Hey all,
Detection engineer here. Just open-sourced something that's been saving me a lot of time and wanted to share it.
The problem is well-known: Chronicle has a genuinely powerful API — rules management, bulk operations, UDM search, feed control — but most security engineers never touch it. Not because they don't want to, but because using it requires writing Python against an SDK that has its own undocumented quirks, field names that don't match the docs, and behaviors that only appear when you run code against a live tenant.
Some of us script around it. Most don't, and end up doing things manually that should take one command: filtering rules by alerting status, exporting 200 YARA-L rules to individual files, toggling alerting on a subset of rules, validating that credentials actually work.
So I built a Claude Code skill that removes the Python layer. You describe what you need in plain English. Claude maps it to the right API call, generates the code, runs it, returns the result. The skill contains the structured knowledge that makes this work: correct method names, actual response field names (text not ruleText, name.split("/")[-1] for rule IDs, etc.), and patterns for the operations the UI doesn't expose.
A few things it handles that the Chronicle UI doesn't:
- Filter rules by alerting status (enabled vs. archived) without writing a single line
- Bulk-export all YARA-L rules to individual files
- Patch the text of multiple rules at once (useful when you need to add a condition across a rule family)
- Bulk enable/disable alerting on a rule subset
- Validate API connectivity and permissions without touching production data (creates a test rule, verifies it, deletes it immediately)
It also documents the Rule vs. Deployment distinction explicitly — list_rules() gives you the YARA-L definition, list_rule_deployments() gives you the operational state. They're separate endpoints, and a lot of confusion comes from not knowing that.
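To make the Rule/Deployment split and the rule-ID extraction concrete, here is an added example (not code from the skill repo or the SDK) that works offline on constructed records shaped like the two responses described above: it joins definitions to their deployment state by rule ID, filters by alerting flag, and exports YARA-L to one file per rule. The `alerting`/`archived` field names, the `.../rules/<id>/deployment` resource path, and the sample records are assumptions made for the demo.

```python
"""Join Chronicle Rule (definition) and RuleDeployment (state) records offline.

Added example, not from the skill repo. Field names `alerting`/`archived`, the
deployment resource path, and all sample records are assumed/constructed.
"""
from pathlib import Path

# Constructed sample responses (shapes assumed; not captured from a tenant).
SAMPLE_RULES = [
    {"name": "projects/p/locations/us/instances/i/rules/ru_0001",
     "text": "rule suspicious_login { meta: ... }"},
    {"name": "projects/p/locations/us/instances/i/rules/ru_0002",
     "text": "rule legacy_noise { meta: ... }"},
    {"name": "projects/p/locations/us/instances/i/rules/ru_0003",
     "text": "rule no_deployment_yet { meta: ... }"},
]
SAMPLE_DEPLOYMENTS = [
    {"name": "projects/p/locations/us/instances/i/rules/ru_0001/deployment",
     "enabled": True, "alerting": True, "archived": False},
    {"name": "projects/p/locations/us/instances/i/rules/ru_0002/deployment",
     "enabled": False, "alerting": False, "archived": True},
]


def rule_id(resource_name: str) -> str:
    """Take the segment after 'rules/' so both '.../rules/X' and
    '.../rules/X/deployment' map to 'X' (plain split('/')[-1] would not)."""
    parts = resource_name.split("/")
    return parts[parts.index("rules") + 1]


def join_rules(rules, deployments) -> dict:
    """Merge YARA-L text with deployment state, keyed by rule ID. Rules with
    no deployment record keep state=None rather than being silently dropped."""
    state = {rule_id(d["name"]): d for d in deployments}
    return {rule_id(r["name"]): {"text": r["text"], "state": state.get(rule_id(r["name"]))}
            for r in rules}


def filter_by_alerting(joined: dict, alerting: bool) -> list:
    """Rule IDs whose deployment has the requested alerting flag; undeployed rules are excluded."""
    return [rid for rid, v in joined.items()
            if v["state"] is not None and v["state"].get("alerting") is alerting]


def export_rules(joined: dict, out_dir: str) -> list:
    """Write each rule's YARA-L to <out_dir>/<rule_id>.yaral and return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for rid, v in joined.items():
        path = out / f"{rid}.yaral"
        path.write_text(v["text"], encoding="utf-8")
        written.append(str(path))
    return written
```

Swap the two sample lists for the real `list_rules()` / `list_rule_deployments()` results and the same join logic applies; the `state is None` case is worth surfacing, since a rule with no deployment record will never alert.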
Repo (MIT, v1.0): https://github.com/gromerosec/google-secops-claude-skill
Requires Claude Code and a Chronicle service account. The skill itself is a Markdown file — no additional infrastructure.
This is early. The coverage is broad but the natural language mapping will miss edge cases. If you try it and something breaks or a method is wrong, issues are open. If anyone on the SecOps team has thoughts on why Rule and Deployment are separate resources rather than a single object with state — genuinely curious about the design decision.
