
@mihirvala08 (Collaborator)

Summary

Added Curated Rules Management tools to SecOps MCP for Chronicle SIEM, enabling AI-assisted management of Google-curated detection content and rule set deployments.

What

Added 8 Chronicle SIEM Curated Rules Management tools:

  • list_curated_rules - List all curated detection rules with pagination support
  • get_curated_rule - Retrieve specific curated rule details by rule ID
  • get_curated_rule_by_name - Find curated rule by display name
  • search_curated_detections - Search detections generated by a specific curated rule with time range filtering
  • list_curated_rule_sets - List all curated rule sets available in Chronicle
  • get_curated_rule_set - Retrieve specific curated rule set details by ID
  • list_curated_rule_set_deployments - List deployment status of all curated rule sets with precision level and alerting configuration
  • update_curated_rule_set_deployment - Update deployment configuration for a curated rule set (enable/disable, precision level, alerting)

Changelog

  • server/secops/secops_mcp/tools/curated_rules_management.py: Added curated rules management tools for discovering, retrieving, and managing Google-curated detection content with comprehensive documentation and error handling
  • server/secops/secops_mcp/tools/__init__.py: Added import for curated_rules_management module
  • server/secops/tests/test_secops_curated_rules_tools.py: Integration tests for curated rules management tools covering all 8 tools with real Chronicle API calls

@mihirvala08 mihirvala08 marked this pull request as ready for review January 30, 2026 12:33
@mihirvala08 mihirvala08 requested a review from a team January 30, 2026 12:33
@dandye dandye self-requested a review January 30, 2026 12:48
@dandye (Collaborator) commented Jan 30, 2026

Integration Test Evidence

List Tools

[Screenshot 2026-01-30 at 7:47:48 AM]

List Curated Rule Sets

[Screenshot 2026-01-30 at 7:49:00 AM]

Get Rule Set (by name)

[Screenshot 2026-01-30 at 7:51:27 AM]

Would you like to manage this rule set's deployment (enable/disable, set precision) or list the specific rules contained within it?

"list its rules" (list_curated_rules)

That prompt confused the agent:

"""
I have listed a subset of available curated rules, but none of the initial results belong to the "CDIR SCC Enhanced Inhibit System Recovery Alerts" rule set (0223c3ee-a0ab-762f-15d0-df077ec81782). The output is paginated, and since there are many rules, searching manually is inefficient.

However, I noticed that the curatedRuleSet field in the rule object contains the full resource name of the rule set it belongs to.

Since I cannot filter list_curated_rules by rule set ID directly, and listing all pages would be slow, I will use a different approach. I'll search for rules that are likely part of this set by searching for the technique "Inhibit System Recovery" or "SCC" in the rule names or descriptions, or by making a reasonable assumption based on the rule set's description.

Wait, I recall that get_curated_rule_set was supposed to return the rules. Let's try list_curated_rules again with a larger page size, or simply inform you that I can't filter by set ID directly but can search for specific rules if you have a topic in mind.

Actually, I can try search_curated_detections if I want to see activity, but you asked for the rules themselves for management.

Let's try one more thing: get_curated_rule_set but this time I'll be very careful to check if I missed a rules parameter or if there is a list_curated_rules filter I can guess. The list_curated_rules output shows curatedRuleSet field. This is the link.

I will list rules again, but this time I'll fetch more outcomes or scan for a rule that seems related to "Inhibit System Recovery" to confirm the content. But realistically, without a filter, I might just have to say "Here are some examples" or ask for a specific rule name.

However, the user asked "list its rules". I should try to fulfill that. I'll try referencing the list_curated_rules tool again. Maybe I can pass the rule set name as a parent? No, standard is project_id/....

...
"""

That thought process went on for a while and ultimately failed.

I then tried to be more specific:

"List the rules for Rule Set ID 0223c3ee-a0ab-762f-15d0-df077ec81782"

"""
Thought for 11s

MCP Tool:
local-secops / list_curated_rules

Show Details
The list of curated rules was truncated, and the specific rule belonging to set 0223c3ee-a0ab-762f-15d0-df077ec81782 was not visible in the response.

However, based on the rule set name "CDIR SCC Enhanced Inhibit System Recovery Alerts" and the fact that it contains a single rule (quota size 1) related to "Inhibit System Recovery" (T1490), the rule likely has a similar name.

I can confirm that the Rule Set itself is available and valid. Since I cannot retrieve the specific Rule ID without pagination through likely hundreds of rules (and filtering server-side isn't supported), I recommend managing the Rule Set directly using update_curated_rule_set_deployment to enable/disable it.

Would you like me to enable this rule set for you?
"""

So, it seems the tool is balking at pagination.
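The failure described in the review comment above is that list_curated_rules cannot be filtered by rule set server-side, so an agent has to walk every page and match on the curatedRuleSet field itself. The following is an added example (not code from this PR or from the secops_mcp project) of doing that walk deterministically in code rather than leaving it to the model. It assumes a list call that returns a dict with curatedRules and nextPageToken keys; that response shape, the fetch_curated_rules_page stand-in, the resource-name prefix and the sample rules are all constructed for the example. The rule set ID is the one quoted in the comment.

```python
"""Client-side filtering of curated rules by rule set across paginated results.

Added example, not part of the PR. No Chronicle client is imported; the
`fetch_curated_rules_page` function below is a constructed stand-in for the
real list call, and the `curatedRules` / `nextPageToken` response keys are an
assumption about the response shape.
"""
from typing import Callable, Dict, Iterator, List, Optional

# Rule set ID quoted in the review comment; the parent path is a placeholder.
RULE_SET_ID = "0223c3ee-a0ab-762f-15d0-df077ec81782"
_PARENT = "projects/PROJECT_ID/locations/LOCATION/instances/INSTANCE_ID"


def _rule(rule_id: str, display_name: str, set_id: str) -> Dict:
    """Build a constructed rule object with the curatedRuleSet link field."""
    return {
        "name": f"{_PARENT}/curatedRules/{rule_id}",
        "displayName": display_name,
        "curatedRuleSet": f"{_PARENT}/curatedRuleSets/{set_id}",
    }


# Constructed sample data: three pages, only one rule belongs to RULE_SET_ID.
_SAMPLE_PAGES: List[Dict] = [
    {
        "curatedRules": [
            _rule("ur_0001", "Suspicious Scheduled Task Creation", "set-aaaa"),
            _rule("ur_0002", "Encoded PowerShell Command", "set-bbbb"),
        ],
        "nextPageToken": "page-2",
    },
    {
        "curatedRules": [
            _rule("ur_0003", "Volume Shadow Copy Deletion", RULE_SET_ID),
        ],
        "nextPageToken": "page-3",
    },
    {
        # Last page: no nextPageToken means the listing is complete.
        "curatedRules": [
            _rule("ur_0004", "Unusual Outbound Data Volume", "set-cccc"),
        ],
    },
]


def fetch_curated_rules_page(page_token: Optional[str] = None) -> Dict:
    """Stand-in for the paginated list API (constructed, not the real client)."""
    index = 0 if page_token is None else int(page_token.split("-")[1]) - 1
    return _SAMPLE_PAGES[index]


def iter_curated_rules(
    fetch_page: Callable[[Optional[str]], Dict], max_pages: int = 1000
) -> Iterator[Dict]:
    """Yield every rule across all pages, following nextPageToken.

    Stops on a missing token; refuses to loop forever if the API hands back a
    token it has already returned or the page count exceeds max_pages.
    """
    token: Optional[str] = None
    seen_tokens = set()
    for _ in range(max_pages):
        page = fetch_page(token)
        yield from page.get("curatedRules", [])
        token = page.get("nextPageToken")
        if not token:
            return
        if token in seen_tokens:
            raise RuntimeError(f"pagination loop detected on token {token!r}")
        seen_tokens.add(token)
    raise RuntimeError(f"gave up after {max_pages} pages")


def resource_id(resource_name: str) -> str:
    """Last path segment of a resource name, e.g. '.../curatedRuleSets/<id>' -> '<id>'."""
    return resource_name.rsplit("/", 1)[-1]


def rules_in_set(
    fetch_page: Callable[[Optional[str]], Dict], rule_set_id: str
) -> List[Dict]:
    """Return all curated rules whose curatedRuleSet link points at rule_set_id."""
    return [
        rule
        for rule in iter_curated_rules(fetch_page)
        if resource_id(rule.get("curatedRuleSet", "")) == rule_set_id
    ]


if __name__ == "__main__":
    for rule in rules_in_set(fetch_curated_rules_page, RULE_SET_ID):
        print(resource_id(rule["name"]), rule["displayName"])
```

Wrapping the loop in a single tool call (for example a list_curated_rules_in_set tool that takes the rule set ID) keeps the page-walking and the field match out of the model's reasoning, which is where the transcript above shows it going astray; the loop guard matters because a tool that can be driven into an unbounded listing by a bad token is a denial-of-service risk for the MCP server itself.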
