Managing Elastic Security Detection Rules with Terraform
Elastic has introduced capabilities to manage security detection rules and exceptions as code using the Elastic Stack Terraform provider. This enables DevOps and platform teams to integrate detection lifecycle management into broader infrastructure-as-code pipelines, complementing existing detection engineering workflows.
Source: Elastic Security Labs
Key Takeaways
- The Elastic Stack Terraform provider (v0.12.0+) now supports managing security detection rules and exceptions as code.
- Elastic's AI Agent can assist in converting ES|QL queries and exception parameters into Terraform HCL configurations.
- Terraform is optimal for DevOps and Platform teams managing deployments, while the 'detection-rules' repository is better suited for Detection Engineers authoring and validating rules.
- An example use case demonstrates how to detect interactive logons by Windows service accounts to identify potential credential misuse.
Affected Systems
- Windows
- Elastic Security
Attack Chain
The article does not describe a specific attack chain; instead it walks through an example detection scenario. In that scenario, an attacker compromises a Windows service account and uses it for an interactive logon, departing from the account's normal non-interactive service behavior. The successful logon is recorded by LSASS as Security Event ID 4624 and forwarded to the SIEM, where the rule detects it.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Elastic Security
The article provides an example ES|QL query and corresponding Terraform HCL configuration to detect interactive logons by Windows service accounts.
Detection Engineering Assessment
- EDR Visibility: Medium — Detection relies on the Windows Local Security Authority Subsystem Service (LSASS) logging successful logon sessions, which requires proper Windows Event Forwarding or EDR collection of Event ID 4624.
- Network Visibility: None — Interactive logons are host-based authentication events and are not typically visible via pure network telemetry without protocol decryption.
- Detection Difficulty: Easy — Correlating Event ID 4624 with specific logon types (Interactive, RemoteInteractive) and service account naming conventions is straightforward with standard SIEM queries.
Required Log Sources
- Windows Security Event Log 4624
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Service accounts are being used for interactive logons, indicating potential credential compromise or policy violation. | Windows Security Event ID 4624 (Logon) | Initial Access / Persistence | Medium |
Control Gaps
- Lack of strict service account logon type restrictions in Active Directory Group Policy
Key Behavioral Indicators
- Event ID 4624 with Logon Type 2, 10, 11, or 12
- Usernames matching svc_* or *$ patterns performing interactive logons
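The detection logic described in the assessment and the indicators above (Event ID 4624, interactive logon types 2/10/11/12, svc_* or *$ account names), as an added example that is not the article's own ES|QL rule or Terraform configuration. The sample events and their ECS-style field names are constructed for this example; the exception list stands in for the rule exceptions the article manages as code.

```python
import fnmatch

# Logon types the page treats as interactive: 2 Interactive, 10 RemoteInteractive,
# 11 CachedInteractive, 12 CachedRemoteInteractive (values arrive as strings in the log).
INTERACTIVE_LOGON_TYPES = {"2", "10", "11", "12"}
# Service account naming conventions from the page; matched case-insensitively.
SERVICE_ACCOUNT_PATTERNS = ("svc_*", "*$")

# Constructed sample of Windows Security events in a flattened ECS-style layout
# (field names are an assumption for this example, not the article's schema).
SAMPLE_EVENTS = [
    {"event.code": "4624", "winlog.event_data.LogonType": "10",
     "winlog.event_data.TargetUserName": "svc_backup", "host.name": "FS01", "source.ip": "10.0.5.23"},
    {"event.code": "4624", "winlog.event_data.LogonType": "5",   # normal service logon
     "winlog.event_data.TargetUserName": "svc_backup", "host.name": "FS01", "source.ip": "-"},
    {"event.code": "4624", "winlog.event_data.LogonType": "2",   # ordinary user, not a service account
     "winlog.event_data.TargetUserName": "alice", "host.name": "WS01", "source.ip": "-"},
    {"event.code": "4624", "winlog.event_data.LogonType": "2",   # machine account, interactive
     "winlog.event_data.TargetUserName": "WS01$", "host.name": "WS01", "source.ip": "-"},
    {"event.code": "4624", "winlog.event_data.LogonType": "11",  # known, excepted pairing
     "winlog.event_data.TargetUserName": "svc_sql", "host.name": "SQL01", "source.ip": "-"},
    {"event.code": "4625", "winlog.event_data.LogonType": "10",  # failed logon, out of scope
     "winlog.event_data.TargetUserName": "svc_backup", "host.name": "FS01", "source.ip": "10.0.5.23"},
]

# Exceptions as data: (lowercase user, uppercase host) pairs that are allowed to logon interactively.
EXCEPTIONS = {("svc_sql", "SQL01")}


def is_service_account(user):
    """True when the account name follows one of the service account patterns."""
    return any(fnmatch.fnmatchcase(user.lower(), p) for p in SERVICE_ACCOUNT_PATTERNS)


def find_interactive_service_logons(events, exceptions=EXCEPTIONS):
    """Return the 4624 events where a service account logged on interactively and no exception applies."""
    hits = []
    for ev in events:
        if ev.get("event.code") != "4624":
            continue
        logon_type = ev.get("winlog.event_data.LogonType")
        if logon_type not in INTERACTIVE_LOGON_TYPES:
            continue
        user = ev.get("winlog.event_data.TargetUserName", "")
        host = ev.get("host.name", "")
        if not is_service_account(user) or (user.lower(), host.upper()) in exceptions:
            continue
        hits.append({"user": user, "host": host, "logon_type": logon_type,
                     "source_ip": ev.get("source.ip", "-")})
    return hits
```

Running `find_interactive_service_logons(SAMPLE_EVENTS)` over the sample flags the svc_backup RemoteInteractive logon and the WS01$ Interactive logon, while the excepted svc_sql logon, the type 5 service logon and the failed 4625 are dropped.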
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Review existing service accounts and restrict their logon rights to 'Deny log on locally' and 'Deny log on through Remote Desktop Services' via Group Policy.
Infrastructure Hardening
- Implement Detection-as-Code using Terraform or detection-rules repositories to maintain version control and auditability over security rules.
- Establish strict naming conventions for service accounts to simplify detection logic and exception management.
User Protection
- Rotate service account passwords regularly or implement Group Managed Service Accounts (gMSA) to prevent credential theft.
Security Awareness
- Train detection engineers and DevOps teams on integrating security rules into CI/CD pipelines using Terraform workspaces.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1078.002 - Domain Accounts