operatorequals
Owner

== NOT FOR MERGING ==

This PR demonstrates the Terraform Resources and how they link to the Elastic API resources by using filepaths as Object IDs.

@github-actions


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # universe.exception_items["network/data_leakage_detection/elastic_ips.yaml"] will be created
  + resource "universe" "exception_items" {
      + config = <<-EOT
            item_id: "network-data_leakage_detection-elastic_ips"
            list_id: "network-data_leakage_detection"
            # https://www.elastic.co/guide/en/security/current/exceptions-api-create-exception-item.html
            name: Traffic to Elastic IPs
            type: simple
            namespace_type: single
            description: |
              Outbound trraffic is sent to IPs owned by Elastic
            entries:
            - field: destination.ip
              list:
                type: ip
                # Defined at
                # lists/elastic_ips.yaml
                id: elastic_ips
              operator: included
              type: list
            
            tags:
            - Skroutz
            
        EOT
      + id     = (known after apply)
    }

  # universe.exceptions["network/data_leakage_detection.yaml"] will be created
  + resource "universe" "exceptions" {
      + config = <<-EOT
            list_id: "network-data_leakage_detection"
            # https://www.elastic.co/guide/en/security/current/exceptions-api-create-container.html
            name: Legitimate high volume outbound traffic
            description: |
              Silences signals that trigger when high amount
              of traffic is sent outbound
            type: detection
            namespace_type: single
            tags:
              - Skroutz
            
            
        EOT
      + id     = (known after apply)
    }

  # universe.list_items["elastic_ips/elastic_artifacts_gcp_ipv6.yaml"] will be created
  + resource "universe" "list_items" {
      + config = <<-EOT
            id: "elastic_ips-elastic_artifacts_gcp_ipv6"
            list_id: "elastic_ips"
            
            #  GCP bucket for Elastic agent artifacts
            value: "2600:1901:0:1d7::"
            
        EOT
      + id     = (known after apply)
    }

  # universe.lists["elastic_ips.yaml"] will be created
  + resource "universe" "lists" {
      + config = <<-EOT
            id: "elastic_ips"
            
            # https://www.elastic.co/guide/en/security/current/lists-api-create-container.html
            name: "Elastic Assets"
            description: |
              It is often perceived that Elastic tools connect to external infrastructure
              (e.g. GCP buckets storing Elastic artifacts) maintained by Elastic
              which may falsely trigger our SIEM detections.
            type: ip
            
        EOT
      + id     = (known after apply)
    }

  # universe.rules_custom["network/data_leakage_detection.toml"] will be created
  + resource "universe" "rules_custom" {
      + config = <<-EOT
            [metadata]
            creation_date = "2021/08/23"
            maturity = "development"
            updated_date = "2021/08/23"
            
            [rule]
            author = ["John Torakis"]
            description = """
            This rule identifies network traffic where the host sent more than 20*524288 Bytes (~10Mib) to a host that does not belong to the Internal Network. All Private Addresses are filtered out.
            The rule is based on raw flow size, so it is not bound to a Protocol, such as TCP or UDP.
            """
            language = "kuery"
            name = "Data Leakage Detection"
            risk_score = 47
            rule_id = "7f80a667-5ac5-430d-8395-c5de457b46ea"
            severity = "medium"
            type = "threshold"
            license = "Skroutz SIEM License"
            tags = ["Network", "Elastic", "Exfiltration","Threat Detection"]
            index = ["packetbeat-*"]
            
            
            query = '''
            destination.bytes > 524288 and
              not destination.ip:(
                10.0.0.0/8 or
                127.0.0.0/8 or
                169.254.0.0/16 or
                172.16.0.0/12 or
                192.0.0.0/24 or
                192.0.0.0/29 or
                192.0.0.8/32 or
                192.0.0.9/32 or
                192.0.0.10/32 or
                192.0.0.170/32 or
                192.0.0.171/32 or
                192.0.2.0/24 or
                192.31.196.0/24 or
                192.52.193.0/24 or
                192.168.0.0/16 or
                192.88.99.0/24 or
                224.0.0.0/4 or
                100.64.0.0/10 or
                192.175.48.0/24 or
                198.18.0.0/15 or
                198.51.100.0/24 or
                203.0.113.0/24 or
                240.0.0.0/4 or
                "::1" or
                "FE80::/10" or
                "FF00::/8"
              )
            '''
            
            [rule.threshold]
            value = 25
            field = ["source.ip","destination.ip"]
            
            [[rule.threat]]
            framework = "MITRE ATT&CK"
            
            [[rule.threat.technique]]
            id = "T1041"
            name = "Exfiltration Over C2 Channel"
            reference = "https://attack.mitre.org/techniques/T1041/"
            
            [rule.threat.tactic]
            id = "TA0010"
            name = "Exfiltration"
            reference = "https://attack.mitre.org/tactics/TA0010/"
            
            
            
            
            
            # Add an Exception Container to each rule
            [[rule.exceptions_list]]
            id = "network-data_leakage_detection"
            list_id = "network-data_leakage_detection"
            namespace_type = "single"
            type = "detection"
            
            
        EOT
      + id     = (known after apply)
    }

Plan: 5 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
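As an added example (not part of the PR or of the github-actions output above), a Python consistency check for the filepath-as-object-ID linking the plan shows: each object's ID is derived from its file path, and every `list_id` and `exceptions_list` reference must resolve to a container in the set. The derivation rule (drop the extension, replace "/" with "-", parent directory names the container) is an assumption inferred from the plan, not stated on the page.

```python
from pathlib import PurePosixPath

# Linking fields copied from the plan above, keyed by the file path Terraform uses as object ID.
# Assumed convention (not stated on the page): an ID is the path minus its extension with "/"
# replaced by "-", and the parent directory names the container the file belongs to.
LISTS = {"elastic_ips.yaml": {"id": "elastic_ips"}}
LIST_ITEMS = {"elastic_ips/elastic_artifacts_gcp_ipv6.yaml":
              {"id": "elastic_ips-elastic_artifacts_gcp_ipv6", "list_id": "elastic_ips"}}
EXCEPTIONS = {"network/data_leakage_detection.yaml": {"list_id": "network-data_leakage_detection"}}
EXCEPTION_ITEMS = {"network/data_leakage_detection/elastic_ips.yaml":
                   {"item_id": "network-data_leakage_detection-elastic_ips",
                    "list_id": "network-data_leakage_detection", "value_lists": ["elastic_ips"]}}
RULES = {"network/data_leakage_detection.toml": {"exceptions_list": ["network-data_leakage_detection"]}}

def path_to_id(path: str) -> str:
    """'network/data_leakage_detection/elastic_ips.yaml' -> 'network-data_leakage_detection-elastic_ips'."""
    return str(PurePosixPath(path).with_suffix("")).replace("/", "-")

def parent_id(path: str) -> str:
    """Container ID implied by the directory a file sits in ('elastic_ips/x.yaml' -> 'elastic_ips')."""
    return path_to_id(str(PurePosixPath(path).parent))

def check_links(lists=LISTS, list_items=LIST_ITEMS, exceptions=EXCEPTIONS,
                exception_items=EXCEPTION_ITEMS, rules=RULES) -> list:
    """Return every mis-derived or dangling reference; an empty list means the set is consistent."""
    problems = []
    list_ids = {c["id"] for c in lists.values()}
    exc_ids = {c["list_id"] for c in exceptions.values()}
    # Containers: their own ID must be derived from their file path.
    for path, cfg in list(lists.items()) + list(exceptions.items()):
        if cfg.get("id", cfg.get("list_id")) != path_to_id(path):
            problems.append(f"{path}: ID does not match path")
    # Members: own ID from path, parent container from directory, and that container must exist.
    for path, cfg in list_items.items():
        if cfg["id"] != path_to_id(path) or cfg["list_id"] != parent_id(path):
            problems.append(f"{path}: id/list_id not derived from path")
        if cfg["list_id"] not in list_ids:
            problems.append(f"{path}: unknown value list {cfg['list_id']!r}")
    for path, cfg in exception_items.items():
        if cfg["item_id"] != path_to_id(path) or cfg["list_id"] != parent_id(path):
            problems.append(f"{path}: item_id/list_id not derived from path")
        if cfg["list_id"] not in exc_ids:
            problems.append(f"{path}: unknown exception container {cfg['list_id']!r}")
        problems += [f"{path}: unknown value list {v!r}" for v in cfg["value_lists"] if v not in list_ids]
    # Rules only point at exception containers; every one they name must exist.
    for path, cfg in rules.items():
        problems += [f"{path}: unknown exception container {e!r}"
                     for e in cfg["exceptions_list"] if e not in exc_ids]
    return problems
```

Running `check_links()` over the five objects in the plan returns an empty list; a rule naming a container that has no file under `exceptions/` is reported as a dangling reference before `terraform apply` pushes it to the Elastic API.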
