Tool: create_case_comment
Creates a new case comment in Google SecOps.
Adds a new, structured comment to an existing SOAR case, enabling analysts to log notes, updates, or decisions within an investigation. This is a critical function for maintaining a clear and auditable record of all activities related to a security case.
Workflow Integration:
- A fundamental part of documenting an investigation and maintaining an audit trail for compliance and review.
- Integrates seamlessly with UI actions, such as an "Add Comment" button on a case details page, allowing for manual entry of findings.
- Allows automated systems and playbooks to log their actions directly into a case, providing a unified timeline of both human and machine activities.
- Can be used to trigger other automated workflows; for example, adding a comment with a specific tag could initiate a new playbook.
Use Cases:
- An analyst adds a manual note about their findings after investigating an alert, such as "Confirmed phishing email from sender X."
- An automated playbook adds a comment detailing an action it took, like "Successfully isolated host Y from the network."
- A user attaches an artifact or file to the case with a descriptive comment, which can be done by providing attachment details within the comment.
- A manager adds a comment to assign the case to a different analyst or to provide guidance on the next steps.
Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- case_id (str): The numeric ID of the case to which the comment will be added (e.g., '12345'). This is a required field.
- comment (str): The content of the comment. This is a required field and can contain text, links, or other relevant information.
Returns:
CaseComment: The newly created CaseComment object, including its unique, server-assigned resource name and creation timestamp. The CaseComment object contains the following key fields:
- Name (str): The full resource name of the comment.
- Id (int): The unique identifier for the comment.
- Comment (str): The content of the comment.
- UserOwnerFullName (str): The full name of the user who created the comment.
- LastEditorFullName (str): The full name of the user who last edited the comment.
- CreateTime (int): The creation timestamp of the comment in milliseconds.
- UpdateTime (int): The last update timestamp of the comment in milliseconds.
- IsFavorite (bool): Indicates if the comment is marked as a favorite.
- IsDeleted (bool): Indicates if the comment has been deleted.
- AlertIdentifier (str): The identifier of the alert associated with the comment, if any.

Returns an error message if the parent case is not found, if the user does not have permission, or if the comment could not be created for other reasons.
Example Usage:

```python
# Create a new comment for a case
create_case_comment(
    project_id='123',
    region='us',
    customer_id='abc',
    case_id='456',
    comment='Investigated suspicious login from external IP. The IP has been added to the blocklist.'
)
```
Next Steps (using MCP-enabled tools):
- Use 'list_case_comments' to see the newly created comment in the case's timeline along with other comments.
- Use 'get_case_comment' with the returned resource name to retrieve its full details at a later time.
- Use 'update_case' to change the status or other properties of the case based on the new comment.
The following sample demonstrates how to use curl to invoke the create_case_comment MCP tool. The placeholder line inside "arguments" must be replaced with the tool's arguments before the request is sent; as written, the body is a template rather than valid JSON.

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "create_case_comment",
      "arguments": {
        // provide these details according to the MCP specification of the tool
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
Input Schema

Request message for CreateCaseComment.

CreateCaseCommentRequest

JSON representation:

```json
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "comment": string
}
```

| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| caseId | Case ID. |
| comment | Comment. |
Output Schema

This service is available for customers who migrated SOAR to a customer-managed project and have the Chronicle API enabled. CaseComment: a Chronicle SOAR case comment.

CaseComment

JSON representation (truncated on the source page; the complete field list follows the representation):

```json
{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "user": string,
  "comment": string,
  "deletionInvoker": string,
  "alertIdentifier": string,
  "caseAttachment": {
    object (CaseAttachment)
  },
  ...
}
```

| Field | Description |
|---|---|
| name | Output only. Identifier. The unique name (ID) of the CaseComment. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseComments/{case_comment} |
| createTime | Output only. The timestamp when the comment was created. |
| updateTime | Output only. The timestamp when the comment was last updated. |
| user | Output only. User owner of the comment. |
| comment | Required. The content of the comment. |
| deletionInvoker | Output only. The user who deleted the comment. |
| alertIdentifier | Optional. The alert associated with the comment. |
| caseAttachment | Optional. The attachment associated with the comment. |
| userOwnerFullName | Output only. The user who created the comment. |
| lastEditorFullName | Output only. The user who last edited the comment. |
| deletedByUser | Output only. The user who deleted the comment. |
| case | Optional. The case associated with the comment. |
| isFavorite | Union field. Optional. Whether the comment is marked as a favorite. |
| isDeleted | Union field. Output only. Indicates if the comment has been soft-deleted. |
CaseAttachment

JSON representation:

```json
{
  "attachmentBase64": string,
  "fileType": string,
  "fileName": string,
  "fileId": string
}
```

| Field | Description |
|---|---|
| attachmentBase64 | Required. Base64-encoded attachment associated with the comment (if it exists). |
| fileType | Required. The file type of the attachment (if it exists). |
| fileName | Required. The file name of the attachment (if it exists). |
| fileId | Output only. The file ID of the attachment. |
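The following added example (not part of the Google SecOps documentation or its client libraries) fills in what the curl sample above leaves as a placeholder and then checks the CaseComment returned by the output schema: it builds the JSON-RPC 2.0 tools/call body with the five required arguments validated up front, parses the returned resource name against the documented format, and confirms the comment actually landed on the targeted case and is not already soft-deleted. The helper names, the sample response, and its project and instance values are assumptions constructed for illustration.

```python
import re

# Required create_case_comment arguments, from the Args section above.
REQUIRED_ARGS = ("project_id", "customer_id", "region", "case_id", "comment")

# Resource-name format documented for CaseComment.name in the output schema.
NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/instances/(?P<instance>[^/]+)/cases/(?P<case>[^/]+)"
    r"/caseComments/(?P<case_comment>[^/]+)$"
)

def build_tools_call(request_id: int, **arguments) -> dict:
    """Build the JSON-RPC 2.0 tools/call body for create_case_comment, refusing
    to send a request with missing or empty required arguments.
    Hypothetical helper, not part of the Google SecOps API."""
    missing = [a for a in REQUIRED_ARGS if not str(arguments.get(a, "")).strip()]
    if missing:
        raise ValueError(f"missing required arguments: {missing}")
    if not str(arguments["case_id"]).isdigit():
        raise ValueError("case_id must be the numeric case ID, e.g. '12345'")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "create_case_comment", "arguments": dict(arguments)},
    }

def check_created_comment(comment: dict, expected_case_id: str) -> dict:
    """Parse the returned CaseComment.name and confirm the comment was written
    to the case we targeted and is not already soft-deleted. Returns the parts."""
    m = NAME_RE.match(comment.get("name", ""))
    if not m:
        raise ValueError(f"unexpected CaseComment name: {comment.get('name')!r}")
    parts = m.groupdict()
    if parts["case"] != expected_case_id:
        raise ValueError(f"comment is on case {parts['case']}, expected {expected_case_id}")
    if comment.get("isDeleted"):
        raise ValueError("server returned a soft-deleted comment")
    return parts

# Constructed sample reply (not real server output) shaped like the CaseComment
# schema; the project and instance values are placeholders.
SAMPLE_RESPONSE = {
    "name": "projects/my-project/locations/us/instances/my-instance/cases/456/caseComments/789",
    "comment": "Investigated suspicious login from external IP. The IP has been added to the blocklist.",
    "isDeleted": False,
}
```

The case check matters for audit integrity: a playbook that records "isolated host Y" on the wrong case produces a misleading timeline, so verify the returned name before treating the write as logged.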
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌