If the custom rules you are deploying are specific to certain customers, follow this guide. If they apply to all customers, refer to Deploying rules that are generic to all customers instead.
If you have not yet created, or exported and tested, your custom rules, refer to Exporting custom rules and deploying via code and return here once you are done.
Setting up the environment
Before deploying custom rules, first ensure that the customer's environment is up to date. To do this, refer to XDR provisioning resources.
Add custom rules
Clone the following repos, replacing each URL with the customer-specific repository:

git clone https://github.com/quantum-sec/infrastructure-live.git
git clone https://github.com/quantum-sec/infrastructure-modules

> Note
>
> The two tuning steps (locating the original YAML rule file in infrastructure-modules and modifying its query) are only applicable if you are modifying an existing rule to meet the needs of the customer. If you are adding a completely new custom rule, skip them and proceed to changing into the sentinel-rules directory.
Ensure you have all prerequisites installed. They are located here.

1. Open the Terminal application.
2. Switch to the home directory:
   cd ~
3. Create a "Customers" directory locally that you will use to store customer-based repositories:
   mkdir Customers
4. Change into the "Customers" directory:
   cd Customers
5. Make an additional directory for the customer you are creating custom rules for. Example:
   mkdir (Customer Name Here)
6. Change into the customer directory. Example:
   cd (Customer Name Here)
7. Clone both the infrastructure-live and infrastructure-modules repositories that are specific to the customer (the clone commands above).
8. Tuning an existing rule only: locate the original YAML rule file for the rule you want to tune in the customer's infrastructure-modules repository cloned in the previous step. The path should look like
   infrastructure-modules/azure/content/rules/
9. Tuning an existing rule only: modify the query within the YAML file to match what you are looking to tune. The modified file is the custom rule you will place in custom-rules/ below.
10. In your Terminal, change your directory to
   infrastructure-live/azure/prod/southeastasia/<prefix>-log-analytics/services/sentinel-rules
11. Create a custom-rules directory within the sentinel-rules directory.
12. Place all custom YAML rules into the custom-rules/ directory.
13. Open config.hcl in the customer's sentinel-rules directory (example path: https://github.com/quantum-sec/infrastructure-live/blob/master/azure/prod/southeastasia/quantum-log-analytics/services/sentinel-rules/config.hcl) and look for the custom_rules field:
```hcl
# Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/.
# To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory.
# Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule.
#
# custom_rules = [
#   "suspicious-powershell-zipping-activity",
# ]
```

Add the custom rules:

```hcl
# Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/.
# To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory.
# Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule.
#
# custom_rules = [
#   "suspicious-powershell-zipping-activity",
# ]
custom_rules = [
  "my-new-custom-rule",
  "conti-malware-detections-via-commandline-arguments",
]
```
> Note
>
> If you are changing a production rule into a custom rule for a specific customer, you must also exclude the original rule so that it is not deployed in addition to the custom rule: add the rule you modified to the exclude rules section.

> Note
>
> You do not need to add the custom-rules/ prefix or the .yaml file extension to entries in this array.
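Before running the update environment script, it is worth checking that config.hcl and the custom-rules/ directory agree, since a misnamed entry fails the deployment and an unlisted file is silently not deployed. The script below is an added example written for this page; it is not part of the runbook, the update environment script, or the quantum-sec repositories. It assumes the layout described above (a custom_rules list in config.hcl, rule YAML files in custom-rules/, module rules as <name>.yaml files in infrastructure-modules/azure/content/rules/). The page does not name the attribute behind the "exclude rules section", so exclude_rules is a hypothetical default that can be overridden with EXCLUDE_ATTR. The fixture built by make_fixture is constructed for the demo and is not a real customer repository.

```shell
#!/bin/sh
# Added example for this runbook, not part of the quantum-sec repositories.
# Checks a sentinel-rules directory before the update environment script runs:
#   - every custom_rules entry has a matching custom-rules/<name>.yaml
#   - entries carry neither the custom-rules/ prefix nor a file extension
#   - no YAML file sits in custom-rules/ unlisted (it would not be deployed)
#   - with a modules rules dir as 2nd argument: a custom rule whose name matches a
#     module rule must be in the exclude list, or both copies deploy
# Assumption: the exclude list attribute is called exclude_rules (hypothetical).
set -u
EXCLUDE_ATTR=${EXCLUDE_ATTR:-exclude_rules}

# Print the quoted entries of a top-level HCL list attribute, one per line.
# Lines starting with '#' are skipped so the commented example block in
# config.hcl is not mistaken for live entries. Usage: hcl_list_entries FILE ATTR
hcl_list_entries() {
  awk -v attr="$2" '
    /^[ \t]*#/ { next }
    ($0 ~ ("^[ \t]*" attr "[ \t]*=[ \t]*\\[")) { inlist = 1 }
    inlist {
      line = $0
      while (match(line, /"[^"]*"/)) {
        print substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      if (line ~ /\]/) inlist = 0
    }' "$1"
}

# Validate <sentinel-rules-dir> [<modules-rules-dir>]. Each problem goes to
# stderr; returns 1 if any was found, 0 otherwise.
check_custom_rules() {
  dir=$1; cfg=$1/config.hcl; modules=${2:-}; rc=0
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  listed=$(hcl_list_entries "$cfg" custom_rules)
  excluded=$(hcl_list_entries "$cfg" "$EXCLUDE_ATTR")

  for entry in $listed; do
    case $entry in
      custom-rules/*) echo "'$entry': drop the custom-rules/ prefix" >&2; rc=1; continue ;;
      *.yaml|*.yml)   echo "'$entry': drop the file extension" >&2; rc=1; continue ;;
    esac
    [ -f "$dir/custom-rules/$entry.yaml" ] \
      || { echo "'$entry': no custom-rules/$entry.yaml" >&2; rc=1; }
    # Tuned copy of a module rule: the original must be excluded or both deploy.
    if [ -n "$modules" ] && [ -f "$modules/$entry.yaml" ] \
       && ! printf '%s\n' "$excluded" | grep -qxF -- "$entry"; then
      echo "'$entry' also exists in $modules but is not in $EXCLUDE_ATTR" >&2; rc=1
    fi
  done

  for f in "$dir"/custom-rules/*.yaml; do
    [ -e "$f" ] || continue                     # glob matched nothing
    name=${f##*/}; name=${name%.yaml}
    printf '%s\n' "$listed" | grep -qxF -- "$name" \
      || { echo "custom-rules/$name.yaml is not in custom_rules, so it will not deploy" >&2; rc=1; }
  done
  return $rc
}

# Constructed fixture (not a real customer repo) for trying the checker offline:
# "good" is consistent; "bad" has a prefixed entry, two unlisted files and a
# tuned module rule that was never excluded.
make_fixture() {
  root=$1
  mkdir -p "$root/good/custom-rules" "$root/bad/custom-rules" "$root/modules"
  printf '%s\n' '# custom_rules = [' '#   "suspicious-powershell-zipping-activity",' '# ]' \
    'custom_rules = [' '  "my-new-custom-rule",' \
    '  "conti-malware-detections-via-commandline-arguments",' ']' \
    'exclude_rules = ["conti-malware-detections-via-commandline-arguments"]' > "$root/good/config.hcl"
  printf '%s\n' 'custom_rules = [' '  "custom-rules/my-new-custom-rule",' \
    '  "conti-malware-detections-via-commandline-arguments",' ']' > "$root/bad/config.hcl"
  for d in good bad; do
    : > "$root/$d/custom-rules/my-new-custom-rule.yaml"
    : > "$root/$d/custom-rules/conti-malware-detections-via-commandline-arguments.yaml"
  done
  : > "$root/bad/custom-rules/forgotten-rule.yaml"
  : > "$root/modules/conti-malware-detections-via-commandline-arguments.yaml"
}

# Usage: sh check-custom-rules.sh <sentinel-rules-dir> [<modules-rules-dir>]
#        sh check-custom-rules.sh --demo   (runs against the constructed fixture)
if [ "${1:-}" = "--demo" ]; then
  root=$(mktemp -d); make_fixture "$root"
  check_custom_rules "$root/good" "$root/modules" && echo "good: consistent"
  check_custom_rules "$root/bad" "$root/modules" || echo "bad: problems found (expected)"
elif [ $# -ge 1 ]; then
  check_custom_rules "$@" && echo "custom_rules and custom-rules/ are consistent"
fi
```

Run it from the customer directory as sh check-custom-rules.sh infrastructure-live/azure/prod/southeastasia/<prefix>-log-analytics/services/sentinel-rules infrastructure-modules/azure/content/rules before invoking the update environment script; a non-zero exit means config.hcl needs another look.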
Deploying the change
Log into the service account for the customer using az login with your customer-specific credentials. To deploy the custom rules, run the update environment script.

If the deployment fails, check that you are logged into the correct Azure account and that the correct subscription is set (az account show prints the active account and subscription). If the errors persist, run az logout and sign in again by following Logging into Azure and setting subscription.