Elastic's Terraform provider now supports managing detection rules and exception lists as code, enabling teams to define, deploy, and track security detections alongside other infrastructure in HCL and to translate ES|QL queries into Terraform resources. The article compares the Terraform provider with the detection-rules repository, demonstrates an ES|QL example for detecting interactive service-account logons, and highlights Elastic AI Agent assistance for generating Terraform configurations. #Elastic #Terraform
Keypoints
- Elastic Stack Terraform provider versions v0.12.0 and v0.13.0 add resources to manage security detection rules and exception lists as Terraform code.
- Example detection: an ES|QL rule to detect interactive logons by service accounts using logs from the system.security data stream and Windows event code 4624.
- Exceptions can be managed as separate Terraform resources (exception lists and exception items), enabling documented, auditable exclusions like svc_sqlbackup.
- Elastic AI Agent can assist in translating ES|QL rules and exception logic into Terraform HCL to accelerate detection-as-code creation.
- The provider offers drift detection via Terraform plan, showing changes made directly in Kibana before applying updates.
- The article contrasts the Terraform provider (best for DevOps/platform teams and deployment) with detection-rules (best for detection engineers and authoring/testing), highlighting complementary strengths.
MITRE Techniques
- [T1078] Valid Accounts: used to classify the rule detecting legitimate account use abused by attackers ("Detects interactive logins by service accounts.")
- [T1078.002] Domain Accounts: identifies the domain/service account naming patterns targeted by the rule (svc_*, svc-*, *_svc, *$) ("This rule identifies service accounts by common naming conventions (svc_*, svc-*, *_svc) and managed service accounts (*$).")
Indicators of Compromise
- [Event Code] Windows logon event used to detect interactive service-account logons: 4624
- [Index / Data stream] Data source and index pattern for telemetry in Elastic: logs-system.security-*
- [Usernames / Patterns] Account name patterns used in the detection and exceptions: svc_*, svc-*, *_svc, *$, svc_sqlbackup
- [Rule / Exception IDs] Terraform resource identifiers and list IDs referenced for deployment/context: svc-account-interactive-login-exceptions, svc-sqlbackup-exception
- [Domains / References] Documentation and references cited for guidance and MITRE mapping: learn.microsoft.com, attack.mitre.org (and blog.quest.com)
Read more: https://www.elastic.co/security-labs/managing-rules-with-terraform