Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule_Manager - Skip archived Rules flag #50

Open
the2dl opened this issue Feb 19, 2024 · 7 comments
Open

Rule_Manager - Skip archived Rules flag #50

the2dl opened this issue Feb 19, 2024 · 7 comments

Comments

@the2dl
Copy link

the2dl commented Feb 19, 2024

@threat-punter would it be possible in the Rule Manager to add in a feature to allow the skipping of Archived rules for all the processes (get/update/etc)? I tried to poke around and find where to update the code but couldn't figure it out, would be a great feature.

Would be nice when running python -m rule_cli something like --skip-archive.
@threat-punter
Copy link
Contributor

Hey @the2dl,

Thanks for reaching out. I'd like to try and understand your use case a bit better.

Why would you like to skip archived rules? Is it because you have a lot of them and this would save you some time when running the commands?

If you have many archived rules, have you considered deleting some to clean up your collection of rules?

If you have an option to skip archived rules, are you thinking that you'd like to skip writing them to local .yaral files and skip any updates being made to rules in Chronicle?

What do you think should happen if you use a "skip archived" option when you have a rule that's archived in Chronicle, but configured as enabled=True in your code?

Cheers

@the2dl
Copy link
Author

the2dl commented Feb 21, 2024

Hey @threat-punter,

It is due to the sheer volume (I have ~200 in there) and I'd prefer to not have them brought into the pipeline as they hold no value currently.

Is there a new API to delete rules? That would help me clean some up, but as far as I was aware archive is the only option, plus I want to keep a bunch in archive that I may use later.

Yes, I'd like to skip writing them to .yaral local files and also skip any updates for them, unless they become unarchived.

As far as I'm aware, you can't have an archived rule that is enabled in any way (Live or Alerting)

This error pops >

UNABLE TO ARCHIVE

Rule is currently active. If you wish to archive, you must turn off LIVE status and cancel any Retrohunts (or wait for them to finish).

@threat-punter
Copy link
Contributor

Hey @the2dl,

Did you get this figured out? I'm just reading your awesome blog post and see that you figured out how to skip writing rules to local .yaral files if they're archived in Chronicle.

There is indeed an API method to delete rules in Chronicle.

@threat-punter
Copy link
Contributor

Hey @the2dl,

Check out the code in pull request #52. I added a --skip-archived argument for the pull-latest-rules and update-remote-rules subcommands.

The new commands are as follows. The --skip-archived argument is optional.

python -m rule_cli pull-latest-rules --skip-archived
python -m rule_cli update-remote-rules --skip-archived

Please feel free to make these edits in your GitHub project and let me know if you encounter any problems/questions.

Cheers

@the2dl
Copy link
Author

the2dl commented Feb 27, 2024

@threat-punter this is perfect. I tested out both pull and update and they worked great. When this gets merged in I'll update my blog post to reflect the changes.

Thanks for adding this functionality!

@threat-punter
Copy link
Contributor

Awesome!

@threat-punter
Copy link
Contributor

Hey @the2dl,

Can you close this issue if you're happy to use the code in pull request #52 for your use case?

Cheers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@the2dl @threat-punter