Hello,
I am working on automating rule creation and deployment in Google Chronicle using the secops Python SDK inside Siemplify jobs.
I can successfully create rules and enable them (enable_rule works fine). However, I cannot enable alerting for the rules:
-
The method
set_rule_alertingdoes not exist in theChronicleClientobject. -
The method
update_rule_deploymentalso does not exist.
Both of them appear in the documentation/examples:
But in my environment (chronicle object from SecOpsClient), they are not available when I run dir(chronicle).
Below is my current script:
from SiemplifyJob import SiemplifyJob
from secops import SecOpsClient
import textwrap
import traceback
# -------------------------
# Global parameters
# -------------------------
RULE_ENABLED = True # enable/disable continuous execution
RULE_ALERTING = True # define if detections generate alerts
RUN_FREQUENCY = "LIVE" # not guaranteed in all SDK versions
INTEGRATION_NAME = "CustomRules"
SCRIPT_NAME = "CreateNetworkRules"
def try_call_one_of(objs, method_name, *args, **kwargs):
"""
Try to call 'method_name' on each object in 'objs' in order.
Returns (True, result) if successful, or (False, None) if no object had the method.
"""
for obj in objs:
func = getattr(obj, method_name, None)
if callable(func):
return True, func(*args, **kwargs)
return False, None
def main():
siemplify = SiemplifyJob()
siemplify.script_name = SCRIPT_NAME
# Service account credentials
service_account_info = {
# my creds
}
client = SecOpsClient(service_account_info=service_account_info)
chronicle = client.chronicle(
# my creds
) # chronicle.create_rule works fine here
try:
# Define two rules
rule1 = textwrap.dedent("""
rule simple_network_rule10 {
meta:
description = "Detect generic network connections"
author = "SecOps SDK Example"
severity = "Medium"
priority = "Medium"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.principal.hostname != ""
condition:
$e
}
""")
rule2 = textwrap.dedent("""
rule simple_network_rule20 {
meta:
description = "Detect generic network connections"
author = "SecOps SDK Example"
severity = "Medium"
priority = "Medium"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.principal.hostname != ""
condition:
$e
}
""")
# Create and deploy the rules
for idx, rule_text in enumerate([rule1, rule2], start=1):
siemplify.LOGGER.info(f"Creating rule {idx}...")
rule = chronicle.create_rule(rule_text)
rule_id = rule.get("name", "").split("/")[-1]
siemplify.LOGGER.info(f"Rule {idx} created successfully! ID: {rule_id}")
# Enable rule (works fine)
enabled_ok, _ = try_call_one_of(
(chronicle, client),
"enable_rule",
rule_id
)
if enabled_ok:
siemplify.LOGGER.info(f"Rule {idx} enabled via enable_rule.")
else:
siemplify.LOGGER.info("No 'enable_rule' method found in chronicle/client.")
# Enable alerting (fails: methods not found)
if RULE_ALERTING:
alert_ok, _ = try_call_one_of(
(chronicle, client),
"set_rule_alerting",
rule_id,
True
)
if alert_ok:
siemplify.LOGGER.info(f"Alerting enabled for rule {idx}.")
else:
upd_ok, _ = try_call_one_of(
(chronicle, client),
"update_rule_deployment",
rule_id,
alerting=True
)
if upd_ok:
siemplify.LOGGER.info(f"Alerting applied via update_rule_deployment for rule {idx}.")
else:
siemplify.LOGGER.info(
"Could not enable alerting: neither 'set_rule_alerting' "
"nor 'update_rule_deployment' methods were found in chronicle/client."
)
siemplify.LOGGER.info(
f"Deployment (after attempts) for rule {idx}: enabled={RULE_ENABLED}, alerting={RULE_ALERTING}"
)
except Exception as e:
siemplify.LOGGER.error(f"Error running Job {SCRIPT_NAME}")
siemplify.LOGGER.exception(e)
siemplify.LOGGER.error(traceback.format_exc())
raise
siemplify.end_script()
if __name__ == "__main__":
main()