Hi everyone,

I am exploring Detection-as-Code implementation. However, I noticed that most existing implementations, like rule_cli, are built using v1 alpha APIs. In my Chronicle console, I only have access to v2 APIs, which makes it difficult to use rule_cli as-is.

  • Is there an official or community-supported tool similar to rule_cli that works with Chronicle Security v2 APIs?
  • If not, what would be the best approach to implement Detection-as-Code using v2 APIs? Any sample code, SDK recommendations, or guidance would be greatly appreciated!
  • If there’s no direct alternative, is there a way to gain access to v1 alpha APIs to use rule_cli?

Thanks in advance for your help!

Hi,

In order to use the Chronicle API v1alpha (Chronicle API | Google Security Operations | Google Cloud), you only need to create a dedicated service account inside the GCP project of your SIEM tenant with the correct IAM permissions (these depend on the use case; for example, if you need to interact with UDM Search, the service account needs the chronicle.events.udmSearch permission).
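As an added illustration (not code from this thread, from Google, or from the rule_cli project): once a dedicated service account like the one described above has rule permissions (assumed here to be the rules-related permissions in the Chronicle API editor role; check your tenant's IAM) and the v1alpha REST API is enabled, a minimal Detection-as-Code loop fits in the standard library. It treats a directory of `.yaral` files in git as the source of truth, pulls the tenant's rules, computes a plan (create / update / unchanged / remote-only) and applies only creates and updates. The project ID, region, instance ID and `ru_*` rule IDs are placeholders, the sample rules are constructed for the offline demo, and the endpoint paths (list/create/patch under `projects.locations.instances.rules`, `view=FULL`, `updateMask=text`) follow the public v1alpha reference as I read it and should be checked against the current docs.

```python
"""Minimal Detection-as-Code sync against the Google SecOps (Chronicle) v1alpha
rules API. Added example, not code from this thread or from google/detection-rules;
endpoint shapes follow the public v1alpha reference as I read it: verify them."""
import json
import re
import subprocess
import urllib.request
from pathlib import Path

# Hypothetical tenant coordinates; replace with your project, region, instance ID.
PROJECT = "my-gcp-project"
LOCATION = "us"
INSTANCE = "00000000-0000-0000-0000-000000000000"
BASE = f"https://{LOCATION}-chronicle.googleapis.com/v1alpha"
PARENT = f"projects/{PROJECT}/locations/{LOCATION}/instances/{INSTANCE}"
# A YARA-L 2.0 rule starts with "rule <name> {"; the name is the sync key.
RULE_HEADER = re.compile(r"^\s*rule\s+([A-Za-z_][A-Za-z0-9_]*)\s*\{", re.M)


def rule_name_from_text(text):
    m = RULE_HEADER.search(text)
    if not m:
        raise ValueError("no 'rule <name> {' header found")
    return m.group(1)

def load_local_rules(directory):
    """Rule name -> YARA-L text for each *.yaral file; duplicate names are a bug."""
    rules = {}
    for path in sorted(Path(directory).glob("*.yaral")):
        text = path.read_text()
        name = rule_name_from_text(text)
        if name in rules:
            raise ValueError(f"duplicate rule name {name} in {path}")
        rules[name] = text
    return rules

def plan_sync(local, remote):
    """remote: Rule resources from rules.list (need 'name' and 'text').
    Returns (to_create {rule name: text}, to_update {resource name: text},
    unchanged, remote_only). Remote-only rules are reported, never deleted."""
    remote_by_name = {rule_name_from_text(r["text"]): r for r in remote}
    to_create, to_update, unchanged = {}, {}, []
    for name, text in local.items():
        r = remote_by_name.get(name)
        if r is None:
            to_create[name] = text
        elif r["text"].strip() != text.strip():
            to_update[r["name"]] = text
        else:
            unchanged.append(name)
    remote_only = [n for n in remote_by_name if n not in local]
    return to_create, to_update, unchanged, remote_only

def access_token():
    """Token from the active gcloud credentials (in CI: activate the SA first)."""
    return subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()

def api_call(token, method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def list_remote_rules(token):
    """Page through rules.list; view=FULL so the rule text is included."""
    rules, page_token = [], ""
    while True:
        page = api_call(token, "GET",
                        f"{BASE}/{PARENT}/rules?view=FULL&pageToken={page_token}")
        rules.extend(page.get("rules", []))
        page_token = page.get("nextPageToken", "")
        if not page_token:
            return rules

def apply_plan(token, to_create, to_update):
    for text in to_create.values():
        api_call(token, "POST", f"{BASE}/{PARENT}/rules", {"text": text})
    for resource_name, text in to_update.items():
        api_call(token, "PATCH", f"{BASE}/{resource_name}?updateMask=text",
                 {"text": text})

# Constructed offline sample so plan_sync can be exercised without a tenant.
def _yaral(name, binary):
    return (f"rule {name} {{\n  meta:\n    author = \"detection-team\"\n"
            "  events:\n    $e.metadata.event_type = \"PROCESS_LAUNCH\"\n"
            f"    $e.principal.process.file.full_path = /{binary}/ nocase\n"
            "  condition:\n    $e\n}\n")

SAMPLE_LOCAL = {
    "suspicious_powershell": _yaral("suspicious_powershell", "powershell.exe"),
    "dns_tunnel": _yaral("dns_tunnel", "iodine"),
    "new_lateral_movement": _yaral("new_lateral_movement", "psexec.exe"),
}
SAMPLE_REMOTE = [  # the ru_* IDs are placeholders, not real rule IDs
    {"name": f"{PARENT}/rules/ru_aaaa",
     "text": _yaral("suspicious_powershell", "pwsh.exe")},  # stale revision
    {"name": f"{PARENT}/rules/ru_bbbb", "text": _yaral("dns_tunnel", "iodine")},
    {"name": f"{PARENT}/rules/ru_cccc", "text": _yaral("legacy_rule", "nc.exe")},
]
```

Against the tenant you would run `plan_sync(load_local_rules("rules"), list_remote_rules(access_token()))`, print the plan in the pull request, and call `apply_plan` only from the merge job. Authentication goes through `gcloud auth print-access-token`, so in CI run `gcloud auth activate-service-account --key-file=<path>` with the dedicated service account first (or swap in google-auth). The sync deliberately never deletes: rules that exist only in the tenant are surfaced as `remote_only`, and removal stays a human-reviewed step, which is also why planning is separated from applying.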


@satya_saketh – Thanks for your questions. I'd recommend contacting your Google SecOps support representative to enable the REST API (currently in v1alpha) so that you can use the rule manager tooling.


Enabling this API does not disable SecOps' other API endpoints (e.g. if you have code that uses the Ingestion API, that will continue to work).


Hi @David-French
Is there a team working on creating a new rule_cli tool for the v2 APIs?


@satya_saketh – No, we made the decision to have this tool utilize the latest Google SecOps API. I expect that the v2 APIs that you're referring to will be eventually retired.
