MCP Tools Reference: chronicle.googleapis.com

Tool: create_rule

Create a new detection rule in Chronicle SIEM.

Creates a new YARA-L 2.0 detection rule in Chronicle that can generate alerts when the rule conditions are met by ingested events. Rules are the core mechanism for automated threat detection and response in Chronicle.

Workflow Integration: - Essential for implementing custom detection logic based on your organization's security requirements. - Use after analyzing events, entities, or threat intelligence to codify detection patterns. - Complements existing detection capabilities by addressing specific use cases or threat scenarios. - Enables automated detection of TTPs, IOCs, or behavioral patterns identified through investigations.

Use Cases: - Create rules to detect specific attack patterns discovered during threat hunting. - Implement custom detection logic for proprietary applications or unique network configurations. - Detect compliance violations or policy breaches specific to your organization. - Create behavioral detection rules based on user or entity activity patterns. - Implement detection for specific threat intelligence indicators relevant to your environment.

Rule Development Best Practices: - Start with a clear understanding of what you want to detect and the data sources available. - Use precise conditions to minimize false positives while maintaining detection efficacy. - Include appropriate metadata (description, author, severity, MITRE ATT&CK mappings). - Test rules thoroughly using test_rule before deploying to production. - Consider the rule's performance impact on Chronicle's processing capabilities.

Args: rule_text (str): Complete YARA-L 2.0 rule definition including rule metadata, events, and conditions. project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required).

Returns: str: Raw JSON response from the API, typically containing the created Rule object. Returns an error message if rule creation fails.

Example Usage: rule_text = ''' rule suspicious_powershell_download { meta: description = "Detects PowerShell downloading files" author = "Security Team" severity = "Medium" events: $process.metadata.event_type = "PROCESS_LAUNCH" $process.principal.process.command_line = /powershell.*downloadfile/i condition: $process } '''

create_rule(
            rule_text=rule_text,
            project_id="my-project",
            customer_id="my-customer",
            region="us"
        )

Next Steps (using MCP-enabled tools): - Validate the rule syntax using validate_rule. - Use list_rule_errors to check for any runtime errors. - Test the rule using test_rule with historical data to validate its effectiveness. - Monitor the rule's performance and adjust thresholds or conditions as needed. - Review generated alerts using udm_search to assess rule quality. - Document the rule's purpose and expected behavior for operational teams.

The following sample demonstrate how to use curl to invoke the create_rule MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "create_rule",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for CreateRule.

CreateRuleRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "rule": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
rule

string

The rule to create.

Output Schema

The Rule resource represents a user-created rule. NEXT TAG: 31

Rule

JSON representation 
{
  "name": string,
  "revisionId": string,
  "displayName": string,
  "text": string,
  "author": string,
  "severity": {
    object (Severity)
  },
  "metadata": {
    string: string,
    ...
  },
  "createTime": string,
  "revisionCreateTime": string,
  "compilationState": enum (CompilationState),
  "type": enum (RuleType),
  "referenceLists": [
    string
  ],
  "allowedRunFrequencies": [
    enum (RunFrequency)
  ],
  "etag": string,
  "scope": string,
  "compilationDiagnostics": [
    {
      object (CompilationDiagnostic)
    }
  ],
  "nearRealTimeLiveRuleEligible": boolean,
  "dataTables": [
    string
  ],
  "inputsUsed": {
    object (InputsUsed)
  },
  "ruleOwner": enum (RuleOwner),
  "tags": [
    string
  ],
  "alertingEnabled": boolean,
  "liveModeEnabled": boolean,
  "archived": boolean,
  "runFrequency": enum (RunFrequency),
  "currentDayDetectionCount": integer,
  "executionState": enum (ExecutionState)
}
Fields
name

string

Identifier. Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
revisionId

string

Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
displayName

string

Output only. Display name of the rule. Populated in BASIC view and FULL view.
text

string

The YARA-L content of the rule. Populated in FULL view.
author

string

Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
severity

object (Severity)

Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view.
metadata

map (key: string, value: string)

Output only. Additional metadata specified in the meta section of text. Populated in FULL view.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
createTime

string (Timestamp format)

Output only. The timestamp of when the rule was created. Populated in FULL view.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
revisionCreateTime

string (Timestamp format)

Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
compilationState

enum (CompilationState)

Output only. The current compilation state of the rule. Populated in FULL view.
type

enum (RuleType)

Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view.
referenceLists[]

string

Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
allowedRunFrequencies[]

enum (RunFrequency)

Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
etag

string

The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
scope

string

Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}.
compilationDiagnostics[]

object (CompilationDiagnostic)

Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view.
nearRealTimeLiveRuleEligible

boolean

Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
dataTables[]

string

Output only. Resource names of the data tables used in this rule.
inputsUsed

object (InputsUsed)

Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true.
ruleOwner

enum (RuleOwner)

Output only. The rule owner (i.e., whether the rule is customer or Google-authored).
tags[]

string

Output only. Resource names of the tags used in this rule. Example: [ "projects/{project}/locations/{location}/instances/{instance}/ tags/google.mitre.TA000", "projects/{project}/locations/{location}/instances/{instance}/ "tags/google.CloudThreats", ]
alertingEnabled

boolean

Output only. Alerting status for the rule.
liveModeEnabled

boolean

Output only. Live Status for the rule.
archived

boolean

Output only. The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated.
runFrequency

enum (RunFrequency)

Output only. The chosen run frequencies for the rule.
currentDayDetectionCount

integer

Output only. The number of matched events for the current day in UTC time.
executionState

enum (ExecutionState)

Output only. The execution state of the rule.

Severity

JSON representation 
{
  "displayName": string
}
Fields
displayName

string

The display name of the severity level. Extracted from the meta section of the rule text.

MetadataEntry

JSON representation 
{
  "key": string,
  "value": string
}
Fields
key

string
value

string

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

CompilationDiagnostic

JSON representation 
{
  "message": string,
  "position": {
    object (CompilationPosition)
  },
  "severity": enum (Severity),
  "uri": string
}
Fields
message

string

Output only. The diagnostic message.
position

object (CompilationPosition)

Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty.
severity

enum (Severity)

Output only. The severity of a rule's compilation diagnostic.
uri

string

Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

JSON representation 
{
  "startLine": integer,
  "startColumn": integer,
  "endLine": integer,
  "endColumn": integer
}
Fields
startLine

integer

Output only. Start line number, beginning at 1.
startColumn

integer

Output only. Start column number, beginning at 1.
endLine

integer

Output only. End line number, beginning at 1.
endColumn

integer

Output only. End column number, beginning at 1.

InputsUsed

JSON representation 
{
  "usesUdm": boolean,
  "usesEntity": boolean,
  "usesDetection": boolean
}
Fields
usesUdm

boolean

Optional. Whether the rule queries UDM events.
usesEntity

boolean

Optional. Whether the rule queries entity events.
usesDetection

boolean

Optional. Whether the rule queries detections.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌