Use cases for end-to-end implementations of detection-as-code (DaC)
- CC1: Maintaining rules within a Version Control System (VCS)
- CC2: Syncing rules from VCS to Elastic Security
- CC3: Managing rules within Elastic Security (consistent with a DaC approach)
- CC4: Syncing rules from Elastic Security to VCS
- GM1: VCS as authoritative
- GM2: Elastic Security as authoritative
- GM3: Dual sync between VCS and Elastic Security (optional)
use case | governance model | CC1 | CC2 | CC3 | CC4 | notes |
---|---|---|---|---|---|---|
infosec | GM1 | | | | | need to verify; grimoire |
fork DR | GM1 | | | | | Leveraging detection-rules repo for rule maintenance |
import DR | GM3 | | | | | Import libraries to assist dual sync |
platform centric MSSP | GM2 | | | | | Elastic-centric rule management for multiple clients |
In practice, the Detection as Code (DaC) approach within Elastic Security leverages a series of GitHub Actions workflows to automate various synchronization tasks. These workflows facilitate the continuous integration and deployment of detection rules, ensuring that they are consistently aligned with the latest developments and threat intelligence. The following workflows can be found in the .github/workflows directory:
- Push to Production Sync: Automates the process of pushing verified rules from the Version Control System to the Elastic Security environment upon changes being merged into the main branch.
- Manual Dispatch Sync Workflow: Allows repository maintainers to manually trigger a rules synchronization, providing control over when rules are updated in Elastic Security.
- Scheduled Sync Workflow: Executes at predetermined intervals to check for and synchronize any updates from Elastic Security, ensuring the detection rules are current.
- CI/CD Per-PR Sync Workflow: Runs a series of checks on pull requests to validate rule changes before they are merged, ensuring that all updates meet the defined standards for detection rules.
These workflows are essential tools in managing the lifecycle of detection rules, contributing to a robust and responsive security posture.
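As an added illustration of how a sync workflow would apply the three governance models above (GM1, GM2, GM3) before talking to Elastic Security, the Python below is example code written for this page; it is not code from the repository's workflows or from the detection-rules CLI. It assumes rules are compared by their `rule_id` and `version` fields (both present in Kibana rule exports), uses the real Detection Engine `_export`/`_import` API paths, and treats the Kibana host and API key as placeholders. The rule sets are constructed sample data, not real rules.

```python
"""Plan and package a rules sync between a VCS checkout and Elastic Security.

The governance model decides which side wins when a rule differs:
  GM1: VCS authoritative, GM2: Elastic Security authoritative, GM3: dual sync.
"""
import json
from dataclasses import dataclass

# Detection Engine API paths used by a sync job. The Kibana host and the API
# key are assumed to come from CI secrets; the values here are placeholders.
EXPORT_ENDPOINT = "/api/detection_engine/rules/_export"
IMPORT_ENDPOINT = "/api/detection_engine/rules/_import"
REQUIRED_HEADERS = {"kbn-xsrf": "true", "Authorization": "ApiKey <API_KEY_PLACEHOLDER>"}

# Fields a rule author controls; Kibana bookkeeping (updated_at, id, ...) is ignored.
COMPARED_FIELDS = ("name", "query", "version", "severity", "enabled")


@dataclass(frozen=True)
class SyncAction:
    rule_id: str
    direction: str  # "push" = VCS -> Elastic, "pull" = Elastic -> VCS, "conflict", "noop"
    reason: str


def fingerprint(rule):
    """Content identity of a rule restricted to author-controlled fields."""
    return tuple(rule.get(field) for field in COMPARED_FIELDS)


def plan_sync(vcs_rules, elastic_rules, model):
    """Return one SyncAction per rule_id seen on either side under the given model."""
    vcs = {r["rule_id"]: r for r in vcs_rules}
    elastic = {r["rule_id"]: r for r in elastic_rules}
    actions = []
    for rid in sorted(vcs.keys() | elastic.keys()):
        local, remote = vcs.get(rid), elastic.get(rid)
        if local and remote and fingerprint(local) == fingerprint(remote):
            actions.append(SyncAction(rid, "noop", "in sync"))
        elif model == "GM1":  # VCS wins; anything only in Elastic is flagged, never silently kept
            actions.append(SyncAction(rid, "push", "VCS is authoritative") if local
                           else SyncAction(rid, "conflict", "exists only in Elastic; commit it to VCS or delete it"))
        elif model == "GM2":  # Elastic wins; anything only in VCS is flagged
            actions.append(SyncAction(rid, "pull", "Elastic Security is authoritative") if remote
                           else SyncAction(rid, "conflict", "exists only in VCS; create it in Elastic or drop it"))
        elif model == "GM3":  # dual sync: the higher version wins, ties with different content need review
            if remote is None or (local and local["version"] > remote["version"]):
                actions.append(SyncAction(rid, "push", "VCS copy is newer or only in VCS"))
            elif local is None or remote["version"] > local["version"]:
                actions.append(SyncAction(rid, "pull", "Elastic copy is newer or only in Elastic"))
            else:
                actions.append(SyncAction(rid, "conflict", "same version, different content; needs human review"))
        else:
            raise ValueError(f"unknown governance model {model!r}")
    return actions


def parse_export_ndjson(text):
    """Rules from an _export response body; its trailing summary line carries no rule_id."""
    objects = (json.loads(line) for line in text.splitlines() if line.strip())
    return [obj for obj in objects if "rule_id" in obj]


def build_import_ndjson(vcs_rules, actions):
    """NDJSON body for _import (sent as the multipart 'file' field) holding only pushed rules."""
    by_id = {r["rule_id"]: r for r in vcs_rules}
    lines = [json.dumps(by_id[a.rule_id], sort_keys=True) for a in actions if a.direction == "push"]
    return "".join(line + "\n" for line in lines)


# Constructed sample data: a VCS checkout and an _export response for the same space.
VCS_RULES = [
    {"rule_id": "cons-0001", "name": "Suspicious cron edit", "query": "process.name:crontab", "version": 2, "severity": "medium", "enabled": True},
    {"rule_id": "cons-0002", "name": "New local admin", "query": "event.action:user-added", "version": 1, "severity": "high", "enabled": True},
    {"rule_id": "cons-0003", "name": "Only in VCS", "query": "event.code:4720", "version": 1, "severity": "low", "enabled": False},
    {"rule_id": "cons-0005", "name": "Edited both sides", "query": "process.name:nc", "version": 1, "severity": "high", "enabled": True},
]
ELASTIC_EXPORT = "\n".join([
    json.dumps({"rule_id": "cons-0001", "name": "Suspicious cron edit", "query": "process.name:crontab", "version": 1, "severity": "medium", "enabled": True, "updated_at": "2024-01-01T00:00:00Z"}),
    json.dumps({"rule_id": "cons-0002", "name": "New local admin", "query": "event.action:user-added", "version": 1, "severity": "high", "enabled": True, "updated_at": "2024-01-02T00:00:00Z"}),
    json.dumps({"rule_id": "cons-0004", "name": "Only in Elastic", "query": "event.code:1102", "version": 1, "severity": "low", "enabled": True}),
    json.dumps({"rule_id": "cons-0005", "name": "Edited both sides", "query": "process.name:ncat", "version": 1, "severity": "high", "enabled": True}),
    json.dumps({"exported_count": 4, "missing_rules": [], "missing_rules_count": 0}),
])


if __name__ == "__main__":
    remote_rules = parse_export_ndjson(ELASTIC_EXPORT)
    for model in ("GM1", "GM2", "GM3"):
        print(f"== {model} ==")
        for action in plan_sync(VCS_RULES, remote_rules, model):
            print(f"{action.rule_id}: {action.direction:8} {action.reason}")
    print(build_import_ndjson(VCS_RULES, plan_sync(VCS_RULES, remote_rules, "GM1")))
```

In a Push to Production or Scheduled Sync job the plan would be computed first and any `conflict` entries would fail the run, so that a rule edited directly in the Elastic UI under GM1 (or committed only to VCS under GM2) surfaces in CI instead of being overwritten; only the `push` set is packaged into the `_import` body.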