hunfabric/fast/stages/3-secops-dev

SecOps Stage

This stage allows automated configuration of a SecOps instance at both infrastructure and application level. The following diagram illustrates the high-level design.

[Diagram: SecOps stage high-level design]

Design overview and choices

The general idea behind this stage is to configure a single SecOps instance for a specific environment, using native Terraform resources where available and the restful_resource provider to interact with the newer SecOps APIs.

Some high level features of this stage are:

  • API/Services enablement
  • Data RBAC configuration with labels and scopes
  • IAM setup for the SecOps instance based on Cloud Identity groups or WIF (with support for Data RBAC)
  • Detection Rules and reference lists management via Terraform (leveraging the secops-rules module)
  • API Key setup for Webhook feeds
  • Integration with Workspace for alert and log ingestion via SecOps Feeds

How to run this stage

If this stage is deployed within a FAST-based GCP organization, we recommend executing it after foundational FAST stage-2 components like networking and security. This is the recommended flow as specific features in this stage might depend on configurations from these earlier stages. Although this stage can be run independently, instructions for such a standalone setup are beyond the scope of this document.

FAST prerequisites

This stage needs specific automation resources, and permissions granted on those resources that allow it to manage selected IAM roles on specific networking and security resources.

Network permissions are needed to associate projects with Shared VPC hosts and to grant the Network User role on managed service accounts.

Security permissions are only needed when using CMEK encryption, to grant the relevant IAM roles to service agents on the encryption keys used.

Customizations

This stage is designed with a few basic integrations provided out of the box, which can be customized as described in the following sections.

Data RBAC

This stage supports configuration of SecOps Data RBAC using two separate variables:

  • secops_data_rbac_config: specifies Data RBAC labels and scopes in Google SecOps
  • secops_iam: defines the SecOps IAM configuration in {PRINCIPAL => {roles => [ROLES], scopes => [SCOPES]}} format, referencing previously defined scopes. When scopes is populated, an IAM condition restricts the principal's access to those scopes; an empty scopes list results in an unconditional binding.

An example Data RBAC configuration is shown below.

secops_data_rbac_config = {
  labels = {
    google = {
      description = "Google logs"
      label_id    = "google"
      udm_query   = "principal.hostname=\"google.com\""
    }
  }
  scopes = {
    google = {
      description = "Google logs"
      scope_id    = "gscope"
      allowed_data_access_labels = [{
        data_access_label = "google"
      }]
    }
  }
}
secops_iam = {
  "user:bruzzechesse@google.com" = {
    roles  = ["roles/chronicle.editor"]
    scopes = ["gscope"]
  }
}
# tftest skip
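The IAM bindings above only restrict access when every scope they reference actually exists, so a pre-apply consistency check is worth running. The following is an added example (not code from the stage or the fabric repository); it assumes the two variables have been loaded into plain Python dicts mirroring the HCL, that IAM scopes reference scope_id values (not the map keys) and that allowed_data_access_labels reference label_id values, as in the example.

```python
# Cross-check Data RBAC scope/label references before terraform apply.
# Added example; the input shapes mirror the HCL variables shown above.


def check_data_rbac(data_rbac_config: dict, iam: dict) -> list[str]:
    """Return findings as 'error: ...' / 'warn: ...' strings (empty = consistent)."""
    labels = data_rbac_config.get("labels", {})
    scopes = data_rbac_config.get("scopes", {})
    label_ids = {lbl["label_id"] for lbl in labels.values()}
    scope_ids = {scp["scope_id"] for scp in scopes.values()}
    findings = []
    # A scope may only allow labels defined in the same configuration.
    for key, scp in scopes.items():
        for entry in scp.get("allowed_data_access_labels", []):
            lbl = entry["data_access_label"]
            if lbl not in label_ids:
                findings.append(f"error: scope '{key}' allows undefined label '{lbl}'")
    # Scoped principals must reference scope_id values; an empty scopes list
    # yields an unconditional binding, so surface it for review.
    for principal, binding in iam.items():
        binding_scopes = binding.get("scopes") or []
        for scope in binding_scopes:
            if scope not in scope_ids:
                findings.append(
                    f"error: principal '{principal}' references undefined scope '{scope}'")
        if not binding_scopes:
            findings.append(
                f"warn: principal '{principal}' has no scopes; binding is unconditional")
    return findings


# Constructed sample: the page's label/scope pair plus two extra bindings, one
# unscoped admin group and one binding that mistakenly uses the scope map key
# ("google") instead of its scope_id ("gscope").
SAMPLE_DATA_RBAC = {
    "labels": {"google": {"description": "Google logs", "label_id": "google",
                          "udm_query": 'principal.hostname="google.com"'}},
    "scopes": {"google": {"description": "Google logs", "scope_id": "gscope",
                          "allowed_data_access_labels": [{"data_access_label": "google"}]}},
}
SAMPLE_IAM = {
    "user:analyst@example.com": {"roles": ["roles/chronicle.editor"], "scopes": ["gscope"]},
    "group:secops-admins@example.com": {"roles": ["roles/chronicle.admin"], "scopes": []},
    "user:typo@example.com": {"roles": ["roles/chronicle.viewer"], "scopes": ["google"]},
}

if __name__ == "__main__":
    for finding in check_data_rbac(SAMPLE_DATA_RBAC, SAMPLE_IAM):
        print(finding)
```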

SecOps rules and reference list management

This stage leverages the secops-rules module for automated deployment of SecOps rules and reference lists via Terraform.

By default, the stage will try to deploy the sample rules and reference lists available in the rules and reference_lists folders, according to the configuration files secops_rules.yaml and secops_reference_lists.yaml.

The configuration can be updated via the factories_config variable as described in the secops-rules module README.md.

Google Workspace integration

The stage supports automatic integration of Google Workspace as a SecOps source leveraging SecOps Feeds integration.

Integration is enabled via the workspace_integration_config variable as per the following sample:

workspace_integration_config = {
  delegated_user        = "secops-feed@..."
  workspace_customer_id = "CXXXXXXX"
}
# tftest skip

Here delegated_user is the email of the user created in Cloud Identity following the configuration instructions available here.

Note that the Service Account Client ID needed during domain-wide delegation setup is available in the service account key stored in Secret Manager.

Files

| name | description | modules | resources |
|---|---|---|---|
| main.tf | Module-level locals and resources. | project · secops-rules | google_apikeys_key |
| outputs.tf | Module outputs. | | google_storage_bucket_object |
| providers-override.tf | None | | |
| secops-providers.tf | None | | |
| secops.tf | None | | google_chronicle_data_access_label · google_chronicle_data_access_scope |
| secrets.tf | None | secret-manager | |
| variables-fast.tf | None | | |
| variables.tf | Module variables. | | |
| workspace.tf | None | iam-service-account | google_service_account_key · restful_resource |

Variables

| name | description | type | required | default | producer |
|---|---|---|---|---|---|
| automation | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-org-setup |
| prefix | Prefix for organization projects. | string | ✓ | | 0-org-setup |
| tenant_config | SecOps Tenant configuration. | object({…}) | ✓ | | |
| billing_account | Billing account id. If the billing account is not part of the same org, set is_org_level to false. | object({…}) | | {} | 0-org-setup |
| context | Context-specific interpolations. | object({…}) | | {} | |
| custom_roles | Custom roles defined at the org level, in key => id format. | map(string) | | {} | 0-org-setup |
| data_rbac_config | SecOps Data RBAC scope and labels config. | object({…}) | | {} | |
| factories_config | Paths to YAML config expected in 'rules' and 'reference_lists'. Path to folders containing rules definitions (yaral files) and reference lists content (txt files) for the corresponding _defs keys. | object({…}) | | {…} | |
| folder_ids | Folders created in the bootstrap stage. | map(string) | | {} | 0-org-setup |
| iam | SecOps IAM configuration in {PRINCIPAL => {roles => [ROLES], scopes => [SCOPES]}} format. | map(object({…})) | | {} | |
| iam_default | Groups ID in IdP assigned to SecOps admins, editors, viewers roles. | object({…}) | | {} | |
| iam_principals | IAM-format principals. | map(string) | | {} | 0-org-setup |
| kms_keys | KMS key ids. | map(string) | | {} | 2-security |
| parent_folder | Folder to use for the created project. | string | | "$folder_ids:secops/dev" | |
| project_id | Project id for the newly created project, or id of the existing project if project_create is false. | string | | "dev-secops-core-0" | |
| project_ids | Projects created in the bootstrap stage. | map(string) | | {} | 0-org-setup |
| project_reuse | Whether to use an existing project. | map(string) | | null | |
| region | Google Cloud region definition for resources. | string | | "europe-west8" | |
| stage_config | FAST stage configuration used to find resource ids. Must match the name defined for the stage in resource management. | object({…}) | | {…} | |
| workspace_integration_config | SecOps Feeds configuration for Workspace logs and entities ingestion. | object({…}) | | null | |

Outputs

| name | description | sensitive | consumers |
|---|---|---|---|
| project_id | SecOps project id. | | |