SecOps Rules

This module allows creation and management of custom rules as well as reference lists in Google SecOps.

  • rule definitions (YARA-L code, one .yaral file per rule) and reference list entries (one .txt file per list) are managed as files in the data folder, located through the factories_config variable as shown in the sample code
  • rule and reference list deployments can be driven either by the rules_config and reference_lists_config variables or by YAML files, whose paths are also specified in the factories_config variable.

Examples

Sample SecOps Rules and reference list deployment

This is a sample usage of the secops-rules module for deploying a rule (network_traffic_to_specific_country) and a reference list (private_ip_ranges). The YARA-L definition of the rule is in the file of the same name in the data/rules folder, and the reference list content is in the data/reference_lists folder. Deployment configuration for both is passed to the module through the rules_config and reference_lists_config variables.

module "secops" {
  source        = "./fabric/modules/secops-rules"
  project_id    = var.project_id
  tenant_config = var.secops_tenant_config
  reference_lists_config = {
    "private_ip_ranges" = {
      description = "Private CIDR ranges"
      type        = "CIDR"
    }
  }
  rules_config = {
    "network_traffic_to_specific_country" = {
      enabled       = true
      alerting      = true
      archived      = false
      run_frequency = "LIVE"
    }
  }
  factories_config = {
    rules_defs           = "./data/rules"
    reference_lists_defs = "./data/reference_lists"
  }
}
# tftest modules=1 resources=3 files=reference,rule inventory=basic.yaml
rule network_traffic_to_specific_country {

meta:
  author = "Google Cloud Security"
  description = "Identify network traffic based on target country"
  type = "alert"
  tags = "geoip enrichment"
  data_source = "microsoft windows events"
  severity = "Low"
  priority = "Low"

events:
  $network.metadata.event_type = "NETWORK_CONNECTION"
  //Specify a country of interest to monitor or add additional countries using an or statement
  $network.target.ip_geo_artifact.location.country_or_region = "France" nocase
  $network.target.ip = $ip

match:
  $ip over 30m

outcome:
  $risk_score = max(35)
  $event_count = count_distinct($network.metadata.id)

  // added to populate alert graph with additional context
  $principal_ip = array_distinct($network.principal.ip)

  // Commented out target.ip because it is already represented in graph as match variable. If match changes, can uncomment to add to results
  //$target_ip = array_distinct($network.target.ip)
  $principal_process_pid = array_distinct($network.principal.process.pid)
  $principal_process_command_line = array_distinct($network.principal.process.command_line)
  $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
  $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
  $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
  $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
  $target_process_pid = array_distinct($network.target.process.pid)
  $target_process_command_line = array_distinct($network.target.process.command_line)
  $target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
  $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
  $target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
  $target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
  $principal_user_userid = array_distinct($network.principal.user.userid)
  $target_user_userid = array_distinct($network.target.user.userid)

condition:
  $network
}
# tftest-file id=rule path=data/rules/network_traffic_to_specific_country.yaral
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.1/32
::1/128
fc00::/7
fe80::/10
# tftest-file id=reference path=data/reference_lists/private_ip_ranges.txt
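As an added example (not code from the module), the following Python check verifies the consistency the example above relies on before a plan is applied: every rules_config key has a matching .yaral file declaring the same rule name, and every reference list file parses according to its declared type. The allowed run_frequency set (HOURLY alongside the LIVE and DAILY shown on this page), the strict CIDR check and the in-memory stand-in for the data folder are assumptions.

```python
import ipaddress
import re

# Allowed run_frequency values: LIVE and DAILY appear on this page; HOURLY is
# assumed to be the third value Google SecOps accepts.
RUN_FREQUENCIES = {"LIVE", "HOURLY", "DAILY"}
RULE_HEADER = re.compile(r"^\s*rule\s+([A-Za-z_]\w*)\s*\{", re.MULTILINE)

# Constructed stand-ins for the example's data folder: path -> file content.
FILES = {
    "data/rules/network_traffic_to_specific_country.yaral":
        "rule network_traffic_to_specific_country {\n\nmeta:\n  type = \"alert\"\n",
    "data/reference_lists/private_ip_ranges.txt":
        "10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n127.0.0.1/32\n::1/128\nfc00::/7\nfe80::/10\n",
}
RULES_CONFIG = {"network_traffic_to_specific_country": {
    "enabled": True, "alerting": True, "archived": False, "run_frequency": "LIVE"}}
REFERENCE_LISTS_CONFIG = {"private_ip_ranges": {"description": "Private CIDR ranges", "type": "CIDR"}}

def validate(rules_config, reference_lists_config, files,
             rules_defs="data/rules", reference_lists_defs="data/reference_lists"):
    """Return a list of problems; an empty list means config and data folder agree."""
    problems = []
    for name, cfg in rules_config.items():
        # Each rules_config key needs a <key>.yaral file whose rule name matches the key.
        path = f"{rules_defs}/{name}.yaral"
        if path not in files:
            problems.append(f"rule {name}: missing {path}")
        else:
            m = RULE_HEADER.search(files[path])
            if not m or m.group(1) != name:
                problems.append(f"rule {name}: rule name in {path} does not match key")
        if cfg.get("run_frequency") not in RUN_FREQUENCIES:
            problems.append(f"rule {name}: bad run_frequency {cfg.get('run_frequency')!r}")
    for name, cfg in reference_lists_config.items():
        # Each reference list needs a <key>.txt file; CIDR and REGEX entries must parse.
        path = f"{reference_lists_defs}/{name}.txt"
        if path not in files:
            problems.append(f"reference list {name}: missing {path}")
            continue
        for entry in (l.strip() for l in files[path].splitlines() if l.strip()):
            try:
                if cfg["type"] == "CIDR":
                    # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8).
                    ipaddress.ip_network(entry, strict=True)
                elif cfg["type"] == "REGEX":
                    re.compile(entry)
            except (ValueError, re.error) as exc:
                problems.append(f"reference list {name}: bad entry {entry!r} ({exc})")
    return problems
```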

SecOps Rules Factory

The module includes a factory that configures rules and reference lists from YAML files. A single YAML file can define several rules (or several reference lists), using a structure that mirrors the rules_config and reference_lists_config variables. As in the previous example, the rule and reference list definitions live in the corresponding .yaral and .txt files in the data folder.

module "secops" {
  source        = "./fabric/modules/secops-rules"
  project_id    = var.project_id
  tenant_config = var.secops_tenant_config
  factories_config = {
    rules                = "./secops_rules.yaml"
    rules_defs           = "./data/rules"
    reference_lists      = "./secops_reference_lists.yaml"
    reference_lists_defs = "./data/reference_lists"
  }
}
# tftest modules=1 resources=3 files=1,2,reference,rule inventory=factory.yaml

network_traffic_to_specific_country:
  enabled: true
  alerting: true
  archived: false
  run_frequency: "DAILY"
# tftest-file id=1 path=secops_rules.yaml
private_ip_ranges:
  description: "Private CIDR ranges"
  type: CIDR # either CIDR, STRING, REGEX
# tftest-file id=2 path=secops_reference_lists.yaml
rule network_traffic_to_specific_country {

meta:
  author = "Google Cloud Security"
  description = "Identify network traffic based on target country"
  type = "alert"
  tags = "geoip enrichment"
  data_source = "microsoft windows events"
  severity = "Low"
  priority = "Low"

events:
  $network.metadata.event_type = "NETWORK_CONNECTION"
  //Specify a country of interest to monitor or add additional countries using an or statement
  $network.target.ip_geo_artifact.location.country_or_region = "France" nocase
  $network.target.ip = $ip

match:
  $ip over 30m

outcome:
  $risk_score = max(35)
  $event_count = count_distinct($network.metadata.id)

  // added to populate alert graph with additional context
  $principal_ip = array_distinct($network.principal.ip)

  // Commented out target.ip because it is already represented in graph as match variable. If match changes, can uncomment to add to results
  //$target_ip = array_distinct($network.target.ip)
  $principal_process_pid = array_distinct($network.principal.process.pid)
  $principal_process_command_line = array_distinct($network.principal.process.command_line)
  $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)
  $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)
  $principal_process_product_specific_process_id = array_distinct($network.principal.process.product_specific_process_id)
  $principal_process_parent_process_product_specific_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)
  $target_process_pid = array_distinct($network.target.process.pid)
  $target_process_command_line = array_distinct($network.target.process.command_line)
  $target_process_file_sha256 = array_distinct($network.target.process.file.sha256)
  $target_process_file_full_path = array_distinct($network.target.process.file.full_path)
  $target_process_product_specific_process_id = array_distinct($network.target.process.product_specific_process_id)
  $target_process_parent_process_product_specific_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)
  $principal_user_userid = array_distinct($network.principal.user.userid)
  $target_user_userid = array_distinct($network.target.user.userid)

condition:
  $network
}
# tftest-file id=rule path=data/rules/network_traffic_to_specific_country.yaral
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.1/32
::1/128
fc00::/7
fe80::/10
# tftest-file id=reference path=data/reference_lists/private_ip_ranges.txt

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| project_id | Project used for resources. | string | ✓ | |
| tenant_config | SecOps Tenant configuration. | object({…}) | ✓ | |
| factories_config | Paths to the YAML config files in the 'rules' and 'reference_lists' keys, and paths to the folders containing rule definitions (yaral files) and reference list content (txt files) in the corresponding _defs keys. | object({…}) | | {} |
| reference_lists_config | SecOps Reference lists configuration. | map(object({…})) | | {} |
| rules_config | SecOps Detection rules configuration. | map(object({…})) | | {} |