feat: Add curated rules management tools for Chronicle detection rules

docs/servers/secops_mcp.md

@@ -344,6 +344,112 @@ The service account or user credentials need the following Chronicle roles:
       - Zero-day exploitation
       ```
 
+- **`list_curated_rules(project_id=None, customer_id=None, region=None, page_size=100, page_token=None, as_list=False)`**
+    - **Description:** List all curated detection rules available in Chronicle. Retrieves pre-built detection rules provided by Google that cover common security threats and attack patterns.
+    - **Parameters:**
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+        - `page_size` (optional): Maximum number of rules to return per page (default: 100).
+        - `page_token` (optional): Token for retrieving next page of results.
+        - `as_list` (optional): If True, automatically paginate and return all rules as a list (default: False).
+    - **Returns:** Dictionary containing curated rules and pagination metadata.
+    - **Return Example:**
+      ```json
+      {
+        "curatedRules": [
+          {
+            "name": "projects/.../curatedRules/ur_ttp_lol_Atbroker",
+            "displayName": "Atbroker.exe Abuse",
+            "description": "Detects abuse of Windows Atbroker.exe",
+            "severity": "MEDIUM",
+            "type": "MULTI_EVENT"
+          }
+        ],
+        "nextPageToken": "token-for-next-page"
+      }
+      ```
+
+- **`get_curated_rule(rule_id, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Retrieve specific curated rule details by rule ID. Fetches complete definition and metadata for a specific Google-curated detection rule.
+    - **Parameters:**
+        - `rule_id` (required): Unique identifier of the curated rule.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing complete curated rule information.
+
+- **`get_curated_rule_by_name(display_name, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Find curated rule by display name. Searches for a curated rule matching the specified human-readable name.
+    - **Parameters:**
+        - `display_name` (required): Display name of the curated rule to find.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing curated rule information if found.
+
+- **`search_curated_detections(rule_id, start_time, end_time, project_id=None, customer_id=None, region=None, list_basis=None, alert_state=None, page_size=100, page_token=None)`**
+    - **Description:** Search detections generated by a specific curated rule within a time range. Useful for investigating threats detected by Google-curated detection content.
+    - **Parameters:**
+        - `rule_id` (required): Unique identifier of the curated rule.
+        - `start_time` (required): Start of search time range in ISO 8601 format (e.g., "2025-01-20T00:00:00Z").
+        - `end_time` (required): End of search time range in ISO 8601 format.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+        - `list_basis` (optional): Basis for listing detections ("DETECTION_TIME" or "CREATED_TIME").
+        - `alert_state` (optional): Filter by alert state ("ALERTING" or "NOT_ALERTING").
+        - `page_size` (optional): Maximum number of detections to return (default: 100).
+        - `page_token` (optional): Token for retrieving next page.
+    - **Returns:** Dictionary containing detections and pagination metadata.
+
+- **`list_curated_rule_sets(project_id=None, customer_id=None, region=None, page_size=100, page_token=None, as_list=False)`**
+    - **Description:** List all curated rule sets available in Chronicle. Retrieves collections of related curated rules grouped by threat category or data source.
+    - **Parameters:**
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+        - `page_size` (optional): Maximum number of rule sets to return (default: 100).
+        - `page_token` (optional): Token for retrieving next page.
+        - `as_list` (optional): If True, automatically paginate and return all rule sets as a list (default: False).
+    - **Returns:** Dictionary containing rule sets and pagination metadata.
+
+- **`get_curated_rule_set(rule_set_id, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Retrieve specific curated rule set details by ID. Provides information about rules included in the set and deployment options.
+    - **Parameters:**
+        - `rule_set_id` (required): Unique identifier of the curated rule set.
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing complete rule set information.
+
+- **`list_curated_rule_set_deployments(project_id=None, customer_id=None, region=None, page_size=100, page_token=None, as_list=False)`**
+    - **Description:** List deployment status of all curated rule sets. Shows enabled status, precision level (broad/precise), and alerting configuration.
+    - **Parameters:**
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+        - `page_size` (optional): Maximum number of deployments to return (default: 100).
+        - `page_token` (optional): Token for retrieving next page.
+        - `as_list` (optional): If True, automatically paginate and return all deployments as a list (default: False).
+    - **Returns:** Dictionary containing deployment configurations with enabled status, precision level, and alerting settings.
+
+- **`update_curated_rule_set_deployment(category_id, rule_set_id, precision, enabled, alerting, project_id=None, customer_id=None, region=None)`**
+    - **Description:** Update deployment configuration for a curated rule set. Enables/disables rule sets, configures precision level (broad or precise), and controls alerting settings.
+    - **Parameters:**
+        - `category_id` (required): Category ID of the rule set.
+        - `rule_set_id` (required): Unique identifier of the rule set.
+        - `precision` (required): Detection precision level ("broad" or "precise").
+        - `enabled` (required): Whether to enable the rule set for detection (boolean).
+        - `alerting` (required): Whether to enable alerting for detections (boolean).
+        - `project_id` (optional): Google Cloud project ID (defaults to environment config).
+        - `customer_id` (optional): Chronicle customer ID (defaults to environment config).
+        - `region` (optional): Chronicle region (defaults to environment config or 'us').
+    - **Returns:** Dictionary containing updated deployment configuration.
+    - **Note:** Precision modes:
+        - **broad**: More detections, potentially higher false positive rate. Better for comprehensive threat hunting.
+        - **precise**: Fewer detections, lower false positive rate. Better for production alerting.
+
 ## Usage Examples
 
 ### Example 1: Natural Language Security Event Search
@@ -443,6 +549,69 @@ Their TTPs include:
 The group continues to evolve tactics and primarily targets financial institutions, cryptocurrency exchanges, and organizations in sectors of strategic interest to North Korea.
 ```
 
+### Example 5: Curated Rules Management Workflow
+
+```
+User: What pre-built detection rules does Chronicle offer for Azure security monitoring?
+
+AI uses: list_curated_rule_sets(as_list=True)
+
+AI: I found several curated rule sets for Azure security monitoring:
+
+1. "Azure - Network" - Detects network-based threats in Azure environments
+2. "Azure - Authentication" - Monitors suspicious authentication patterns
+3. "Azure - Storage" - Detects unusual storage access patterns
+
+Would you like to enable any of these?
+
+User: Yes, enable the Azure Network rule set with precise detection mode and alerting turned on.
+
+AI uses: list_curated_rule_sets() to get rule set details
+AI extracts category_id and rule_set_id from the rule set information
+
+AI uses: update_curated_rule_set_deployment(
+  category_id="110fa43d-7165-2355-1985-a63b7cdf90e8",
+  rule_set_id="00ad672e-ebb3-0dd1-2a4d-99bd7c5e5f93",
+  precision="precise",
+  enabled=True,
+  alerting=True
+)
+
+AI: Successfully enabled the "Azure - Network" rule set with:
+- Precision: Precise (lower false positives, better for production alerting)
+- Enabled: Yes
+- Alerting: Yes
+
+The rule set is now actively monitoring your Azure network traffic.
+
+User: Can you show me what detections this rule set has generated in the last 7 days?
+
+AI uses: get_curated_rule_set(rule_set_id="00ad672e-ebb3-0dd1-2a4d-99bd7c5e5f93")
+AI gets the rule IDs from the rule set
+
+AI uses: search_curated_detections(
+  rule_id="ur_azure_network_suspicious_traffic",
+  start_time="2025-01-20T00:00:00Z",
+  end_time="2025-01-27T23:59:59Z"
+)
+
+AI: The Azure Network rule set generated 3 detections in the last 7 days:
+
+1. Suspicious outbound connection from Azure VM to known C2 server
+   Detection Time: 2025-01-25T14:23:45Z
+   Affected Asset: azure-vm-prod-01
+
+2. Unusual data transfer volume to external Azure Storage
+   Detection Time: 2025-01-24T09:15:22Z
+   Affected Asset: azure-app-service-02
+
+3. Port scanning activity from Azure container instance
+   Detection Time: 2025-01-22T16:48:31Z
+   Affected Asset: azure-container-instance-03
+
+Would you like me to investigate any of these detections further?
+```
+
 ## Additional Resources
 
 - [Chronicle API Documentation](https://cloud.google.com/chronicle/docs/reference/rest)

server/secops/README.md

@@ -120,6 +120,32 @@ Chronicle Security Operations suite.
 - **`generate_feed_secret(feed_id, project_id=None, customer_id=None, region=None)`**
     - Creates a new authentication secret for feeds that support authentication (e.g., HTTP feeds with basic auth). This replaces any existing secret.
 
+### Curated Rules Management Tools
+
+- **`list_curated_rules(project_id=None, customer_id=None, region=None, page_size=100, page_token=None, as_list=False)`**
+    - List all curated detection rules available in Chronicle. Retrieves pre-built detection rules provided by Google that cover common security threats and attack patterns.
+
+- **`get_curated_rule(rule_id, project_id=None, customer_id=None, region=None)`**
+    - Retrieve specific curated rule details by rule ID. Fetches complete definition and metadata for a specific Google-curated detection rule.
+
+- **`get_curated_rule_by_name(display_name, project_id=None, customer_id=None, region=None)`**
+    - Find curated rule by display name. Searches for a curated rule matching the specified human-readable name.
+
+- **`search_curated_detections(rule_id, start_time, end_time, project_id=None, customer_id=None, region=None, list_basis=None, alert_state=None, page_size=100, page_token=None)`**
+    - Search detections generated by a specific curated rule within a time range. Useful for investigating threats detected by Google-curated detection content.
+
+- **`list_curated_rule_sets(project_id=None, customer_id=None, region=None, page_size=100, page_token=None, as_list=False)`**
+    - List all curated rule sets available in Chronicle. Retrieves collections of related curated rules grouped by threat category or data source.
+
+- **`get_curated_rule_set(rule_set_id, project_id=None, customer_id=None, region=None)`**
+    - Retrieve specific curated rule set details by ID. Provides information about rules included in the set and deployment options.
+
+- **`list_curated_rule_set_deployments(project_id=None, customer_id=None, region=None, page_size=100, page_token=None, as_list=False)`**
+    - List deployment status of all curated rule sets. Shows enabled status, precision level (broad/precise), and alerting configuration.
+
+- **`update_curated_rule_set_deployment(category_id, rule_set_id, precision, enabled, alerting, project_id=None, customer_id=None, region=None)`**
+    - Update deployment configuration for a curated rule set. Enables/disables rule sets, configures precision level (broad or precise), and controls alerting settings.
+
 ### API Capabilities
 
 The MCP server provides the following capabilities:
@@ -136,7 +162,8 @@ The MCP server provides the following capabilities:
 10. **Data Table Management**: Create and manage structured data tables for detection rules
 11. **Reference List Management**: Create and manage reference lists for detection rules
 12. **Feed Management**: Create, update, enable, disable, and delete data feeds
-13. **UDM Search & Export**: Direct UDM querying, field value autocomplete, and CSV export
+13. **Curated Rules Management**: Discover, retrieve, and manage Google-curated detection content and rule set deployments
+14. **UDM Search & Export**: Direct UDM querying, field value autocomplete, and CSV export
 
 ### Example
 
@@ -151,6 +178,7 @@ These tools focus on core security operations tasks:
 - **Entity Analysis**: Use `lookup_entity` to investigate IPs, domains, hashes, and other indicators
 - **Rule Management**: Use `list_security_rules` and `search_security_rules` to manage detection rules
 - **Threat Intelligence**: Use `get_ioc_matches` and `get_threat_intel` for IOC analysis and AI-powered insights
+- **Curated Rules Management**: Use curated rules management tools to discover, enable, and configure Google-maintained detection content
 - **UDM Analysis & Export**: Use `search_udm`, `export_udm_search_csv`, and `find_udm_field_values` for direct UDM querying, data export, and field discovery
 
 ### Data Ingestion & Parsing Tools
@@ -167,6 +195,13 @@ These tools help you maintain reference data for enhanced detections:
 - **Reference Lists**: Use for simple lists of values (e.g., IP addresses, domains, usernames)
 - **Detection Enhancement**: Both data tables and reference lists can be referenced in detection rules to make them more dynamic and maintainable
 
+### Curated Detection Management Tools
+These tools help you leverage Google-curated detection content:
+- **Discovery**: Use `list_curated_rules` and `list_curated_rule_sets` to browse available pre-built detection content
+- **Deployment**: Use `update_curated_rule_set_deployment` to enable rule sets with configurable precision levels (broad/precise)
+- **Investigation**: Use `search_curated_detections` to analyze threats detected by curated rules
+- **Configuration**: Manage alerting settings and precision tuning for optimal detection coverage
+
 ## Configuration
 
 ### MCP Server Configuration

server/secops/secops_mcp/tools/__init__.py

@@ -26,3 +26,4 @@
 from .udm_search import *
 from .search import *
 from .feed_management import *
+from .curated_rules_management import *