chronicle / detection-rules

Collection of YARA-L 2.0 sample rules for the Chronicle Detection API
https://chronicle.security
Apache License 2.0

Rule_Manager - Skip archived Rules flag #50

Open the2dl opened 7 months ago

the2dl commented 7 months ago

@threat-punter would it be possible in the Rule Manager to add a feature to allow skipping archived rules for all the processes (get/update/etc.)? I tried to poke around and find where to update the code but couldn't figure it out; it would be a great feature.

It would be nice, when running python -m rule_cli, to have something like --skip-archive.

threat-punter commented 7 months ago

Hey @the2dl,

Thanks for reaching out. I'd like to try and understand your use case a bit better.

Why would you like to skip archived rules? Is it because you have a lot of them and this would save you some time when running the commands?

If you have many archived rules, have you considered deleting some to clean up your collection of rules?

If you have an option to skip archived rules, are you thinking that you'd like to skip writing them to local .yaral files and skip any updates being made to rules in Chronicle?

What do you think should happen if you use a "skip archived" option when you have a rule that's archived in Chronicle, but configured as enabled=True in your code?

Cheers

the2dl commented 7 months ago

Hey @threat-punter,

It is due to the sheer volume (I have ~200 in there) and I'd prefer to not have them brought into the pipeline as they hold no value currently.

Is there a new API to delete rules? That would help me clean some up, but as far as I was aware archive is the only option, plus I want to keep a bunch in archive that I may use later.

Yes, I'd like to skip writing them to .yaral local files and also skip any updates for them, unless they become unarchived.

As far as I'm aware, you can't have an archived rule that is enabled in any way (Live or Alerting).

This error pops up:

UNABLE TO ARCHIVE

Rule is currently active. If you wish to archive, you must turn off LIVE status and cancel any Retrohunts (or wait for them to finish).

threat-punter commented 7 months ago

Hey @the2dl,

Did you get this figured out? I'm just reading your awesome blog post and see that you figured out how to skip writing rules to local .yaral files if they're archived in Chronicle.

There is indeed an API method to delete rules in Chronicle.

threat-punter commented 7 months ago

Hey @the2dl,

Check out the code in pull request #52. I added a --skip-archived argument for the pull-latest-rules and update-remote-rules subcommands.

The new commands are as follows. The --skip-archived argument is optional.

python -m rule_cli pull-latest-rules --skip-archived
python -m rule_cli update-remote-rules --skip-archived

Please feel free to make these edits in your GitHub project and let me know if you encounter any problems/questions.

Cheers
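
The skip logic behind a --skip-archived flag, as an added example that is not part of this thread or the detection-rules project's rule_cli. It assumes rules are dicts shaped like Chronicle Detection API v2 rule objects, where an archived rule carries an archivedTime value and liveRuleEnabled/alertingEnabled are booleans, and that local configuration is a dict keyed by rule name with an enabled flag; the sample rules and config below are constructed. It covers both halves of the use case discussed above: skipping archived rules when writing local .yaral files, and skipping them when planning remote updates, including the case of a rule archived in Chronicle but configured enabled=True locally.

```python
"""Added example: skipping archived rules in a pull/update workflow.

Illustrative code, not the detection-rules project's rule_cli.
Assumptions: rule dicts follow the Chronicle Detection API v2 shape
(archived rules carry ``archivedTime``); local config is
{rule_name: {"enabled": bool}}.
"""
import argparse
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample of what a list-rules response might contain.
REMOTE_RULES: List[Dict] = [
    {"ruleId": "ru_1", "ruleName": "suspicious_powershell",
     "ruleText": "rule suspicious_powershell { meta: author = \"sample\" }",
     "liveRuleEnabled": True, "alertingEnabled": True},
    {"ruleId": "ru_2", "ruleName": "old_scanner_noise",
     "ruleText": "rule old_scanner_noise { meta: author = \"sample\" }",
     "liveRuleEnabled": False, "alertingEnabled": False,
     "archivedTime": "2023-01-10T12:00:00Z"},        # archived in Chronicle
    {"ruleId": "ru_3", "ruleName": "dns_tunnel_beacon",
     "ruleText": "rule dns_tunnel_beacon { meta: author = \"sample\" }",
     "liveRuleEnabled": False, "alertingEnabled": False},
]

# Constructed local config; old_scanner_noise is the conflict raised in the thread.
LOCAL_CONFIG: Dict[str, Dict] = {
    "suspicious_powershell": {"enabled": True},
    "old_scanner_noise": {"enabled": True},
    "dns_tunnel_beacon": {"enabled": False},
}


def is_archived(rule: Dict) -> bool:
    """A rule is archived when the API reports an archivedTime (assumed field)."""
    return bool(rule.get("archivedTime"))


def select_rules_to_pull(remote_rules: List[Dict], skip_archived: bool) -> List[Dict]:
    """Rules to write locally; with skip_archived, archived ones are dropped.
    A rule that is later unarchived loses archivedTime and is pulled again."""
    if not skip_archived:
        return list(remote_rules)
    return [r for r in remote_rules if not is_archived(r)]


def write_yaral_files(rules: List[Dict], out_dir: Optional[str] = None) -> List[str]:
    """Write one <ruleName>.yaral per rule; returns the file names written."""
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp())
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for rule in rules:
        path = out / f"{rule['ruleName']}.yaral"
        path.write_text(rule["ruleText"])
        written.append(path.name)
    return written


def plan_remote_updates(local_config: Dict[str, Dict], remote_rules: List[Dict],
                        skip_archived: bool) -> Dict[str, str]:
    """Decide, per local rule, what an update run would do.

    Policy chosen for this example: with skip_archived, archived remote rules
    are left untouched regardless of local config; without it, a rule that is
    archived remotely but enabled locally is flagged rather than pushed, since
    the thread notes an archived rule cannot be live or alerting."""
    by_name = {r["ruleName"]: r for r in remote_rules}
    plan: Dict[str, str] = {}
    for name, cfg in local_config.items():
        remote = by_name.get(name)
        if remote is None:
            plan[name] = "create"
        elif is_archived(remote):
            if skip_archived:
                plan[name] = "skip (archived in Chronicle)"
            elif cfg.get("enabled"):
                plan[name] = "conflict (archived in Chronicle, enabled=True locally)"
            else:
                plan[name] = "update"
        else:
            plan[name] = "update"
    return plan


if __name__ == "__main__":
    # Hypothetical stand-in for the CLI flag; not rule_cli's own parser.
    parser = argparse.ArgumentParser()
    parser.add_argument("--skip-archived", action="store_true")
    args = parser.parse_args()
    pulled = select_rules_to_pull(REMOTE_RULES, args.skip_archived)
    print("pulled:", write_yaral_files(pulled))
    for name, action in plan_remote_updates(LOCAL_CONFIG, REMOTE_RULES, args.skip_archived).items():
        print(f"{name}: {action}")
```

Run it with and without --skip-archived to see the archived rule drop out of both the pulled file list and the update plan.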

the2dl commented 7 months ago

@threat-punter this is perfect. I tested out both pull and update and they worked great. When this gets merged in I'll update my blog post to reflect the changes.

Thanks for adding this functionality!

threat-punter commented 7 months ago

Awesome!

threat-punter commented 5 months ago

Hey @the2dl,

Can you close this issue if you're happy to use the code in pull request #52 for your use case?

Cheers