Merge pull request #799 from SumoLogic/DET-728

DET-728: Added support for overriding sumo rules

Author: antonymartinsumo

CHANGELOG.md

@@ -2,6 +2,7 @@
 * Add new change notes here
 
 ENHANCEMENTS:
+* Added support for overriding sumo built-in rules
 * Updated Terraform version in GitHub Actions tests to 1.7.5
 
 ## 3.1.3 (August 6, 2025)

sumologic/resource_sumologic_cse_aggregation_rule.go

@@ -69,8 +69,9 @@ func resourceSumologicCSEAggregationRule() *schema.Resource {
 				Optional: true,
 			},
 			"match_expression": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: suppressSpaceDiff,
 			},
 			"name": {
 				Type:     schema.TypeString,
@@ -206,13 +207,20 @@ func resourceSumologicCSEAggregationRuleCreate(d *schema.ResourceData, meta inte
 }
 
 func resourceSumologicCSEAggregationRuleUpdate(d *schema.ResourceData, meta interface{}) error {
+	ruleSource := getRuleSource(d.Id(), meta)
 	CSEAggregationRule, err := resourceToCSEAggregationRule(d)
 	if err != nil {
 		return err
 	}
 
 	c := meta.(*Client)
-	if err = c.UpdateCSEAggregationRule(CSEAggregationRule); err != nil {
+	if ruleSource == "user" {
+		err = c.UpdateCSEAggregationRule(CSEAggregationRule)
+	} else {
+		err = c.OverrideCSEAggregationRule(CSEAggregationRule)
+	}
+
+	if err != nil {
 		return err
 	}
 

sumologic/resource_sumologic_cse_aggregation_rule_test.go

@@ -56,6 +56,62 @@ func TestAccSumologicCSEAggregationRule_createAndUpdateWithCustomWindowSize(t *t
 	})
 }
 
+func TestAccSumologicCSEAggregationRule_Override(t *testing.T) {
+	SkipCseTest(t)
+
+	var aggregationRule CSEAggregationRule
+	descriptionExpression := "This rule detects when a user has utilized multiple distinct User Agents when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression."
+
+	resourceName := "sumologic_cse_aggregation_rule.sumo_aggregation_rule_test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCSEAggregationRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:                  testOverrideCSEAggregationRuleConfig(descriptionExpression),
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateId:           "AGGREGATION-S00009",
+				ImportStateVerify:       false,
+				ImportStateVerifyIgnore: []string{"name"}, // Ignore fields that might differ
+				ImportStatePersist:      true,
+			},
+			{
+				Config: testOverrideCSEAggregationRuleConfig(fmt.Sprintf("Updated %s", descriptionExpression)),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckCSEAggregationRuleExists(resourceName, &aggregationRule),
+					testCheckAggregationRuleOverrideValues(&aggregationRule, fmt.Sprintf("Updated %s", descriptionExpression)),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttr(resourceName, "id", "AGGREGATION-S00009"),
+				),
+			},
+			{
+				Config: testOverrideCSEAggregationRuleConfig(descriptionExpression),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckCSEAggregationRuleExists(resourceName, &aggregationRule),
+					testCheckAggregationRuleOverrideValues(&aggregationRule, descriptionExpression),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttr(resourceName, "id", "AGGREGATION-S00009"),
+				),
+			},
+			{
+				Config: getAggregationRuleRemovedBlock(),
+			},
+		},
+	})
+}
+
+func getAggregationRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_aggregation_rule.sumo_aggregation_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}`)
+}
+
 func TestAccSumologicCSEAggregationRule_createAndUpdateToCustomWindowSize(t *testing.T) {
 	SkipCseTest(t)
 
@@ -171,6 +227,50 @@ func testAccCSEAggregationRuleDestroy(s *terraform.State) error {
 	return nil
 }
 
+func testOverrideCSEAggregationRuleConfig(descriptionExpression string) string {
+	return fmt.Sprintf(`
+resource "sumologic_cse_aggregation_rule" "sumo_aggregation_rule_test" {
+    description_expression = "%s"
+    enabled                = true
+    group_by_entity        = true
+    group_by_fields        = []
+    is_prototype           = true
+    match_expression       = <<-EOT
+        metadata_vendor = "Okta"
+        and metadata_deviceEventId = "user.authentication.sso"
+    EOT
+    name                   = "Okta - Session Anomaly (Multiple User Agents)"
+    name_expression        = "Okta - Session Anomaly (Multiple User Agents) for user: {{user_username}}"
+    summary_expression     = "{{user_username}} has utilized a number of distinct User Agents which has crossed the threshold (4) value within a 30-minute time period to perform Okta authentication."
+    tags                   = [
+        "_mitreAttackTactic:TA0001",
+        "_mitreAttackTechnique:T1078.004",
+    ]
+    trigger_expression     = "distinct_userAgents > 4"
+    window_size            = "T30M"
+
+    aggregation_functions {
+        arguments = [
+            "fields[\"client.userAgent.rawUserAgent\"]",
+        ]
+        function  = "count_distinct"
+        name      = "distinct_userAgents"
+    }
+
+    entity_selectors {
+        entity_type = "_username"
+        expression  = "user_username"
+    }
+
+    severity_mapping {
+        default = 1
+        field   = null
+        type    = "constant"
+    }
+}
+`, descriptionExpression)
+}
+
 func testCreateCSEAggregationRuleConfig(t *testing.T, payload *CSEAggregationRule) string {
 	resourceTemplate := `
 		resource "sumologic_cse_aggregation_rule" "aggregation_rule" {
@@ -303,3 +403,12 @@ func testCheckCSEAggregationRuleValues(t *testing.T, expected *CSEAggregationRul
 		return nil
 	}
 }
+
+func testCheckAggregationRuleOverrideValues(aggregationRule *CSEAggregationRule, descriptionExpression string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if aggregationRule.DescriptionExpression != descriptionExpression {
+			return fmt.Errorf("bad descriptionExpression, expected \"%s\", got %#v", descriptionExpression, aggregationRule.DescriptionExpression)
+		}
+		return nil
+	}
+}

sumologic/resource_sumologic_cse_chain_rule.go

@@ -34,8 +34,9 @@ func resourceSumologicCSEChainRule() *schema.Resource {
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"expression": {
-							Type:     schema.TypeString,
-							Required: true,
+							Type:             schema.TypeString,
+							Required:         true,
+							DiffSuppressFunc: suppressSpaceDiff,
 						},
 						"limit": {
 							Type:     schema.TypeInt,
@@ -184,13 +185,20 @@ func resourceSumologicCSEChainRuleCreate(d *schema.ResourceData, meta interface{
 }
 
 func resourceSumologicCSEChainRuleUpdate(d *schema.ResourceData, meta interface{}) error {
+	ruleSource := getRuleSource(d.Id(), meta)
 	CSEChainRule, err := resourceToCSEChainRule(d)
 	if err != nil {
 		return err
 	}
 
 	c := meta.(*Client)
-	if err = c.UpdateCSEChainRule(CSEChainRule); err != nil {
+	if ruleSource == "user" {
+		err = c.UpdateCSEChainRule(CSEChainRule)
+	} else {
+		err = c.OverrideCSEChainRule(CSEChainRule)
+	}
+
+	if err != nil {
 		return err
 	}
 

sumologic/resource_sumologic_cse_chain_rule_test.go

@@ -56,6 +56,63 @@ func TestAccSumologicCSEChainRule_createAndUpdateWithCustomWindowSize(t *testing
 	})
 }
 
+func TestAccSumologicCSEChainRule_Override(t *testing.T) {
+	SkipCseTest(t)
+
+	var ChainRule CSEChainRule
+	descriptionExpression := "This rule utilizes Jamf telemetry and looks for osascript execution with a suspicious parent process indicating execution from a shell or terminal in addition to the osascript process making network connections to an external IP address."
+
+	resourceName := "sumologic_cse_chain_rule.sumo_chain_rule_test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCSEChainRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:                  testOverrideCSEChainRuleConfig(descriptionExpression),
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateId:           "CHAIN-S00016",
+				ImportStateVerify:       false,
+				ImportStateVerifyIgnore: []string{"name"}, // Ignore fields that might differ
+				ImportStatePersist:      true,
+			},
+			{
+				Config: testOverrideCSEChainRuleConfig(fmt.Sprintf("Updated %s", descriptionExpression)),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckCSEChainRuleExists(resourceName, &ChainRule),
+					testCheckChainRuleOverrideValues(&ChainRule, fmt.Sprintf("Updated %s", descriptionExpression)),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttr(resourceName, "id", "CHAIN-S00016"),
+				),
+			},
+			{
+				Config: testOverrideCSEChainRuleConfig(descriptionExpression),
+				Check: resource.ComposeTestCheckFunc(
+					testCheckCSEChainRuleExists(resourceName, &ChainRule),
+					testCheckChainRuleOverrideValues(&ChainRule, descriptionExpression),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttr(resourceName, "id", "CHAIN-S00016"),
+				),
+			},
+			{
+				Config: getChainRuleRemovedBlock(),
+			},
+		},
+	})
+}
+
+func getChainRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_chain_rule.sumo_chain_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}
+	`)
+}
+
 func TestAccSumologicCSEChainRule_createAndUpdateToCustomWindowSize(t *testing.T) {
 	SkipCseTest(t)
 
@@ -219,6 +276,54 @@ func testCreateCSEChainRuleConfig(t *testing.T, payload *CSEChainRule) string {
 	return buffer.String()
 }
 
+func testOverrideCSEChainRuleConfig(descriptionExpression string) string {
+	return fmt.Sprintf(`
+resource "sumologic_cse_chain_rule" "sumo_chain_rule_test" {
+    description        = "%s"
+    enabled            = true
+    group_by_fields    = [
+        "user_username",
+    ]
+    is_prototype       = true
+    name               = "macOS - Suspicious Osascript Execution and Network Activity"
+    ordered            = false
+    severity           = 3
+    summary_expression = "User: {{user_username}}  has created and deleted an agent pool in a short period of time - inaminadika10"
+    tags               = [
+        "_mitreAttackTactic:TA0002",
+        "_mitreAttackTechnique:T1059.002",
+    ]
+    window_size        = "T05M"
+
+    entity_selectors {
+        entity_type = "_hostname"
+        expression  = "device_hostname"
+    }
+
+    expressions_and_limits {
+        expression = <<-EOT
+            baseImage = "/usr/bin/osascript"
+            and !isNull(commandLine)
+            and parentBaseImage matches /(\/bin)/
+        EOT
+        limit      = 1
+    }
+    expressions_and_limits {
+        expression = <<-EOT
+            metadata_vendor = "Jamf"
+            and metadata_product = "Jamf"
+            and metadata_deviceEventId = "AUE_CONNECT"
+            and parentBaseImage matches /(\/bin)/
+            and baseImage = "/usr/bin/osascript"
+            and !isNull(dstDevice_ip)
+            and dstDevice_ip_isInternal = false
+        EOT
+        limit      = 1
+    }
+}
+`, descriptionExpression)
+}
+
 func getCSEChainRuleTestPayload() CSEChainRule {
 	return CSEChainRule{
 		Description:            "Test description",
@@ -282,3 +387,12 @@ func testCheckCSEChainRuleValues(t *testing.T, expected *CSEChainRule, actual *C
 		return nil
 	}
 }
+
+func testCheckChainRuleOverrideValues(chainRule *CSEChainRule, descriptionExpression string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if chainRule.Description != descriptionExpression {
+			return fmt.Errorf("bad descriptionExpression, expected \"%s\", got %#v", descriptionExpression, chainRule.Description)
+		}
+		return nil
+	}
+}

sumologic/resource_sumologic_cse_first_seen_rule.go

@@ -36,8 +36,9 @@ func resourceSumologicCSEFirstSeenRule() *schema.Resource {
 			},
 			"entity_selectors": getEntitySelectorsSchema(),
 			"filter_expression": {
-				Type:     schema.TypeString,
-				Required: true,
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: suppressSpaceDiff,
 			},
 			"group_by_fields": {
 				Type:     schema.TypeList,
@@ -183,13 +184,20 @@ func resourceSumologicCSEFirstSeenRuleCreate(d *schema.ResourceData, meta interf
 }
 
 func resourceSumologicCSEFirstSeenRuleUpdate(d *schema.ResourceData, meta interface{}) error {
+	ruleSource := getRuleSource(d.Id(), meta)
 	CSEFirstSeenRule, err := resourceToCSEFirstSeenRule(d)
 	if err != nil {
 		return err
 	}
 
 	c := meta.(*Client)
-	if err = c.UpdateCSEFirstSeenRule(CSEFirstSeenRule); err != nil {
+	if ruleSource == "user" {
+		err = c.UpdateCSEFirstSeenRule(CSEFirstSeenRule)
+	} else {
+		err = c.OverrideCSEFirstSeenRule(CSEFirstSeenRule)
+	}
+
+	if err != nil {
 		return err
 	}