{"id":512,"date":"2024-09-22T07:32:23","date_gmt":"2024-09-22T07:32:23","guid":{"rendered":"https:\/\/www.seclink.info\/?p=512"},"modified":"2024-09-28T02:19:09","modified_gmt":"2024-09-28T02:19:09","slug":"complete-detection-as-code-dac-in-1-hour-with-detailed-steps","status":"publish","type":"post","link":"https:\/\/www.seclink.info\/cn\/complete-detection-as-code-dac-in-1-hour-with-detailed-steps\/","title":{"rendered":"Complete Detection-as-Code (DAC) in 1 Hour – with Detailed Steps"},"content":{"rendered":"

<\/span>Introduction<\/span><\/span><\/h1>\n

DAC<\/strong>((D<\/strong>etection A<\/strong>s C<\/strong>ode), detection is a strategic method that seamlessly integrates the security detection mechanism into the life cycle of software development. By considering security control as a code, the organization can automatically deploy, configure and maintain security measures throughout the SIEM operation and maintenance process.<\/p>\n

Perhaps many people have heard of the concept of DAC, but have not been realized step by step. This article guides you to use Sigma rules, gitlab Ci\/CD and SPLUNK deployment detection, which is the code pipeline.<\/p>\n

do not be afraid! If you plan to build a pipeline that detects the code in accordance with the content demonstrated herein, you only need to have a basic understanding of Docker, Gitlab, Git, Python, Sigma Rules, and YAML.<\/p>\n

Let’s start!<\/p>\n

<\/span>Related concept<\/span><\/span><\/h1>\n

<\/span>Sigma and Sigmac<\/strong><\/span><\/span><\/h2>\n 
<\/span>title:<\/span> Ingress\/Egress<\/span> \u5b89\u5168<\/span> Group<\/span> Modification<\/span>
id:<\/span> 6fb77778-040f-4015-9440-572aa9b6b580<\/span>
status:<\/span> test<\/span>
description:<\/span> |
    Detects when an account makes changes to the ingress or egress rules of a security group.
    This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC\/Subnet to contact a C&C server.
<\/span>references:<\/span>
    -<\/span> https:\/\/www.gorillastack.com\/blog\/real-time-events\/important-aws-cloudtrail-security-events-tracking\/<\/span>
author:<\/span> jamesc-grafana<\/span>
date:<\/span> 2024<\/span>-07<\/span>-11<\/span>
tags:<\/span>
    -<\/span> attack.initial-access<\/span>
    -<\/span> attack.t1190<\/span>
logsource:<\/span>
    product:<\/span> aws<\/span>
    service:<\/span> cloudtrail<\/span>
detection:<\/span>
    selection:<\/span>
        eventSource:<\/span> 'ec2.amazonaws.com'<\/span>
        eventName:<\/span>
            -<\/span> 'AuthorizeSecurityGroupEgress'<\/span>
            -<\/span> 'AuthorizeSecurityGroupIngress'<\/span>
            -<\/span> 'RevokeSecurityGroupEgress'<\/span>
            -<\/span> 'RevokeSecurityGroupIngress'<\/span>
    condition:<\/span> selection<\/span>
falsepositives:<\/span>
    -<\/span> New<\/span> VPCs<\/span> and<\/span> Subnets<\/span> being<\/span> setup<\/span> requiring<\/span> a<\/span> different<\/span> security<\/span> profile<\/span> to<\/span> those<\/span> already<\/span> defined<\/span>
    -<\/span> A<\/span> single<\/span> port<\/span> being<\/span> opened<\/span> for<\/span> a<\/span> \u5168\u65b0<\/span> service<\/span> that<\/span> is<\/span> known<\/span> to<\/span> be<\/span> deploying<\/span>
    -<\/span> Administrators<\/span> closing<\/span> unused<\/span> ports<\/span> to<\/span> reduce<\/span> the<\/span> attack<\/span> surface<\/span>
level:<\/span> medium<\/span>
<\/code><\/pre>\n    
Sigma rule example\n    ;<\/p>\n    
Sigma is an open source project that defines the standard for developing detection content and unrelated formats that are not related to suppliers. These rules are written in structured YAML format for human and systematic use. For my “detection is the code” pipe, I chose to use Sigma to create the detection content. The reason is as follows<\/p>\n    
Scalability:<\/strong> A SIGMA rule can be deployed to many discrete SIEM, EDR, NDR, XDR, and any “DR”.<\/p>\n    
Shared:<\/strong> sigma rules can easily share with other organizations or receive from other organizations.<\/p>\n    
Simple:<\/strong> threat detection analysts only need to master the standard for creating test content.<\/p>\n    
The SIGMA project includes Sigmac, which is a powerful Python command line tool that can use “back -end” to convert Sigma rules for controls such as SPLUNK, DEVO, ELK, and CrowDStrike. Create a custom back end for almost any detection control of detection logic.<\/p>\n    
In the pipeline of this article, we will use Sigmac to convert Sigma rules into Splunk -friendly SPL corresponding items.<\/p>\n    
<\/span>Pipe infrastructure<\/strong><\/span><\/span><\/h2>\n    
In order to build a pipeline, we will configure the following three Docker containers and a Docker network called “DACNET” to provide version control, CI\/CD, SIEM infrastructure, and connections between them:<\/p>\n    
    \n    
  1. gitlab<\/strong>: Gitlab community vector. I will use it as VCS to detect content and supervise the CI\/CD pipeline.<\/p>\n    <\/section><\/li>
  2. gitlab-runner<\/strong>: Gitlab operator container for running CI\/CD pipelines. This will be used to use additional Docker containers to build and deploy detection content.<\/p>\n    <\/section><\/li>
  3. splunk<\/strong>: SPLUNK search head and indexer, installed the Splunk Botsv3 data set at runtime. This will be used as SIEM. I will use the BOTSV3 dataset to demonstrate the creation and data source configuration of the SIGMA rule.<\/p>\n    <\/section><\/li><\/ol>\n    
    <\/span>Construction and configuration<\/span><\/span><\/h1>\n    
    <\/span>Docker<\/strong><\/span><\/span><\/h2>\n    
    I made the following docker-compose.yml file to help me use Docker Compose to dynamically build infrastructure:<\/p>\n    
    <\/span>version:<\/span> '3'<\/span>

    networks:<\/span>
      dacnet:<\/span> 
        external:<\/span> true<\/span>
        name:<\/span> dacnet<\/span>

    services:<\/span>
        gitlab:<\/span>
            networks:<\/span>
                dacnet:<\/span>
                    aliases:<\/span>
                        -<\/span> gitlab<\/span>
            ports:<\/span>
                -<\/span> '443:443'<\/span>
                -<\/span> '80:80'<\/span>
                -<\/span> '222:22'<\/span>
            hostname:<\/span> gitlab<\/span>    
            environment:<\/span>
                GITLAB_OMNIBUS_CONFIG:<\/span> |
                    external_url 'http:\/\/gitlab'
                    gitlab_rails['initial_root_password']='$DEFAULT_PASSWORD'
    <\/span>        container_name:<\/span> gitlab-dac<\/span>
            image:<\/span> 'gitlab\/gitlab-ce:latest'<\/span>
        gitlab-runner:<\/span>
            networks:<\/span>
                dacnet:<\/span>
                    aliases:<\/span>
                            -<\/span> gitlab-runner<\/span>
            ports:<\/span>
                -<\/span> '81:80'<\/span>
            hostname:<\/span> gitlab-runner<\/span>
            container_name:<\/span> gitlab-runner-dac<\/span>
            restart:<\/span> always<\/span>
            volumes:<\/span>
                -<\/span> '\/srv\/gitlab-runner\/config:\/etc\/gitlab-runner'<\/span>
                -<\/span> '\/var\/run\/docker.sock:\/var\/run\/docker.sock'<\/span>
            image:<\/span> 'gitlab\/gitlab-runner:latest'<\/span>
        splunk:<\/span>
            networks:<\/span> 
                dacnet:<\/span>
                    aliases:<\/span>
                        -<\/span> splunk<\/span>
            ports:<\/span>
                -<\/span> '8000:8000'<\/span>
                -<\/span> '8089:8089'<\/span>
            hostname:<\/span> splunk<\/span>
            container_name:<\/span> splunk-dac<\/span>
            environment:<\/span>
                -<\/span> SPLUNK_START_ARGS=--accept-license<\/span>
                -<\/span> SPLUNK_PASSWORD=$DEFAULT_PASSWORD<\/span>
                -<\/span> SPLUNK_APPS_URL=https:\/\/botsdataset.s3.amazonaws.com\/botsv3\/botsv3_data_set.tgz<\/span>
            container_name:<\/span> splunk-dac<\/span>
            image:<\/span> 'splunk\/splunk:latest'<\/span>
    <\/code><\/pre>\n    
    To deploy it with docker-compose.yml file, first create a.env file under the current path<\/p>\n    
    <\/span>DEFAULT_PASSWORD=****  ****  **** #\u8bbe\u7f6egitlab\u548csplunk\u521d\u59cb\u5bc6\u7801<\/span>
    EXTERNAL_URL=http:\/\/192.168.1.1 #\u4fee\u6539ip\u5730\u5740\u4e3a\u5bbf\u4e3b\u673a\u5185\u7f51ip<\/span>
    <\/code><\/pre>\n    
    After the creation of .env files, run Docker Network Create -Driver Bridge Dacnet to create a DACNET network<\/p>\n    
    Run the Docker Compose Up -D and wait for the image to draw the creation container.<\/p>\n    
    <\/figure>\n    
    <\/span>Gitlab runner<\/strong><\/span><\/span><\/h2>\n    
    The Gitlab running program needs to be registered in the Gitlab CE before it can be used in the CI\/CD pipeline. In Gitlab UI, create Runner, TAG can be set to docker<\/p>\n    
    <\/figure>\n    
    Use the page steps to use Docker EXEC-IT Gitlab-Runner Bash into Gitlab-Runner-DAC container<\/p>\n    
    <\/figure>\n    
    After the container registration is complete<\/p>\n    
    <\/figure>\n    
    Gitlab configuration\n    Turn on Github Import for it to then import the project from github<\/p>\n    
    <\/figure>\n    
    <\/span>Version control<\/strong><\/span><\/span><\/h2>\n    
    Fork https:\/\/github.com\/infosecb\/detection-as-code This project to personal Github, import the project through Personal Access Token\n    The project is the basis for the detection content CI\/CD pipeline and VCS. The following is the rapid decomposition of the structure of the project:<\/p>\n    
    <\/figure>\n    
      \n    
    • \/TA-DAC: Includes the core template file required when constructing and packing Splunk technology additional components (TA). In this example, I will build a TA called TA-DAC.<\/section><\/li>
    • \/Config: Contains Sigma data source configuration and mapping files. These files establish the relationship between Sigma data source and detection control data sources. In this example, I created a mapping configuration called “Splunk-Dac.yml”, which mapped the Botsv3 Powershell log index, source type, and field mapping to the appropriate Sigma data source.<\/section><\/li>
    • \/Rules: Includes the SIGMA rules stored in the .yml format. The threat detection team can create, update and depreciate the inspection content here.<\/section><\/li>
    • \/scripts: Three scripts containing CI\/CD pipelines used to build and deploy detection content. I will study these scripts in the next section.<\/section><\/li>
    • .gitLab-Ci.yml: Gitlab Ci\/CD configuration file, instructing how the Gitlab running program builds and deploys detection content. I will also introduce the file in detail in the next section.\n    Everything else: PIPENV\/PIPENV.LOCK files are used by PIPENV to install the Python package and its dependencies required in CI\/CD operations. The docker-compose.yml file contains the same code I shared in the pipe architecture part above. Readme.md files include the title and basic description of the GitLab project, as well as. Gitignore told Git to ignore which files\/folders to be ignored during the local development.<\/section><\/li><\/ul>\n    
      Gitlab CI and scripts\n    The Gitlab CI provides an environment for construction, testing and deployment of any type of software. To create a CI\/CD pipeline in Gitlab, the .gitLab-Ci.yml configuration file must be created in the project. This is the configuration I created. I explained this in the interpretation of the interpretation:<\/p>\n    
      <\/span>### Define two seperate jobs for CI\/CD pipeline.<\/span>
      stages:<\/span>
        ### The build job runs anytime a user commits code<\/span>
        -<\/span> build<\/span>
        ### The release job only runs when the main branch is tagged with a version<\/span>
        -<\/span> release<\/span>
        
      build:<\/span>
        ### Sigmac requires Python 3.8, specify the appropriate Docker image<\/span>
        image:<\/span> python:3.8<\/span>
        ### Identify build stage<\/span>
        stage:<\/span> build<\/span>
        ### Install Pipenv, Python dependencies and the Splunk Packaging toolkit.<\/span>
        before_script:<\/span>
          -<\/span> pip<\/span> install<\/span> pipenv<\/span>
          -<\/span> pipenv<\/span> install<\/span>
          -<\/span> wget<\/span> https:\/\/download.splunk.com\/misc\/packaging-toolkit\/splunk-packaging-toolkit-1.0.1.tar.gz<\/span>
          -<\/span> pipenv<\/span> install<\/span> splunk-packaging-toolkit-1.0.1.tar.gz<\/span>
        script:<\/span>
          ### Run Sigmac against all rules in the \/rules folder that have been set to status=stable. <\/span>
          ### Outputs to the out.yaml file with the resulting search logic and a few Sigma fields.<\/span>
          -<\/span> pipenv<\/span> run<\/span> sigmac<\/span> --filter<\/span> 'status=stable'<\/span> --target<\/span> splunk<\/span> --config<\/span> config\/splunk-dac.yml<\/span>  --output-format<\/span> yaml<\/span> --output<\/span> out.yaml<\/span> --output-fields<\/span> title,id,status,author,tags<\/span> --recurse<\/span> rules\/<\/span>
          ### Run script that converts the Sigmac produced .yml to Splunk saved search stanzas in savedsearch.conf.<\/span>
          -<\/span> pipenv<\/span> run<\/span> python<\/span> scripts\/convert_yml_to_search.py<\/span>
          ### Copies the savedsearch.conf to the appropriate Splunk TA folder<\/span>
          -<\/span> cp<\/span> savedsearches.conf<\/span> TA-dac\/default<\/span>
          ### Sets the TA version based on either tag version number or \"0.0.1\" if run by an untagged Git commit.<\/span>
          -<\/span> pipenv<\/span> run<\/span> python<\/span> scripts\/set_version.py<\/span> --file<\/span> \"TA-dac\/default\/app.conf\"<\/span> --version<\/span> \"${CI_COMMIT_TAG}\"<\/span> 
          ### Runs the splunk-sdk slim utility to package the Splunk TA.<\/span>
          -<\/span> pipenv<\/span> run<\/span> slim<\/span> package<\/span> TA-dac<\/span>
        artifacts:<\/span>
          ### Specify the output files as artifacts that can be retrieved in release job<\/span>
          ### or downloaded via the Gitlab UI<\/span>
          paths:<\/span>
            -<\/span> out.yaml<\/span>
            -<\/span> savedsearches.conf<\/span>
            -<\/span> 'TA-dac-*.tar.gz'<\/span>
        tags:<\/span> 
          ### Tag job as \"docker\" to call the Docker Gitlab runner<\/span>
          -<\/span> docker<\/span>
          
      release:<\/span>
        ### Run on latest python Docker image<\/span>
        image:<\/span> python:latest<\/span>
        ### Identify as release stage<\/span>
        stage:<\/span> release<\/span>
        before_script:<\/span>
          ### Install the Python splunk-sdk library for use by deploy_splunk_package.py script<\/span>
          -<\/span> pip<\/span> install<\/span> splunk-sdk<\/span>
        script:<\/span>
          ### Upload the TA to Gitlab packages<\/span>
          -<\/span> 'curl --header \"JOB-TOKEN: $CI_JOB_TOKEN\" --upload-file TA-dac-${CI_COMMIT_TAG}.tar.gz \"${CI_API_V4_URL}\/projects\/${CI_PROJECT_ID}\/packages\/generic\/TA-dac\/${CI_COMMIT_TAG}\/TA-dac-${CI_COMMIT_TAG}.tar.gz\"'<\/span>
          ### Run the deploy_splunk_package.py to install the new TA-dac TA<\/span>
          -<\/span> python<\/span> scripts\/deploy_splunk_package.py<\/span> --url<\/span> \"${CI_API_V4_URL}\/projects\/${CI_PROJECT_ID}\/packages\/generic\/TA-dac\/${CI_COMMIT_TAG}\/TA-dac-${CI_COMMIT_TAG}.tar.gz\"<\/span> --user<\/span> \"$ENV_USERNAME\"<\/span> --password<\/span> \"$ENV_PASSWORD\"<\/span> --host<\/span> \"$ENV_HOST\"<\/span> --port<\/span> $ENV_PORT<\/span>
        rules:<\/span>
          ### Restrict this job to only run when the main branch is tagged<\/span>
          -<\/span> if:<\/span> '$CI_COMMIT_BRANCH == \"main\" && $CI_COMMIT_TAG'<\/span>
        tags:<\/span>
          ### Tag job as \"docker\" to call the Docker Gitlab runner<\/span>
          -<\/span> docker<\/span>
      <\/code><\/pre>\n    
      Build a script\n    SIGMAC converts the SIGMA rule logic with Splunk Spl query and outputs an Out.yaml file, which contains generated query and several other fields we will use in Splunk TA.<\/p>\n    
      Then, Convert_yml_TO_SEARCH.PY converted the sigmac out.yaml file into a search section saved by Splunk and output the SAVINGSEARCHES.CONF file. In this example, the saved search configuration is to generate the built -in “alert” of Splunk, but its function is very limited. The search configuration that can be easily adjusted can be easily adjusted to create a significant event of the SPLUNK ES or call an event in the downstream systems such as Soar via API.<\/p>\n    
      <\/span>import<\/span> yaml
      import<\/span> os
      import<\/span> glob
      from<\/span> jinja2 import<\/span> Template


      ss_template = \"\"\"
      [{{ title }}]
      alert.expires = 5m
      alert.suppress = 1
      alert.suppress.period = 60m
      alert.track = 1
      counttype = number of events
      cron_schedule = {{ cron }}
      description = Detects a second malicious IP.
      enableSched = 1
      quantity = 0
      relation = greater than
      search = {{ search }}

       \"\"\"<\/span>


      def<\/span> priority_to_cron<\/span>(priority)<\/span>:<\/span>
          if<\/span> priority == \"low\"<\/span>:
              return<\/span> \"0 *\/4 * * *\"<\/span> 
          elif<\/span> priority == \"high\"<\/span>:
              return<\/span> \"*\/15 * * * *\"<\/span> 
          elif<\/span> priority == \"critical\"<\/span>:
              return<\/span> \"*\/5 * * * *\"<\/span> 
          else<\/span>:
              return<\/span> \"0 * * * *\"<\/span> 


      t = Template(ss_template)

      savedsearch_content = \"\"<\/span> 

      rules = yaml.safe_load(open(\"out.yaml\"<\/span>))
      for<\/span> rule in<\/span> rules:
          if<\/span> rule[\"status\"<\/span>] == \"stable\"<\/span>:
              print(\"Creating alert for \"<\/span> + rule[\"title\"<\/span>])
              savedsearch_content += t.render(
                  title=rule[\"title\"<\/span>], search=rule[\"rule\"<\/span>][0<\/span>], cron=priority_to_cron(\"normal\"<\/span>)
              )
          else<\/span>:
              print(
                  'The rule \"'<\/span>
                  + rule[\"title\"<\/span>]
                  + '\" status is set to '<\/span>
                  + rule[\"status\"<\/span>]
                  + \", skipping.\"<\/span> 
              )

      f = open(\"savedsearches.conf\"<\/span>, \"w\"<\/span>)
      f.write(savedsearch_content)
      f.close()
      <\/code><\/pre>\n    
      Set_version.py is used to update the version number contained in the App.conf Splunk TA file.<\/p>\n    
      <\/span>import<\/span> argparse
      import<\/span> re


      def<\/span> set_version<\/span>(conf_file, version)<\/span>:<\/span>
          if<\/span> version == \"\"<\/span>:
              version = \"0.0.1\"<\/span> 
          elif<\/span> re.match(\".*(\\d)+\\.(\\d)+\\.(\\d)+.*\"<\/span>, version):
              version = (re.search(\"(\\d)+\\.(\\d)+\\.(\\d)+\"<\/span>, version)).group()
          else<\/span>:
              print(\"An invalid version number was tagged \"<\/span> + version)
              exit(1<\/span>)
          print(\"Updating app.conf file with version number: \"<\/span> + version)
          with<\/span> open(conf_file, \"r\"<\/span>) as<\/span> file:
              lines = file.readlines()
          with<\/span> open(conf_file, \"w\"<\/span>) as<\/span> file:
              for<\/span> line in<\/span> lines:
                  file.write(re.sub(r \"VERSION\"<\/span>, version, line))
          with<\/span> open(\".env\"<\/span>, \"w\"<\/span>) as<\/span> env_file:
              env_file.write(f'export VERSION=\"{version}<\/span>\"'<\/span>)
          file.close()


      def<\/span> main<\/span>()<\/span>:<\/span>
          parser = argparse.ArgumentParser()
          parser.add_argument(\"--file\"<\/span>, type=str)
          parser.add_argument(\"--version\"<\/span>, type=str)
          args = parser.parse_args()
          set_version(args.file, args.version)


      if<\/span> __name__ == \"__main__\"<\/span>:
          main()
      <\/code><\/pre>\n    
      The SPLUNK-SDK Slim Package command is used to build and generate TA .pkg files.\n    Publish work script\n    Finally, deploy_splunk_package.py script interacts with the Splunk Rest API to upload and install the latest version of TA during the deployment stage of the pipeline.<\/p>\n    
      <\/span>from<\/span> logging import<\/span> error
      import<\/span> splunklib.client as<\/span> client
      import<\/span> os
      import<\/span> argparse


      def<\/span> upload_ta<\/span>(url, user, password, host, port)<\/span>:<\/span>
          service = client.connect(
              host=host, port=port, username=user, password=password, verify=False<\/span>
          )
          service.post(path_segment=\"apps\/local\"<\/span>, filename=True<\/span>, name=url, update=True<\/span>)
          service.logout()


      def<\/span> main<\/span>()<\/span>:<\/span>
          parser = argparse.ArgumentParser()
          parser.add_argument(\"--url\"<\/span>, type=str)
          parser.add_argument(\"--user\"<\/span>, type=str)
          parser.add_argument(\"--password\"<\/span>, type=str)
          parser.add_argument(\"--host\"<\/span>, type=str)
          parser.add_argument(\"--port\"<\/span>, type=str)
          args = parser.parse_args()
          upload_ta(args.url, args.user, args.password, args.host, args.port)


      if<\/span> __name__ == \"__main__\"<\/span>:
          main()
      <\/code><\/pre>\n    
      Detective content creation workflow\n    Before creating a workflow, you need to modify the pipFile<\/p>\n    
      <\/span>[[source]]<\/span>
      url<\/span> =<\/span> \"https:\/\/pypi.org\/simple\"<\/span> 
      verify_ssl<\/span> =<\/span> true<\/span>
      name<\/span> =<\/span> \"pypi\"<\/span> 

      [packages]<\/span>
      sigmatools<\/span> =<\/span> \"0.20\"<\/span> 
       \"ruamel.yaml\"<\/span> =<\/span> \"0.16\"<\/span> 
      jinja2<\/span> =<\/span> \"*\"<\/span> 

      [dev-packages]<\/span>
      black<\/span> =<\/span> \"*\"<\/span> 

      [requires]<\/span>
      python_version<\/span> =<\/span> \"3.8\"<\/span> 

      [pipenv]<\/span>
      allow_prereleases<\/span> =<\/span> true<\/span>

      <\/code><\/pre>\n    
      Modify the rules in the .gitLab-Ci.yml.<\/p>\n    
      <\/span>  rules:<\/span>
          -<\/span> if:<\/span> $CI_COMMIT_BRANCH<\/span> ==<\/span> \"main\"<\/span>  

      <\/code><\/pre>\n    
      Threat testing team personnel can now create, review and deploy new content in accordance with simple procedures. In this example, I will run the same examples used in the server -free detection pipe: detect the use of PowerShell coding and hidden commands.<\/p>\n    
      <\/span>Verify<\/span><\/span><\/h1>\n    
      <\/span>Run<\/strong><\/span><\/span><\/h2>\n    
        \n    
      1. Create a gitlab issue for mergers and associated requests in the “Detection As Code” project.<\/p>\n    <\/section><\/li>
      2. Create the SIGMA rules on the new branch .yml, and the merger request was marked as “ready” after completion. Each time it is submitted to the project, no matter what the branch is submitted, “build” operations. If there is a problem with the detection content, the homework will fail and output errors.\n    <\/p>\n    <\/section><\/li>
      3. After the new rules are completed, trigger the BUILD JOB\n    <\/p>\n    <\/section><\/li>
      4. Create a new merger request after the operation of Build Job successfully operated\n    <\/p>\n    <\/section><\/li>
      5. The team members conducted a peer review of the detection content, and then comment and edit them as needed. After the review and consent, it is merged into the main branch.\n    <\/p>\n    <\/section><\/li>
      6. The first run of PIPELINE needs to configure the variable when running, namely the Splunk address, password, port, user name. When adding a password, you need to configure Masked to facilitate the mask in the JOB log. The port is the Splunk API port 8089.\n    <\/p>\n    <\/section><\/li><\/ol>\n    
        <\/span>Notice<\/strong><\/span><\/span><\/h2>\n    
        The lack of running variables when running the first runtime will cause the push task to fail.<\/p>\n    
        \n    Splunk address, password, port, user name configuration reappear the task after completion.<\/p>\n    
        <\/figure>\n    
        After running successfully, log in to Splunk for viewing. You can see that Splunk has created a new alarm rule.<\/p>\n    
        <\/figure>\n    
        Open in the search, you can see the log content that has matched the detection rules.<\/p>\n    
        <\/figure>\n    
        <\/span>Conclusion<\/span><\/span><\/h1>\n    
        Although this example pipeline demonstrates the basic functions of the construction and publishing detection content, it still has many shortcomings. Gitlab CI\/CD provides more functions to run effective “detection is code” pipeline. You can create some additional pipeline operations for continuous review of testing, document records, and test content:<\/p>\n    
          \n    
        • Automation SIGMA and Splunk TA test: In order to ensure high -quality content and CI\/CD pipelines running smoothly, testing should be created to check the effectiveness of SIGMA rules and SPLUNK TA.<\/p>\n    <\/section><\/li>
        • Automation document: The important part of the detection content document can be included in each SIGMA rule. This creates an opportunity to automatically generate documents in the CI\/CD pipeline by writing the creation script of the .md or .st files.<\/p>\n    <\/section><\/li>
        • Continuous review and testing content: Ci\/CD pipes can be created to mark outdated detection content to review the new GitLab problem.<\/p>\n    <\/section><\/li><\/ul>\n    
          <\/span>Reference document<\/span><\/span><\/h1>\n    
          Serverless detection pipeline<\/strong>(https:\/\/infoscb.medium.com\/building-a- serverless-detection-platform-in -AWS–I-Endpoint-DETECTL<\/p>\n    
          Practical detection-as-code<\/strong><\/p>\n    
          detection-as-code<\/strong>(https:\/\/github.com\/infosecb\/detection- as-code)<\/p>\n    <\/section>","protected":false},"excerpt":{"rendered":"
          Introduction DAC((Detection As Code), detection is a strategic method that seamlessly integrates the security detection mechanism into the life cycle of software development. By considering security control as a code, the organization can automatically deploy, configure and maintain security measures throughout the SIEM operation and maintenance process. Perhaps many people have heard of the concept of DAC, but have not been realized step by step. This article guides you to use Sigma rules, gitlab Ci\/CD and SPLUNK deployment detection, which is the code pipeline. do not be afraid! If you plan to build a pipeline that detects the code in accordance with the content demonstrated herein, you only need to have a basic understanding of Docker, Gitlab, Git, Python, Sigma…<\/p>","protected":false},"author":1,"featured_media":520,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[12,9,15,13,11],"class_list":["post-512","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techniques","tag-dac","tag-siem","tag-sigma","tag-splunk","tag-threat-blog"],"_links":{"self":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts\/512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/comments?post=512"}],"version-history":[{"count":6,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts\/512\/revisions"}],"predecessor-version":[{"id":522,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/posts\/512\/revisions\/522"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/media\/520"}],"wp:attachment":[{"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/media?parent=512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/categories?post=512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seclink.info\/cn\/wp-json\/wp\/v2\/tags?post=512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}