MCP Tools Reference: chronicle.googleapis.com

Tool: get_case_alert

Retrieves a single alert by its resource name.

Fetches all details for a specific alert within a case, including its properties (such as status, priority, and product), as well as optionally expanding to include related information like its SLA and involved entities. This tool is fundamental for drilling down into a specific alert after identifying it through a list view or search.

Workflow Integration: - Used when an analyst clicks on an alert within a case to view its full details in an investigation UI. - Essential for automated playbooks that need to retrieve the current state of an alert before taking action, such as enrichment or remediation. - Provides the necessary data to populate an alert investigation screen, showing all relevant information in one place. - Can be used to verify the result of an update operation by fetching the alert after the update has been applied.

Use Cases: - An analyst retrieves an alert to begin an investigation and understand its context, such as the rule that triggered it and the involved entities. - An automated system fetches an alert to extract entities (IPs, domains, hashes) for further enrichment from other threat intelligence sources. - A manager views an alert to review its details, check the SLA status, and see if a playbook has been run. - A reporting script fetches alert details to generate a detailed incident report.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). case_id (str): The numeric ID of the case (e.g., '12345'). case_alert_id (str): The numeric ID of the case alert to retrieve (e.g., '12345'). Do NOT use the alert title or identifier string. expand (str, optional): A comma-separated list of related resources to include in the response. This allows you to get a more complete picture of the alert in a single call. Supported values: 'sla', 'involvedRelations'.

Returns: CaseAlert: The full CaseAlert object with all its details. If the 'expand' parameter is used, the corresponding related resources will be included. The CaseAlert object contains the following key fields: - Name (str): The full resource name of the alert. - Id (int): The unique identifier for the alert. - DisplayName (str): The title or display name of the alert. - Priority (str): The priority of the alert (e.g., "HIGH"). - Status (str): The current status of the alert (e.g., "OPEN"). - CreateTime (int): The creation timestamp of the alert in milliseconds. - UpdateTime (int): The last update timestamp of the alert in milliseconds. - Product (str): The product that generated the alert. - Vendor (str): The vendor of the product that generated the alert. - RuleGenerator (str): The rule that generated the alert. Returns an error message if the alert is not found or the user does not have permission to view it.

Example Usage: # Get basic details for a specific alert get_case_alert(project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789')

The following sample demonstrate how to use curl to invoke the get_case_alert MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "get_case_alert",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for GetCaseAlert. Next ID: 7

GetCaseAlertRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "caseAlertId": string,
  "expand": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
caseId

string

Case ID.
caseAlertId

string

Case alert ID.
expand

string

Expand.

Output Schema

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. Alerts are tied to data identified as a threat by your security systems. Investigating alerts gives you context about the alert and related entities.

CaseAlert

JSON representation 
{
  "name": string,
  "identifier": string,
  "caseId": integer,
  "createTime": string,
  "updateTime": string,
  "ruleGenerator": string,
  "sourceGroupingIdentifier": string,
  "product": string,
  "displayName": string,
  "vendor": string,
  "environment": string,
  "ticketId": string,
  "sourceSystemName": string,
  "closureDetails": {
    object (AlertClosureDetails)
  },
  "sla": {
    object (Sla)
  },
  "manual": boolean,
  "priority": enum (LegacyCasePriority),
  "sourceIdentifier": string,
  "additionalProperties": string,
  "status": enum (AlertStatus),
  "startTime": string,
  "endTime": string,
  "involvedRelations": [
    {
      object (InvolvedRelation)
    }
  ],
  "siemAlertId": string,
  "sourceUrl": string,
  "sourceRuleUrl": string,
  "sourceSystemUrl": string,
  "sourceRuleIdentifier": string,
  "playbookStatus": enum (WorkflowStatus),
  "attachedPlaybookName": string,
  "nestingDepth": integer,
  "alertGroupIdentifier": string,
  "eventCount": integer,

  // Union field _playbook_run_count can be only one of the following:
  "playbookRunCount": integer
  // End of list of possible types for union field _playbook_run_count.
}
Fields
name

string

Identifier. The unique name(ID) of the CaseAlert. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}
identifier

string

Output only. Title + Guid, e.g. ACCESS DISABLED ACCOUNTS_3A0C90F9-A87E-4E94-8727-7884F686ECDA Legacy identifier of alert used across the legacy modules in the system. Char limit: 2100
caseId

integer

Output only. Case associated with the alert. Added for convenience to be used by the UI.
createTime

string (int64 format)

Output only. The creation time of the record in milliseconds.
updateTime

string (int64 format)

Output only. The modification time of the record in milliseconds.
ruleGenerator

string

Output only. Which rule triggered the alert on the third party. This can be any rule defined in the third party Such SIEM, Splunk, CrowdStrike. Characters limit: 250.
sourceGroupingIdentifier

string

Output only. A key on the alert that can be used to group alerts to the same case. Characters limit: 2100
product

string

Output only. The product associated with the alert. E.g. DLP, WinEventLog:Security
displayName

string

Output only. The display name of the alert. E.g. "DATA EXFILTRATION"
vendor

string

Output only. The vendor of the alert. E.g. "Microsoft". Characters limit: 2100
environment

string

Output only. The environment of the alert.
ticketId

string

Output only. Third party ticket id, can be originated from SIEM or other tools. E.g. "3a0c90f9-a87e-4e94-8727-7884f686ecda"
sourceSystemName

string

Output only. Which alerting system raises the alert. E.g. "QRadar", "Arcsight", "Microsoft CASB". The Integration Name in soar.
closureDetails

object (AlertClosureDetails)

Optional. Defines the close reason of an alert if any.
sla

object (Sla)

Optional. SLA (Service Level Agreement) for the specific alert, used also to calculate aggregate case sla.
manual

boolean

Output only. Whether the alert was created manually.
priority

enum (LegacyCasePriority)

Optional. Default value is HIGH.
sourceIdentifier

string

Output only. Stores the identifier of the source of the alert, could be a connector identifier etc.
additionalProperties

string

Output only. Stores additional data on specific alerts, currently used by connectors, in JSON format.
status

enum (AlertStatus)

Optional. Alert status. Default value is OPEN.
startTime

string (int64 format)

Output only. When the alert was created on the third party product (SIEM, IPS, etc).
endTime

string (int64 format)

Output only. When the alert was closed on the third party product (SIEM, IPS, etc).
involvedRelations[]

object (InvolvedRelation)

Output only. All involved relations for the alert. Directional connection between entities in a given alert.
siemAlertId

string

Output only. The identifier of the alert int SIEM.
sourceUrl

string

Output only. The source URL of the alert.
sourceRuleUrl

string

Output only. The source rule URL of the alert.
sourceSystemUrl

string

Output only. The source system URL.
sourceRuleIdentifier

string

Output only. The source rule identifier.
playbookStatus

enum (WorkflowStatus)

Output only. Alert playbook status.
attachedPlaybookName

string

Output only. The attached playbook name.
nestingDepth

integer

Output only. The nesting depth of the alert.
alertGroupIdentifier

string

Output only. The alert group identifier.
eventCount

integer

Output only. The number of events that triggered the alert.

Union field _playbook_run_count.

_playbook_run_count can be only one of the following:
playbookRunCount

integer

Output only. The number of times the first playbook was run on the alert.

AlertClosureDetails

JSON representation 
{
  "reason": enum (CloseReason),
  "comment": string,
  "rootCause": string,
  "closingTimeMs": string
}
Fields
reason

enum (CloseReason)

Output only. Alert closure reason.
comment

string

Output only. Alert closure comment.
rootCause

string

Output only. Alert closure root cause.
closingTimeMs

string (int64 format)

Output only. Alert closure time in unix format as milliseconds.

Sla

JSON representation 
{
  "expirationTime": string,
  "criticalExpirationTime": string,
  "expirationStatus": enum (SlaExpirationStatus),
  "remainingTimeSinceLastPause": integer
}
Fields
expirationTime

string (int64 format)

Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration.
criticalExpirationTime

string (int64 format)

Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration.
expirationStatus

enum (SlaExpirationStatus)

Output only. SLA expiration status.
remainingTimeSinceLastPause

integer

Output only. Remaining time since last pause.

InvolvedRelation

JSON representation 
{
  "identifier": string,
  "alertIdentifier": string,
  "caseId": integer,
  "relationType": string,
  "from": {
    object (EntityKey)
  },
  "to": {
    object (EntityKey)
  },
  "deviceProduct": string,
  "deviceVendor": string,
  "categoryOutcome": string,
  "destinationPort": string,
  "eventClassId": string,
  "startTime": string,
  "endTime": string,
  "additionalProperties": string
}
Fields
identifier

string

Required. The identifier of the relation.
alertIdentifier

string

Output only. The identifier of the alert the relation belongs to.
caseId

integer

Output only. The id of the case the relation belongs to.
relationType

string

Output only. The type of the relation.
from

object (EntityKey)

Output only. The source of the relation.
to

object (EntityKey)

Output only. The destination of the relation.
deviceProduct

string

Output only. The product.
deviceVendor

string

Output only. The vendor.
categoryOutcome

string

Output only. The category outcome. Blocked/Allowed/null.
destinationPort

string

Output only. The destination port, if relevant
eventClassId

string

Output only. Event display name. For example: Email Check, Data Exfiltration, IRC etc.
startTime

string (int64 format)

Output only. Start time of the involved relation.
endTime

string (int64 format)

Output only. End time of the involved relation.
additionalProperties

string

Output only. Additional data, stored in JSON format.

EntityKey

JSON representation 
{
  "identifier": string,
  "type": string
}
Fields
identifier

string

Output only. The identifier of the entity.
type

string

Output only. The type of the entity.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌