feat(integrations): add Google SecOps Detection Engine integration

[generalplantain]

Summary

Adds Google SecOps Detection Engine API integration for YARA-L rule management and threat detection automation.

Changes

• 16 new UDF functions for Detection Engine management
• Icon added for the Google SecOps Detection namespace
• Rule CRUD operations (create, read, update, delete)
• Rule verification and deployment control
• Detection querying with time filters
• Retrohunt management for historical threat hunting
• Error monitoring for rule debugging

Functions Included (16 total)

Rule Management (6)

Function	Description
list_rules	List all detection rules
get_rule	Get rule details
create_rule	Create new YARA-L rule
update_rule	Update existing rule
delete_rule	Delete a rule
verify_rule	Validate rule syntax

Rule Deployment (3)

Function	Description
enable_rule	Enable live alerting
disable_rule	Disable alerting
get_rule_deployment	Get deployment status

Detections (1)

Function	Description
list_detections	Get detections for a rule

Retrohunts (4)

Function	Description
create_retrohunt	Run rule on historical data
get_retrohunt	Get retrohunt status
list_retrohunts	List all retrohunts
cancel_retrohunt	Cancel running retrohunt

Errors (1)

Function	Description
list_rule_errors	Get rule errors

Authentication

Uses Tracecat's native Google Service Account integration (client_credentials grant).

• Provider: google
• Token: GOOGLE_SERVICE_TOKEN
• Required scope: https://www.googleapis.com/auth/chronicle-backstory

Additional config secret: chronicle_config with CHRONICLE_REGION

Use Cases

• Rule Management: Create, test, and deploy YARA-L detection rules
• Threat Hunting: Run retrohunts to search historical data
• Detection Monitoring: Query detections and track alerts
• Rule Testing: Verify syntax before deployment
• Alerting Control: Enable/disable rules as needed

Breaking Changes

None - This is a new integration.

Checklist

• Code follows project style guidelines
• Uses Tracecat's native Google OAuth integration
• Functions documented with clear descriptions
• Icon added for UI display

---

Summary by cubic

Adds Google SecOps Detection Engine integration with 16 UDFs to manage YARA-L rules, deployments, detections, retrohunts, and errors. Enables end-to-end detection automation in Tracecat.

• New Features

  • Rule management: list, get, create, update, delete, verify.
  • Deployment control: enable, disable, get status.
  • Detections: query by rule with time filters and pagination.
  • Retrohunts: create, get, list, cancel.
  • Errors: list compilation/execution errors.

• Migration

  • Configure Tracecat Google Service Account (client_credentials) with scope https://www.googleapis.com/auth/chronicle-backstory.
  • Pass base_url to each function using the region endpoint (US: https://backstory.googleapis.com, EU: https://europe-backstory.googleapis.com, Asia: https://asia-southeast1-backstory.googleapis.com).

^{Written for commit 7013699. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 2 files

[topher-lo]

Same question re proper return schema for 204. I suggest just return {"status_code": request.status_code}? Since content is None but we also want to inform the user it was a successful call?