chronicle / detection-rules

Collection of YARA-L 2.0 sample rules for the Chronicle Detection API
https://chronicle.security
Apache License 2.0

Rule_manager - Unable to rename remote rules #54

Closed curiousghost closed 4 months ago

curiousghost commented 4 months ago

@threat-punter Is renaming a remote rule not possible via the rule_cli? I tried to rename a rule in our system (changed from "office365_LogTypes" to "Office365_LogTypes") and got the below error. I updated the yaral rule_name, the file name and the rule config entry.

13-Mar-24 07:09:41 UTC | INFO | load_rules | Loaded 7 rules from /opt/actions-runner/_work/chronicle-siem-detection-rules-dev
13-Mar-24 07:09:41 UTC | INFO | update_remote_rules | Attempting to retrieve latest version of all rules from Chronicle
13-Mar-24 07:09:41 UTC | INFO | get_remote_rules | Attempting to retrieve all rules from Chronicle
13-Mar-24 07:09:42 UTC | INFO | get_remote_rules | Retrieved 57 rules
13-Mar-24 07:09:42 UTC | INFO | get_remote_rules | Retrieved a total of 57 rules
13-Mar-24 07:09:42 UTC | INFO | get_remote_rules | Attempting to retrieve rule deployment state for 57 rules
13-Mar-24 07:10:21 UTC | INFO | update_remote_rules | Checking if any rule updates are required
13-Mar-24 07:10:21 UTC | INFO | update_remote_rules | Local rule name Office365_LogTypes not found in remote rules
Traceback (most recent call last):
  File "/opt/actions-runner/_work/_tool/Python/3.10.12/x64/lib/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/opt/actions-runner/_work/_tool/Python/3.10.12/x64/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/opt/actions-runner/_work/chronicle-siem-detection-rules-dev/rule_cli/main.py", line 268, in <module>
    update_remote_rules()
  File "/opt/actions-runner/_work/chronicle-siem-detection-rules-dev/rule_cli/main.py", line 85, in update_remote_rules
    rule_updates = Rules.update_remote_rules(http_session=http_session)
  File "/opt/actions-runner/_work/chronicle-siem-detection-rules-dev/rule_cli/rules.py", line 557, in update_remote_rules
    rule_id = local_rule.rule_id
AttributeError: 'Rule' object has no attribute 'rule_id'

threat-punter commented 4 months ago

Hi @curiousghost,

Yes, you should be able to rename a rule in Chronicle via your codebase by renaming the rule in the .yaral file name, in the YARA-L rule itself, and in the rule_config.yaml file.

Can you pull the latest version of the code from this GitHub repo and try again? Please let me know how it goes.

The output from the --update-remote-rules command should look something like this.

13-Mar-24 11:17:48 MDT | INFO | update_remote_rules | Local rule name google_workspace_mfa_disabled_1 not found in remote rules
13-Mar-24 11:17:48 MDT | INFO | update_remote_rules | Rule google_workspace_mfa_disabled_1 (ru_12345678-1234-1234-1234-1234567890ab) has been renamed - Creating new rule version for existing rule
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Logging summary of rule changes...
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules created: 0
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules new_version_created: 1
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | new_version_created google_workspace_mfa_disabled_1 (ru_12345678-1234-1234-1234-1234567890ab)
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules enabled: 0
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules disabled: 0
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules alerting_enabled: 0
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules alerting_disabled: 0
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules archived: 0
13-Mar-24 11:17:49 MDT | INFO | update_remote_rules | Rules unarchived: 0
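
The rename handling that the log output above reflects, written out as an added example (not rule_cli's own code): a local rule carries the rule_id recorded in rule_config.yaml, so a local name that is missing from the remote set is matched by id before it is treated as a brand-new rule. The LocalRule/RemoteRule shapes, plan_rule_updates and the sample ids are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalRule:
    """Rule loaded from a .yaral file plus its rule_config.yaml entry (hypothetical shape)."""
    name: str
    rule_id: Optional[str]  # None when the rule has never been pushed to Chronicle


@dataclass
class RemoteRule:
    """Rule as returned by the Detection API (hypothetical shape)."""
    rule_id: str
    name: str


def plan_rule_updates(local_rules, remote_rules):
    """Classify local rules the way --update-remote-rules logs them.

    A local name absent from the remote set is only "created" when no remote
    rule carries the same rule_id; otherwise it is a rename and becomes a new
    version of the existing rule. Without this id lookup every rename would
    either crash (the issue's AttributeError) or be pushed as a duplicate rule.
    Content diffing of name-matched rules is out of scope here.
    """
    remote_by_id = {r.rule_id: r for r in remote_rules}
    remote_by_name = {r.name: r for r in remote_rules}
    plan = {"created": [], "new_version_created": [], "name_matched": []}
    for local in local_rules:
        if local.name in remote_by_name:
            plan["name_matched"].append(local.name)
            continue
        remote = remote_by_id.get(local.rule_id) if local.rule_id else None
        if remote is None:
            plan["created"].append(local.name)
        else:
            # Name changed locally but the id matches: a rename, not a new rule
            plan["new_version_created"].append((remote.name, local.name, remote.rule_id))
    return plan


# Constructed sample mirroring the issue: office365_LogTypes renamed to Office365_LogTypes
SAMPLE_LOCAL = [
    LocalRule("Office365_LogTypes", "ru_00000000-0000-0000-0000-000000000001"),
    LocalRule("brand_new_rule", None),
    LocalRule("existing_rule", "ru_00000000-0000-0000-0000-000000000002"),
]
SAMPLE_REMOTE = [
    RemoteRule("ru_00000000-0000-0000-0000-000000000001", "office365_LogTypes"),
    RemoteRule("ru_00000000-0000-0000-0000-000000000002", "existing_rule"),
]
```
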

curiousghost commented 4 months ago

Hi @threat-punter,

Yes, this works with the latest version of the code. Thanks :)

threat-punter commented 4 months ago

Perfect!