Merged
31 commits
2fbc7b3
feat: add listing curated rule sets
PaperMtn Oct 23, 2025
089549f
refactor: switch to returning list of dicts instead of a dict
PaperMtn Oct 23, 2025
69fa556
feat: added listing curated rule set categories
PaperMtn Oct 24, 2025
1b2ba98
feat: added listing all curated rules
PaperMtn Oct 24, 2025
738bfe7
feat: added getting a curated rule by ID
PaperMtn Oct 24, 2025
9920901
feat: added getting a curated rule set category by ID
PaperMtn Oct 24, 2025
b5fcf35
feat: added getting a curated rule set by ID
PaperMtn Oct 24, 2025
b53a41d
refactor: implement helper function for paginated requests
PaperMtn Oct 24, 2025
aa122e6
feat: added listing all rule set deployments
PaperMtn Oct 24, 2025
3fd0d58
feat: added getting rule set deployment by ID
PaperMtn Oct 24, 2025
032173b
feat: added getting rule set deployment by display name
PaperMtn Oct 24, 2025
3d3f7ec
feat: added getting rule by display name
PaperMtn Oct 24, 2025
837df6f
feat: added patching a rule set deployment
PaperMtn Oct 24, 2025
c7a86c8
refactor: make function names consistent
PaperMtn Oct 24, 2025
f119877
refactor: make function names consistent
PaperMtn Oct 24, 2025
1be86c6
refactor: make function names consistent
PaperMtn Oct 24, 2025
227cbed
docs: update README with curated rule set actions
PaperMtn Oct 25, 2025
6d41f8f
feat: added tests for rule_set module
PaperMtn Oct 26, 2025
b442e32
fix: fix f-string quote error
PaperMtn Oct 26, 2025
670408e
fix: Remove typing syntax incompatible with Python 3.9
PaperMtn Oct 26, 2025
1b26271
refactor: Rename incorrectly named update function
PaperMtn Oct 28, 2025
6d60b46
feat: Added CLI support for curated rule actions
PaperMtn Oct 28, 2025
caa647e
chore: linting fixes
PaperMtn Oct 28, 2025
1deb407
refactor: modify paginated request to respect page_size
PaperMtn Oct 31, 2025
700a26b
Merge branch 'main' into feature/curated-rule-set-actions
PaperMtn Oct 31, 2025
464b74e
chore: update documentation of get_by_name functions
PaperMtn Oct 31, 2025
cacc396
refactor: change get deployment status to use get function instead of…
PaperMtn Oct 31, 2025
1a8d4df
refactor: add pagination args for curated rule list functions
PaperMtn Oct 31, 2025
9deade9
chore: added example usage. Added integration tests
mihirvala08 Nov 3, 2025
36bfc12
chore: cleanup
mihirvala08 Nov 3, 2025
c340097
chore: added changelogs. Updated version.
mihirvala08 Nov 4, 2025
57 changes: 57 additions & 0 deletions CLI.md
Expand Up @@ -569,6 +569,63 @@ secops rule test --file "/path/to/rule.yaral" --time-window 24 > udm_events.json

The `rule test` command outputs UDM events as pure JSON objects that can be piped to a file or processed by other tools. This makes it easy to integrate with other systems or perform additional analysis on the events.

### Curated Rule Set Management

List all curated rules:
```bash
secops curated-rule rule list
```
Get curated rules:
```bash
# Get rule by UUID
curated-rule rule get --id "ur_ttp_GCP_ServiceAPIDisable"

# Get rule by name
curated-rule rule get --name "GCP Service API Disable"

```

List all curated rule sets:
```bash
secops curated-rule rule-set list
```

Get specific curated rule set details:
```bash
# Get curated rule set by UUID
secops curated-rule rule-set get --id "f5533b66-9327-9880-93e6-75a738ac2345"
```

List all curated rule set categories:
```bash
secops curated-rule rule-set-category list
```

Get specific curated rule set category details:
```bash
# Get curated rule set category by UUID
secops curated-rule rule-set-category get --id "db1114d4-569b-5f5d-0fb4-f65aaa766c92"
```

List all curated rule set deployments:
```bash
secops curated-rule rule-set-deployment list
```

Get specific curated rule set deployment details:
```bash
# Get curated rule set deployment by UUID
secops curated-rule rule-set-deployment get --id "f5533b66-9327-9880-93e6-75a738ac2345"

# Get curated rule set deployment by name
secops curated-rule rule-set-deployment get --name "Active Breach Priority Host Indicators"
```

Update curated rule set deployment:
```bash
secops curated-rule rule-set-deployment update --category-id "db1114d4-569b-5f5d-0fb4-f65aaa766c92" --rule-set-id "7e52cd71-03c6-97d2-ffcb-b8d7159e08e1" --precision precise --enabled false --alerting false
```

### Alert Management

Get alerts:
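Review bot: the two `rule get` examples near the top of the new section drop the `secops` prefix that every other command in the section uses (`curated-rule rule get --id "ur_ttp_GCP_ServiceAPIDisable"` and `curated-rule rule get --name "GCP Service API Disable"`), so they will not run as typed; prefix both with `secops`. In the same block the comment `# Get rule by UUID` does not match the value, which is a curated rule ID rather than a UUID, so `# Get rule by ID` would be accurate. The stray blank line before that block's closing fence can also go.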
86 changes: 83 additions & 3 deletions README.md
Expand Up @@ -1712,11 +1712,82 @@ for rule_alert in alerts_response.get('ruleAlerts', []):

If `tooManyAlerts` is True in the response, consider narrowing your search criteria using a smaller time window or more specific filters.

### Rule Sets
### Curated Rule Sets

Manage curated rule sets:
Query curated rules:

```python
# List all curated rules
rules = chronicle.list_curated_rules()
for rule in rules:
rule_id = rule.get("name", "").split("/")[-1]
display_name = rule.get("description")
description = rule.get("description")
print(f"Rule: {display_name}, Description: {description}")

# Get a curated rule
rule = chronicle.get_curated_rule("ur_ttp_lol_Atbroker")

# Get a curated rule set by display name
# NOTE: This is a linear scan of all curated rules which may be inefficient for large rule sets.
rule_set = chronicle.get_curated_rule_by_name("Atbroker.exe Abuse")
```

Query curated rule sets:

```python
# List all curated rule sets
rule_sets = chronicle.list_curated_rule_sets()
for rule_set in rule_sets:
rule_set_id = rule_set.get("name", "").split("/")[-1]
display_name = rule_set.get("displayName")
print(f"Rule Set: {display_name}, ID: {rule_set_id}")

# Get a curated rule set by ID
rule_set = chronicle.get_curated_rule_set("00ad672e-ebb3-0dd1-2a4d-99bd7c5e5f93")
```

Query curated rule set categories:

```python
# List all curated rule set categories
rule_set_categories = chronicle.list_curated_rule_set_categories()
for rule_set_category in rule_set_categories:
rule_set_category_id = rule_set_category.get("name", "").split("/")[-1]
display_name = rule_set_category.get("displayName")
print(f"Rule Set Category: {display_name}, ID: {rule_set_category_id}")

# Get a curated rule set category by ID
rule_set_category = chronicle.get_curated_rule_set_category("110fa43d-7165-2355-1985-a63b7cdf90e8")
```

Manage curated rule set deployments (turn alerting on or off (either precise or broad) for curated rule sets):

```python
# List all curated rule set deployments
rule_set_deployments = chronicle.list_curated_rule_set_deployments()
for rs_deployment in rule_set_deployments:
rule_set_id = rs_deployment.get("name", "").split("/")[-3]
category_id = rs_deployment.get("name", "").split("/")[-5]
deployment_status = rs_deployment.get("name", "").split("/")[-1]
display_name = rs_deployment.get("displayName")
alerting = rs_deployment.get("alerting", False)
print(
f"Rule Set: {display_name},"
f"Rule Set ID: {rule_set_id}",
f"Category ID: {category_id}",
f"Precision: {deployment_status}",
f"Alerting: {alerting}",
)

# Get curated rule set deployment by ID
rule_set_deployment = chronicle.get_curated_rule_set_deployment("00ad672e-ebb3-0dd1-2a4d-99bd7c5e5f93")

# Get curated rule set deployment by rule set display name
# NOTE: This is a linear scan of all curated rules which may be inefficient for large rule sets.
rule_set_deployment = chronicle.get_curated_rule_set_deployment_by_name("Azure - Network")

# Update multiple curated rule set deployments
# Define deployments for rule sets
deployments = [
{
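Review bot: in the "List all curated rules" loop, `display_name = rule.get("description")` reads the wrong field (the rule-set loop further down uses `displayName`), so the printed name and description are the same value, and `rule_id` is computed but never used; change it to `rule.get("displayName")` and either print `rule_id` or drop it. The comment `# Get a curated rule set by display name` above `get_curated_rule_by_name("Atbroker.exe Abuse")` describes a rule, not a rule set, and the result is assigned to `rule_set`; rename the variable to `rule` and fix the comment. The NOTE under `get_curated_rule_set_deployment_by_name` says it scans all curated rules, but that call scans rule set deployments. In the deployments loop the first f-string `f"Rule Set: {display_name},"` carries its comma inside the string while the remaining lines are separate `print` arguments, so the separators in the output are inconsistent; put the comma in all of them or in none.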
Expand All @@ -1728,8 +1799,17 @@ deployments = [
}
]

# Update rule set deployments
chronicle.batch_update_curated_rule_set_deployments(deployments)

# Update a single curated rule set deployment
chronicle.update_curated_rule_set_deployment(
category_id="category-uuid",
rule_set_id="ruleset-uuid",
precision="broad",
enabled=True,
alerting=False
)

```

### Rule Validation
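Review bot: the single-deployment update example passes `precision="broad"` without saying what values are accepted; the intro sentence above mentions `precise` and `broad`, and the CLI example uses `--precision precise`, so a one-line comment listing the two values next to the call would help. There is a stray blank line between `)` and the closing fence. The per-entry keys of the `deployments` list fall outside this hunk, so it is worth confirming they line up with the keyword arguments of `update_curated_rule_set_deployment` (`category_id`, `rule_set_id`, `precision`, `enabled`, `alerting`) so the batch and single examples read consistently.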
20 changes: 11 additions & 9 deletions api_module_mapping.md
Expand Up @@ -84,15 +84,17 @@ Following shows mapping between SecOps [REST Resource](https://cloud.google.com/
|bigQueryAccess.provide |v1alpha| | |
|bigQueryExport.provision |v1alpha| | |
|cases.countPriorities |v1alpha| | |
|curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.batchUpdate|v1alpha|chronicle.rule_set.batch_update_curated_rule_set_deployments| |
|curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.patch |v1alpha| | |
|curatedRuleSetCategories.curatedRuleSets.get |v1alpha| | |
|curatedRuleSetCategories.curatedRuleSets.list |v1alpha| | |
|curatedRuleSetCategories.get |v1alpha| | |
|curatedRuleSetCategories.list |v1alpha| | |
|curatedRules.get |v1alpha| | |
|curatedRules.list |v1alpha| | |
|dashboardCharts.batchGet |v1alpha| | |
|curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.batchUpdate | v1alpha | chronicle.rule_set.batch_update_curated_rule_set_deployments | |
| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.patch | v1alpha | chronicle.rule_set.update_curated_rule_set_deployment | secops curated-rule rule-set-deployment update |
| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.list | v1alpha | chronicle.rule_set.list_curated_rule_set_deployments | secops curated-rule rule-set-deployment list |
| curatedRuleSetCategories.curatedRuleSets.curatedRuleSetDeployments.get | v1alpha | chronicle.rule_set.get_curated_rule_set_deployment<br/>chronicle.rule_set.get_curated_rule_set_deployment_by_name | secops curated-rule rule-set-deployment get |
| curatedRuleSetCategories.curatedRuleSets.get | v1alpha | chronicle.rule_set.get_curated_rule_set | secops curated-rule rule-set get |
| curatedRuleSetCategories.curatedRuleSets.list | v1alpha | chronicle.rule_set.list_curated_rule_sets | secops curated-rule rule-set list |
| curatedRuleSetCategories.get | v1alpha | chronicle.rule_set.get_curated_rule_set_category | secops curated-rule rule-set-category get |
| curatedRuleSetCategories.list | v1alpha | chronicle.rule_set.list_curated_rule_set_categories | secops curated-rule rule-set-category list |
| curatedRules.get | v1alpha | chronicle.rule_set.get_curated_rule<br/>chronicle.rule_set.get_curated_rule_by_name | secops curated-rule rule get |
| curatedRules.list | v1alpha | chronicle.rule_set.list_curated_rules | secops curated-rule rule list |
| dashboardCharts.batchGet |v1alpha| | |
|dashboardCharts.get |v1alpha|chronicle.dashboard.get_chart |secops dashboard get-chart |
|dashboardQueries.execute |v1alpha|chronicle.dashboard_query.execute_query |secops dashboard-query execute |
|dashboardQueries.get |v1alpha|chronicle.dashboard_query.get_execute_query |secops dashboard-query get |
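Review bot: the new rows use padded cells (`| curatedRules.list | v1alpha | ... |`) while the surrounding table uses unpadded cells (`|dashboardCharts.get |v1alpha|...`), and the `batchUpdate` and `dashboardCharts.batchGet` rows changed only in whitespace, which adds two noise lines to the diff; match the existing cell style so only the genuinely new rows (the `curatedRuleSetDeployments.list`, `.get`, `.patch` mappings and the rest) show as changes. Both forms render identically in Markdown, so this is style only.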