If the custom rules that you are deploying are specific to certain customers please follow this guide. If not, please refer to this guide instead. Deploying rules that are generic to all customers
If you have yet to create or export and test your custom rules please refer to Exporting custom rules and deploying via code and return here once you are done.
Set up customer’s environment
Before deploying our custom rules, we will first have to ensure that our customer’s environment is up to date. To do this please refer to XDR provisioning resources
Add custom rules
Ensure you have all prerequisites installed. They are located here 1. Open the Terminal application
- Switch to the home directory by using the command
cd ~
- Create a “Customers” directory locally that you will use to store customer based repositories using the command mkdir. Example:
mkdir Customers
- Change into the “Customers” directory using
cd Customers
Make an additional directory for the customer you are creating custom rules for. Example:mkdir (Customer Name Here)
- Change into the customer directory. Example:
cd (Customer Name Here)
- Clone both the Infrastructure-live and infrastructure-modules repositories that are specific to the customer.
git clone https://github.com/quantum-sec/infrastructure-live.git
<- Replace URL with customer specific repository. git clone https://github.com/quantum-sec/infrastructure-modules
<- Replace URL with customer specific repository. > Note
Code Block | ||||
---|---|---|---|---|
| ||||
# Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/.
# To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory.
# Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule.
#
custom_rules = [
"my-new-custom-rule",
"conti-malware-detections-via-commandline-arguments"
# "suspicious-powershell-zipping-activity",
# ] |
Note | ||
---|---|---|
| ||
Note If changing a production rule to a custom rule for a specific customer you will need to also exclude the original rule so it’s not deployed in addition to the custom rule, add to the exclude rules section the rule you modified. |
Code Block | ||||
---|---|---|---|---|
| ||||
# exclude_rules = [
# "ioc/application/powershell/suspicious-powershell-zipping-activity",
# ]
exclude_rules = [
"sentinel-rules/platform/azure/activedirectory/azureportalsigninfromanotherazuretenant",
"ioc/security/sysmon/conti-malware-detections-via-commandline-arguments"
] |
Example
Note | ||
---|---|---|
| ||
Note You do not need to add the custom-rules/ prefix or the yaml file extension to this array. |
Deploy the change
Log into the service account for the customer using az login
To deploy the custom rules, run the update environment script.
Commit changes
Once you have verified that everything is working as intended please commit the changes and push it to source control.
Potential Errors and Solutions
This section covers some of the potential errors that you may face and how to resolve them.
Backend initialization required, please run “terraform init
Please check if you are logged into the correct Azure account with the correct subscription set.
If the error still persist, run az logout
and sign in by following Logging into Azure and setting subscription
Module source has changed
Run the following command
Code Block | ||||
---|---|---|---|---|
| ||||
terragrunt init |
Debug Terragrunt
If the error you are facing is not one of the above, you can execute the following command to enable debugging. terragrunt plan --terragrunt-log-level debug --terragrunt-debug