If the custom rules that you are deploying are specific to certain customers, follow this guide. If they are generic to all customers, refer to Deploying rules that are generic to all customers instead.

If you have yet to create or export and test your custom rules please refer to Exporting custom rules and deploying via code and return here once you are done.

Set up customer’s environment

Before deploying our custom rules, we first have to ensure that the customer’s environment is up to date. To do this, refer to XDR provisioning resources.

Add custom rules

Ensure you have all prerequisites installed. They are located here.

  1. Open the Terminal application.
  2. Switch to the home directory using the command cd ~
  3. Create a “Customers” directory locally that you will use to store customer-based repositories, using the command mkdir. Example: mkdir Customers
  4. Change into the “Customers” directory using cd Customers
  5. Make an additional directory for the customer you are creating custom rules for. Example: mkdir (Customer Name Here)
  6. Change into the customer directory. Example: cd (Customer Name Here)
  7. Clone both the infrastructure-live and infrastructure-modules repositories that are specific to the customer:

  git clone https://github.com/quantum-sec/infrastructure-live.git    # replace the URL with the customer-specific repository
  git clone https://github.com/quantum-sec/infrastructure-modules     # replace the URL with the customer-specific repository

  # Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/.
  # To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory.
  # Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule.
  #
  custom_rules = [
    "my-new-custom-rule",
    "conti-malware-detections-via-commandline-arguments",
  #   "suspicious-powershell-zipping-activity",
  ]
Note

If you are changing a production rule into a custom rule for a specific customer, you must also exclude the original rule so it is not deployed in addition to the custom rule: add the rule you modified to the exclude_rules section.

  # exclude_rules = [
  #   "ioc/application/powershell/suspicious-powershell-zipping-activity",
  # ]

  exclude_rules = [
    "sentinel-rules/platform/azure/activedirectory/azureportalsigninfromanotherazuretenant",
    "ioc/security/sysmon/conti-malware-detections-via-commandline-arguments"
  ]

Example

[Screenshot: custom-rules]

Note

You do not need to add the custom-rules/ prefix or the yaml file extension to this array.
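The two lists above are easy to get wrong by hand (a prefix or extension left in, a yaml file that was never copied into custom-rules/, or an overridden production rule that was not excluded, so both copies get deployed). The following pre-deploy check is an added example, not part of the original guide or of the quantum-sec repositories; it assumes the terragrunt .hcl file holds multi-line custom_rules = [ ... ] and exclude_rules = [ ... ] lists, that rule names contain no whitespace, and that the rule yaml files live in the custom-rules directory passed as the second argument.

```shell
#!/usr/bin/env bash
# Added pre-deploy sanity check for the custom_rules / exclude_rules lists.
# Assumptions: multi-line HCL lists, rule names without whitespace, and
# yaml files in the custom-rules/ directory given as the second argument.

# hcl_list <file> <list name>: print one entry per line, skipping commented lines.
hcl_list() {
  sed -n "/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\[/,/^[[:space:]]*]/p" "$1" \
    | grep -v '^[[:space:]]*#' | grep -o '"[^"]*"' | tr -d '"'
}

# check_rules <file> <custom-rules dir>: prints one problem per line,
# returns 1 if any entry has a prefix/extension or has no yaml file to deploy.
check_rules() {
  local cfg=$1 dir=$2 rc=0 rule base
  for rule in $(hcl_list "$cfg" custom_rules); do
    case "$rule" in
      custom-rules/*|*.yaml|*.yml)
        echo "BAD_NAME $rule: drop the custom-rules/ prefix and the yaml extension"; rc=1 ;;
    esac
    base=${rule#custom-rules/}; base=${base%.yaml}; base=${base%.yml}
    if [ ! -f "$dir/$base.yaml" ] && [ ! -f "$dir/$base.yml" ]; then
      echo "MISSING $rule: no $dir/$base.yaml to deploy"; rc=1
    fi
  done
  return "$rc"
}

# unexcluded_overrides <file>: custom rules with no exclude_rules entry ending
# in /<name>. Review each one: if it replaces a production rule, both copies
# would be deployed to the customer's Sentinel instance.
unexcluded_overrides() {
  local cfg=$1 rule
  for rule in $(hcl_list "$cfg" custom_rules); do
    hcl_list "$cfg" exclude_rules | grep -q "/$rule\$" || echo "$rule"
  done
}

# Usage: ./check-rules.sh path/to/terragrunt.hcl [path/to/custom-rules]
if [ -n "${1:-}" ]; then
  check_rules "$1" "${2:-custom-rules}"
  echo "custom rules without a matching exclude_rules entry (review):"
  unexcluded_overrides "$1"
fi
```

Run it from the customer's infrastructure-live checkout before the update environment script; a non-zero exit means the list would not deploy cleanly.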

Deploy the change

Log into the service account for the customer using az login. To deploy the custom rules, run the update environment script.

Commit changes

Once you have verified that everything is working as intended, commit the changes and push them to source control.

Potential Errors and Solutions

This section covers some of the potential errors that you may face and how to resolve them.

Backend initialization required, please run “terraform init”

[Screenshot: backend-initialization-required]

Check that you are logged into the correct Azure account with the correct subscription set.

If the error still persists, run az logout and sign in again by following Logging into Azure and setting subscription.

Module source has changed

[Screenshot: module-source-has-changed]

Run the following command:

  terragrunt init

Debug Terragrunt

If the error you are facing is not one of the above, you can execute the following command to enable debugging:

  terragrunt plan --terragrunt-log-level debug --terragrunt-debug