Deploy Custom Rules

If the custom rules that you are deploying are customer specific, follow this guide. If they are generic to all customers, refer to Deploying rules that are generic to all customers instead.

If you have not yet created, exported and tested your custom rules, refer to Exporting custom rules and deploying via code and return here once you are done.

Setting up the environment

Before deploying the custom rules, ensure that your environment is up to date. To do this, refer to XDR provisioning resources.

Add custom rules

Clone the following repos (replace each URL with the customer-specific repository):

  • git clone https://github.com/quantum-sec/infrastructure-live.git
  • git clone https://github.com/quantum-sec/infrastructure-modules

Note

Steps 7 and 8 are only applicable if you are modifying an existing rule to meet the needs of the customer. If using a completely new custom rule, proceed to step 9.

Ensure you have all prerequisites installed. They are located here.

  1. Open the Terminal application.

  2. Switch to the home directory using the command cd ~

  3. Create a “Customers” directory locally that you will use to store customer-based repositories, using the command mkdir. Example: mkdir Customers

  4. Change into the “Customers” directory using cd Customers, then make an additional directory for the customer you are creating custom rules for. Example: mkdir (Customer Name Here)

  5. Change into the customer directory. Example: cd (Customer Name Here)

  6. Clone both the infrastructure-live and infrastructure-modules repositories that are specific to the customer.

  7. If you are tuning an existing rule, look for the original YAML rule file for the rule you want to tune in the customer infrastructure-modules repository that was cloned locally under the directory created in step 3. The path should look like infrastructure-modules/azure/content/rules/

  8. If you are tuning an existing rule, modify the query within the YAML file to match what you are looking to tune.

  9. In your Terminal, change your directory to infrastructure-live/azure/prod/southeastasia/<prefix>-log-analytics/services/sentinel-rules

  10. Create a custom-rules directory within the sentinel-rules directory.

  11. Place all custom YAML rules into the custom-rules/ directory.

  12. Open config.hcl found in your customer’s sentinel-rules directory (example path: https://github.com/quantum-sec/infrastructure-live/blob/master/azure/prod/southeastasia/quantum-log-analytics/services/sentinel-rules/config.hcl) and look for the custom_rules field:

        # Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/.
        # To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory.
        # Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule.
        #
        # custom_rules = [
        #   "suspicious-powershell-zipping-activity",
        # ]

     Add the custom rules (note that the closing bracket must be uncommented along with the list, otherwise the HCL is invalid):

        # Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/.
        # To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory.
        # Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule.
        #
        custom_rules = [
          "my-new-custom-rule",
          "conti-malware-detections-via-commandline-arguments",
          # "suspicious-powershell-zipping-activity",
        ]

Note

If you are changing a production rule into a custom rule, you also need to exclude the original rule so it is not deployed in addition to the custom rule: add the rule you modified to the exclude_rules section.

Example

    # exclude_rules = [
    #   "ioc/application/powershell/suspicious-powershell-zipping-activity",
    # ]
    exclude_rules = [
      "sentinel-rules/platform/azure/activedirectory/azureportalsigninfromanotherazuretenant",
      "ioc/security/sysmon/conti-malware-detections-via-commandline-arguments",
    ]

Note

You do not need to add the custom-rules/ prefix or the .yaml file extension to entries in this array.
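The two lists above are easy to get subtly wrong (a rule name with a prefix or extension, a listed rule with no YAML file in custom-rules/, a tuned production rule that was never excluded so both copies deploy, or a closing bracket left commented). The following pre-deploy check is an added example, not part of this guide or the repositories; it assumes exclude_rules entries are paths relative to the modules rules directory without the .yaml extension (as in the ioc/... entry above), and the directory layout and rule names built in demo() are constructed.

```python
# Added example (not the guide's own tooling): sanity-check custom_rules and
# exclude_rules in a sentinel-rules config.hcl before running the update script.
# Assumption: exclude_rules entries are rule paths relative to the modules
# rules directory, without the .yaml extension. demo() uses constructed data.
import re
from pathlib import Path
from tempfile import TemporaryDirectory

def parse_rule_lists(hcl_text: str) -> dict:
    """Read custom_rules / exclude_rules. Comment lines are dropped first so the
    commented template entries stay inert; an unclosed list parses as None."""
    live = "\n".join(l for l in hcl_text.splitlines() if not l.lstrip().startswith("#"))
    lists = {}
    for name in ("custom_rules", "exclude_rules"):
        m = re.search(rf"^\s*{name}\s*=\s*\[([^\]=]*)\]", live, re.M)
        lists[name] = None if m is None else re.findall(r'"([^"]+)"', m.group(1))
    return lists

def check_config(sentinel_rules: Path, modules_rules: Path) -> list:
    """Return a list of problems; an empty list means the lists are consistent."""
    lists = parse_rule_lists((sentinel_rules / "config.hcl").read_text())
    if lists["custom_rules"] is None:
        return ["custom_rules list missing or not closed (is the ']' commented out?)"]
    excluded, problems = set(lists["exclude_rules"] or []), []
    for rule in lists["custom_rules"]:
        # entries are bare names: no custom-rules/ prefix and no .yaml extension
        if "/" in rule or rule.endswith((".yaml", ".yml")):
            problems.append(f"not a bare rule name: {rule}")
            continue
        if not (sentinel_rules / "custom-rules" / f"{rule}.yaml").is_file():
            problems.append(f"no custom-rules/{rule}.yaml for: {rule}")
        # a tuned production rule must also be excluded, or both copies deploy
        for original in modules_rules.rglob(f"{rule}.yaml"):
            rel = original.relative_to(modules_rules).with_suffix("").as_posix()
            if rel not in excluded:
                problems.append(f"production rule {rel} not in exclude_rules")
    return problems

def demo() -> list:
    """Constructed layout: one tuned rule whose original is not excluded yet,
    and one listed rule with no YAML file in custom-rules/ (two problems)."""
    with TemporaryDirectory() as tmp:
        sr, mr = Path(tmp, "sentinel-rules"), Path(tmp, "modules/azure/content/rules")
        conti = "conti-malware-detections-via-commandline-arguments"
        for d in (sr / "custom-rules", mr / "ioc/security/sysmon"):
            d.mkdir(parents=True)
        (sr / "custom-rules" / f"{conti}.yaml").write_text("name: tuned\n")
        (mr / "ioc/security/sysmon" / f"{conti}.yaml").write_text("name: original\n")
        (sr / "config.hcl").write_text(
            'custom_rules = [\n  "my-new-custom-rule",\n  "%s",\n]\nexclude_rules = [\n]\n' % conti)
        return check_config(sr, mr)
```

Run it from the sentinel-rules directory against the cloned infrastructure-modules/azure/content/rules path before committing; a non-empty result means the deployment would either fail or deploy a rule twice.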

Deploying the change

Log into the service account using az login with your customer-specific credentials. To deploy the custom rules, run the update environment script.

Commit changes

Once you have verified that everything is working as intended, commit the changes and push them to source control.

Potential Errors and Solutions

This section covers some of the potential errors that you may face and how to resolve them.

Backend initialization required, please run “terraform init”

Check that you are logged into the correct Azure account with the correct subscription set.

If the error persists, run az logout and sign in again by following Logging into Azure and setting subscription.

Module source has changed

Run the following command:

    terragrunt init

Debug Terragrunt

If the error you are facing is not one of the above, you can execute the following command to enable debugging:

    terragrunt plan --terragrunt-log-level debug --terragrunt-debug