If the custom rules that you are deploying are customer specific please follow this guide. If not, please refer to this guide instead. Deploying rules that are generic to all customers
If you have yet to create or export and test your custom rules please refer to Exporting custom rules and deploying via code and return here once you are done.
Setting up the environment
Before deploying our custom rules, we will first have to ensure that your environment is up to date. To do this please refer to XDR provisioning resources
Add custom rules
Clone the following repos: - git clone https://github.com/quantum-sec/infrastructure-live.git
<- Replace URL with customer specific repository.
git clone https://github.com/quantum-sec/infrastructure-modules
<- Replace URL with customer specific repository. > Note > > Steps 7 and 8 are only applicable if you are modifying an existing rule to meet the needs of the customer. If using a completely new custom rule, proceed to step 9.
Ensure you have all prerequisites installed. They are located here 1. Open the Terminal application
- Switch to the home directory by using the command
cd ~
- Create a “Customers” directory locally that you will use to store customer based repositories using the command mkdir. Example:
mkdir Customers
- Change into the “Customers” directory using
cd Customers
Make an additional directory for the customer you are creating custom rules for. Example:mkdir (Customer Name Here)
- Change into the customer directory. Example:
cd (Customer Name Here)
- Clone both the Infrastructure-live and infrastructure-modules repositories that are specific to the customer.
- If you are tuning an existing rule, Look for the original YAML Rule File for the rule that you are looking to tune from the customer infrastructure-modules repository that was locally created in step 3. Path should look like
infrastructure-modules/azure/content/rules/
- If you are tuning an existing rule, Modify the query within the YAML file to match what you are looking to tune.
- In your Terminal, change your directory to
infrastructure-live/azure/prod/southeastasia/<prefix>-log-analytics/services/sentinel-rules
- Create a
custom-rules
directory within thesentinel-rules
directory. - Place all custom YAML rules into the
custom-rules/
directory. - Open
config.hcl
found in your customer’s sentinel-rules directory (Example path: https://github.com/quantum-sec/infrastructure-live/blob/master/azure/prod/southeastasia/quantum-log-analytics/services/sentinel-rules/config.hcl and look for the custom_rules field:# Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/. # To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory. # Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule. # # custom_rules = [ # "suspicious-powershell-zipping-activity", # ]
Add the custom rules:# Add a list of individual rules that should be deployed to the Sentinel instance from custom-rules/. # To use terraform to manage the deployment of a custom rule, add the yaml files to the custom-rules directory. # Rules are referenced from the relative path of custom-rules/ so do not include the custom-rules/ prefix in a rule. # custom_rules = [ "my-new-custom-rule", "conti-malware-detections-via-commandline-arguments" # "suspicious-powershell-zipping-activity", # ]
Note
If changing a production rule to a custom rule you will need to also exclude the original rule so it’s not deployed in addition to the custom rule, add to the exclude rules section the rule you modified.
# exclude_rules = [ # "ioc/application/powershell/suspicious-powershell-zipping-activity", # ] exclude_rules = [ "sentinel-rules/platform/azure/activedirectory/azureportalsigninfromanotherazuretenant", "ioc/security/sysmon/conti-malware-detections-via-commandline-arguments" ]
Example
Note
You do not need to add the custom-rules/ prefix or the yaml file extension to this array.
Deploying the change
Log into the service account using az login
and using your customer specific credentials To deploy the custom rules, run the update environment script.
Commit changes
Once you have verified that everything is working as intended please commit the changes and push it to source control.
Potential Errors and Solutions
This section covers some of the potential errors that you may face and how to resolve them.
Backend initialization required, please run “terraform init
Please check if you are logged into the correct Azure account with the correct subscription set.
If the errors still persist, run az logout
and sign in by following Logging into Azure and setting subscription
Module source has changed
Run the following command
terragrunt init
Debug Terragrunt
If the error you are facing is not one of the above, you can execute the following command to enable debugging.
terragrunt plan --terragrunt-log-level debug --terragrunt-debug