Open the2dl opened 7 months ago
Hey @the2dl,
Thanks for reaching out. I'd like to try and understand your use case a bit better.
Why would you like to skip archived rules? Is it because you have a lot of them and this would save you some time when running the commands?
If you have many archived rules, have you considered deleting some to clean up your collection of rules?
If you have an option to skip archived rules, are you thinking that you'd like to skip writing them to local .yaral files and skip any updates being made to rules in Chronicle?
What do you think should happen if you use a "skip archived" option when you have a rule that's archived in Chronicle, but configured as enabled=True in your code?
Cheers
Hey @threat-punter,
It is due to the sheer volume (I have ~200 in there) and I'd prefer to not have them brought into the pipeline as they hold no value currently.
Is there a new API to delete rules? That would help me clean some up, but as far as I was aware archive is the only option, plus I want to keep a bunch in archive that I may use later.
Yes, I'd like to skip writing them to .yaral local files and also skip any updates for them, unless they become unarchived.
As far as I'm aware, you can't have an archived rule that is enabled in any way (Live or Alerting). This error pops up:
UNABLE TO ARCHIVE
Rule is currently active. If you wish to archive, you must turn off LIVE status and cancel any Retrohunts (or wait for them to finish).
Hey @the2dl,
Check out the code in pull request #52. I added a --skip-archived argument for the pull-latest-rules and update-remote-rules subcommands.
The new commands are as follows. The --skip-archived argument is optional.
python -m rule_cli pull-latest-rules --skip-archived
python -m rule_cli update-remote-rules --skip-archived
Please feel free to make these edits in your GitHub project and let me know if you encounter any problems/questions.
Cheers
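As an added illustration of the behaviour discussed in this thread (this is not code from the rule_cli project or from pull request #52), the following Python sketch models how a "skip archived" option can decide which rules get written to local .yaral files and which get pushed as updates, while separately flagging the edge case raised above: a rule that is archived in Chronicle but configured as enabled=True locally. The rule and config shapes (dicts with name, archived and enabled keys) and all sample data are constructed assumptions for the example, not the tool's real data model.

```python
"""Model of a --skip-archived selection step for a detection-rule sync pipeline.

Added example; not the rule_cli project's code. Rule and config shapes below
are assumptions made for illustration only.
"""
import argparse
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class SyncPlan:
    to_write: List[str] = field(default_factory=list)    # rules to write as local .yaral files
    to_update: List[str] = field(default_factory=list)   # rules whose remote state should change
    conflicts: List[str] = field(default_factory=list)   # archived remotely but enabled locally


def plan_sync(remote_rules: Iterable[Dict], local_config: Dict[str, Dict],
              skip_archived: bool) -> SyncPlan:
    """Decide what to write and update.

    - An archived rule that the local config wants enabled is a conflict: the
      thread notes Chronicle will not let an archived rule be live, so it is
      neither written nor updated, only reported.
    - Other archived rules are skipped entirely when skip_archived is set.
    - Everything else is written locally; an update is queued only when the
      local enabled flag differs from the remote one.
    """
    plan = SyncPlan()
    for rule in remote_rules:
        name = rule["name"]
        local = local_config.get(name)
        if rule["archived"]:
            if local is not None and local.get("enabled", False):
                plan.conflicts.append(name)
                continue
            if skip_archived:
                continue
        plan.to_write.append(name)
        if local is not None and local.get("enabled", False) != rule["enabled"]:
            plan.to_update.append(name)
    return plan


# Constructed sample data (assumed shapes; not real Chronicle output).
SAMPLE_REMOTE = [
    {"name": "suspicious_powershell", "archived": False, "enabled": True},
    {"name": "old_dns_beacon", "archived": True, "enabled": False},
    {"name": "legacy_login_anomaly", "archived": True, "enabled": False},
    {"name": "new_lateral_movement", "archived": False, "enabled": False},
]
SAMPLE_LOCAL = {
    "suspicious_powershell": {"enabled": True},
    "legacy_login_anomaly": {"enabled": True},   # archived remotely: conflict
    "new_lateral_movement": {"enabled": True},   # differs from remote: update
}


def main() -> None:
    # Mirrors the optional flag shape used by the subcommands above.
    parser = argparse.ArgumentParser(description="Illustrative sync planner (not rule_cli).")
    parser.add_argument("--skip-archived", action="store_true",
                        help="do not write or update rules archived in Chronicle")
    args = parser.parse_args()
    plan = plan_sync(SAMPLE_REMOTE, SAMPLE_LOCAL, args.skip_archived)
    print("write  :", plan.to_write)
    print("update :", plan.to_update)
    print("conflict (archived remotely, enabled locally):", plan.conflicts)


if __name__ == "__main__":
    main()
```

With --skip-archived the two archived rules drop out of the write and update lists, but the archived-yet-enabled rule is still surfaced as a conflict rather than silently ignored, which is the case the maintainer asked about; without the flag, archived rules are written locally as before.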
@threat-punter this is perfect. I tested out both pull and update and they worked great. When this gets merged in I'll update my blog post to reflect the changes.
Thanks for adding this functionality!
Awesome!
Hey @the2dl,
Can you close this issue if you're happy to use the code in pull request #52 for your use case?
Cheers
@threat-punter would it be possible in the Rule Manager to add a feature to allow skipping archived rules for all the processes (get/update/etc.)? I tried to poke around and find where to update the code but couldn't figure it out. It would be a great feature.
It would be nice when running python -m rule_cli to have something like --skip-archive.