MCP Tools Reference: chronicle.googleapis.com

Tool: create_parser

Create a new parser for a specific log type in Chronicle.

Creates a custom parser using Chronicle's parser configuration language to transform raw logs into Chronicle's Unified Data Model (UDM) format. The tool automatically handles the required Base64 encoding of the parser code.

Agent Responsibilities:
- Provide the parser_code argument as a plain text string.

Workflow Integration:
- Use when you need to ingest custom log formats that Chronicle doesn't natively support.
- Essential for integrating custom applications, proprietary systems, or modified log formats.
- Enables normalization of diverse log sources into a consistent UDM structure for analysis.
- Prerequisite for meaningful analysis of custom log sources through Chronicle's detection capabilities.

Use Cases:
- Create parsers for custom application logs with unique formats.
- Parse proprietary security tool outputs into UDM format.
- Handle modified versions of standard log formats that existing parsers can't process.
- Transform legacy log formats for Chronicle ingestion during SIEM migrations.
- Parse structured data from APIs or databases into security events.

Args:
- log_type (str): Chronicle log type identifier for this parser (e.g., "CUSTOM_APP", "WINDOWS_AD").
- parser_code (str): Plain text parser configuration code using Chronicle's parser DSL.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- validated_on_empty_logs (bool): Whether to validate the parser even on empty log samples. Defaults to True.

Returns: str: Success message with the created parser ID and details, or an error message.

Example Usage:

# Define parser code in plain text. A raw string (r''') keeps the "\s" in the
# grok pattern from being interpreted as a Python escape sequence.
parser_text = r'''
filter {
  json {
    source => "message"
  }
  mutate {
    replace => {
      "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
      "event1.idm.read_only_udm.metadata.vendor_name" => "ACME Labs"
    }
  }
  grok {
    match => {
      "message" => ["^(?P<_firstWord>[^\s]+)\s.*$"]
    }
    on_error => "_grok_message_failed"
  }
  if ![_grok_message_failed] {
    mutate {
      replace => {
        "event1.idm.read_only_udm.metadata.description" => "%{_firstWord}"
      }
    }
  }
  mutate {
    merge => {
      "@output" => "event1"
    }
  }
}
'''

create_parser(
    log_type="CUSTOM_APP",
    parser_code=parser_text,
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)
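The parser above only runs inside Chronicle (via run_parser), but the transform it describes can be traced locally to see which UDM fields it sets. The Python script below is an added illustration, not code from this reference and not Chronicle's parser engine: it re-implements the example parser's filter chain (json, grok with on_error, the conditional mutate, and the merge to @output) over two constructed sample logs, one that the grok pattern matches and one with no whitespace that it does not. Treating a failing json filter as a failure of the whole parser is an assumption of this emulation.

```python
import json
import re

# Constructed sample raw logs (not from the page). The second contains no
# whitespace, so the grok pattern in the example parser cannot match it.
SAMPLE_LOGS = [
    '{"user": "alice", "action": "login"}',
    '{"compact":true}',
]

# The grok pattern from the example parser. Python's re accepts the same
# (?P<name>...) named-group syntax that the parser DSL uses.
FIRST_WORD = re.compile(r"^(?P<_firstWord>[^\s]+)\s.*$")


def emulate_parser(raw_log: str) -> dict:
    """Approximate what the example parser does to one raw log.

    Local emulation for illustration only; it is not Chronicle's engine and
    does not replace testing the parser with run_parser.
    """
    state = {"message": raw_log}

    # json { source => "message" }: parse the raw log as JSON into the state.
    # Assumption: with no on_error on this filter, a parse failure fails the parser.
    try:
        parsed = json.loads(raw_log)
    except json.JSONDecodeError as exc:
        raise ValueError(f"json filter failed: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("json filter failed: top-level value is not an object")
    state.update(parsed)

    # mutate { replace => { ...event_type, ...vendor_name } }: fixed metadata.
    event1 = {"idm": {"read_only_udm": {"metadata": {
        "event_type": "GENERIC_EVENT",
        "vendor_name": "ACME Labs",
    }}}}
    metadata = event1["idm"]["read_only_udm"]["metadata"]

    # grok { match => { "message" => [...] } on_error => "_grok_message_failed" }
    # Note that grok runs on the raw "message" string, not on the fields the
    # json filter produced, so the first "word" of a JSON log is JSON text.
    m = FIRST_WORD.match(state["message"])
    if m:
        state["_firstWord"] = m.group("_firstWord")
    else:
        state["_grok_message_failed"] = True

    # if ![_grok_message_failed] { mutate { replace => { ...description } } }
    if not state.get("_grok_message_failed"):
        metadata["description"] = state["_firstWord"]

    # mutate { merge => { "@output" => "event1" } }: emit the event.
    return {
        "@output": [event1],
        "grok_failed": bool(state.get("_grok_message_failed")),
    }


def run_samples() -> list:
    """Run the emulation over the constructed sample logs."""
    return [emulate_parser(log) for log in SAMPLE_LOGS]


if __name__ == "__main__":
    for result in run_samples():
        print(json.dumps(result, indent=2))
```

For the first sample the description becomes `{"user":`, the text up to the first whitespace of the raw JSON, which is what the page's grok pattern actually selects; for the second sample the grok fails, `_grok_message_failed` is set, and the event is still emitted with event_type and vendor_name but without a description.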
        

Next Steps (using MCP-enabled tools):
- Test the parser using run_parser with sample log data.
- Activate the parser using activate_parser once testing is complete.
- Ingest logs using ingest_raw_log with the specified log_type.
- Monitor parsing success and adjust the parser configuration if needed.
- Create detection rules that leverage the parsed UDM fields.

The following sample demonstrates how to use curl to invoke the create_parser MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "create_parser",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for CreateParser.

CreateParserRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "parserCode": string,
  "validatedOnEmptyLogs": boolean
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

logType

string

Log type of the parser to create.

parserCode

string

The plain text parser code to create.

validatedOnEmptyLogs

boolean

Flag to bypass parser validation when no logs are found. If enabled, the parser won't be rejected during the validation phase when no logs are found.

Output Schema

Parser is a representation of a parser.

Parser

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "parserId": string,
  "state": enum (State),
  "createTime": string,
  "code": string
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

logType

string

Log type of the parser.

parserId

string

ID of the parser.

state

enum (State)

State of the parser.

createTime

string (Timestamp format)

Time at which the parser was created.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

code

string

Code of the parser.

Timestamp

JSON representation
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.
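The curl request above leaves the arguments object as a placeholder, and the Output Schema describes the returned Parser only field by field. The Python below is an added example, not part of this reference and not Chronicle's client code: it builds the JSON-RPC 2.0 tools/call body for create_parser with the arguments named in the Input Schema, checks that the required fields are present and that parserCode is sent as plain text, and parses a constructed response into the Parser fields, converting the RFC 3339 createTime (0, 3, 6 or 9 fractional digits, "Z" or an offset) into the {seconds, nanos} Timestamp representation shown above. The argument key names follow the camelCase Input Schema; if the server's tool listing advertises the snake_case names from the Args section, use those instead. The shape of the result envelope (Parser JSON either as the result itself or as the text of the first content item) and the sample response are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

REQUIRED_ARGS = ("projectId", "customerId", "region", "logType", "parserCode")

# RFC 3339 as described for createTime: optional 3, 6 or 9 fractional digits,
# then either "Z" or an explicit "+HH:MM" / "-HH:MM" offset.
RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{9}|\d{6}|\d{3}))?(Z|[+-]\d{2}:\d{2})$"
)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_create_parser_call(project_id, customer_id, region, log_type, parser_code,
                             validated_on_empty_logs=True, request_id=1):
    """Return the JSON-RPC 2.0 body for tools/call -> create_parser.

    parserCode is sent as plain text: the tool performs the Base64 encoding itself,
    so pre-encoding it here would produce a parser that fails validation.
    """
    arguments = {
        "projectId": project_id,
        "customerId": customer_id,
        "region": region,
        "logType": log_type,
        "parserCode": parser_code,
        "validatedOnEmptyLogs": bool(validated_on_empty_logs),
    }
    missing = [k for k in REQUIRED_ARGS if not str(arguments[k]).strip()]
    if missing:
        raise ValueError(f"missing required arguments: {missing}")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "create_parser", "arguments": arguments},
    }


def rfc3339_to_timestamp(value):
    """Convert an RFC 3339 string to the {seconds, nanos} Timestamp representation."""
    m = RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, tz = m.groups()
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=tzinfo)
    seconds = int((dt - EPOCH).total_seconds())   # offset is folded into UTC here
    nanos = int(frac.ljust(9, "0")) if frac else 0  # right-pad to nanosecond resolution
    return {"seconds": str(seconds), "nanos": nanos}


def parse_create_parser_response(body):
    """Extract the Parser fields from a tools/call response; raise on a JSON-RPC error."""
    msg = json.loads(body)
    if "error" in msg:
        raise RuntimeError(f"create_parser failed: {msg['error']}")
    result = msg["result"]
    # Assumption: the Parser JSON is the result itself or the first content item's text.
    parser = result if "parserId" in result else json.loads(result["content"][0]["text"])
    for key in ("projectId", "customerId", "region", "logType", "parserId", "state", "createTime"):
        if key not in parser:
            raise ValueError(f"Parser response missing {key!r}")
    return {
        "parserId": parser["parserId"],
        "logType": parser["logType"],
        "state": parser["state"],
        "createTime": rfc3339_to_timestamp(parser["createTime"]),
    }


# Constructed sample response (not captured from a real server). The State enum's
# values are not listed on this page, so a placeholder string is used.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"content": [{"type": "text", "text": json.dumps({
        "projectId": "my-project", "customerId": "my-customer", "region": "us",
        "logType": "CUSTOM_APP", "parserId": "PARSER_ID_PLACEHOLDER",
        "state": "STATE_PLACEHOLDER",
        "createTime": "2014-10-02T15:01:23.045123456Z",
        "code": "filter { }",
    })}]},
})

if __name__ == "__main__":
    print(json.dumps(build_create_parser_call("my-project", "my-customer", "us",
                                              "CUSTOM_APP", "filter { }"), indent=2))
    print(parse_create_parser_response(SAMPLE_RESPONSE))
```

Keeping the request builder separate from the transport means the same body can be sent with curl --data or any HTTP client, and the response parser refuses to treat a JSON-RPC error object as a created parser, which is the failure a scripted workflow most often glosses over before moving on to activate_parser.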

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌