format.
- Click the Scheduling Section toggle to the on position to schedule the export unless you want to export the report immediately.
- If you choose to schedule your report, select your recurrence and time.
- Click Save when done.
- Go to the Reports page to download the exported report.
What's Next
Approve your application. (Each instance of the application in different deployments requires approval.) See View and Approve an Application for information.
Begin creating policy for your application. See Writing Application Policy for information.