MCP Tools Reference: chronicle.googleapis.com

Tool: get_involved_entity

Retrieves a specific involved entity associated with a case alert in Chronicle SIEM.

Provides detailed information about a single involved entity.

Workflow Integration: - Used to drill down into a specific entity from a list of entities within a case alert. - Enables other systems to get the current state of an entity before taking action.

Use Cases: - An analyst clicks on an entity in the SOAR UI to view its full details. - An automated playbook fetches an entity to extract specific indicators of compromise (IoCs).

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). case_id (str): The numeric ID of the parent case (e.g., "1"). case_alert_id (str): The numeric ID of the specific alert within the case (e.g., "789"). This is not the descriptive alert identifier string. You can find this numeric ID as the last part of the 'Name' field when you list alerts using 'list_case_alerts'. involved_entity_id (str): The ID of the involved entity to retrieve (required).

Returns: InvolvedEntity: The full InvolvedEntity object with all its details. Returns an error message if the involved entity is not found.

Example Usage: # Get details for a specific involved entity get_involved_entity(project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', involved_entity_id='101112')

Next Steps (using MCP-enabled tools): - Use 'list_involved_entities' to see other entities in the same case alert.

The following sample demonstrate how to use curl to invoke the get_involved_entity MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "get_involved_entity",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for GetInvolvedEntity.

GetInvolvedEntityRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "caseAlertId": string,
  "involvedEntityId": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
caseId

string

Case ID of the case alert.
caseAlertId

string

Case alert ID of the case alert.
involvedEntityId

string

Involved entity ID of the involved entity.

Output Schema

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. This resource represents entities that are associated with both cases and caseAlerts, or with all caseAlerts related to a specific case. These entities are uniquely identified by their entityIdentifier and type. Additionally, we have another entity resource in our system that is not connected to cases and caseAlerts - 'Unique Entity' and represents every unique entity in the system. Unique entities is a separate collection of all distinct entities in the system, not in the context of case/alert. Unique entities get updated (if needed) during ingestion when new entities arrive.

InvolvedEntity

JSON representation 
{
  "name": string,
  "id": string,
  "type": string,
  "threatSource": string,
  "operatingSystem": string,
  "networkTitle": string,
  "environment": string,
  "additionalProperties": string,
  "sourceSystemUri": string,
  "entityUri": string,
  "fields": [
    {
      object (ContextGroup)
    }
  ],
  "alertIdentifier": string,
  "caseId": integer,
  "identifier": string,

  // Union field _suspicious can be only one of the following:
  "suspicious": boolean
  // End of list of possible types for union field _suspicious.

  // Union field _internal can be only one of the following:
  "internal": boolean
  // End of list of possible types for union field _internal.

  // Union field _network_priority can be only one of the following:
  "networkPriority": integer
  // End of list of possible types for union field _network_priority.

  // Union field _attacker can be only one of the following:
  "attacker": boolean
  // End of list of possible types for union field _attacker.

  // Union field _pivot can be only one of the following:
  "pivot": boolean
  // End of list of possible types for union field _pivot.

  // Union field _manually_created can be only one of the following:
  "manuallyCreated": boolean
  // End of list of possible types for union field _manually_created.

  // Union field _enriched can be only one of the following:
  "enriched": boolean
  // End of list of possible types for union field _enriched.

  // Union field _artifact can be only one of the following:
  "artifact": boolean
  // End of list of possible types for union field _artifact.

  // Union field _vulnerable can be only one of the following:
  "vulnerable": boolean
  // End of list of possible types for union field _vulnerable.
}
Fields
name

string

Identifier. The unique name(ID) of the InvolvedEntity. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/involvedEntities/{involved_entity}
id

string (int64 format)

Required. Immutable. The id of the entity.
type

string

Required. Immutable. The type of the entity. Could be: HOSTNAME, USB, PROCESS, ADDRESS, …
threatSource

string

Optional. Threat source of the entity.
operatingSystem

string

Optional. Operating system related to the entity.
networkTitle

string

Optional. Network name related to the entity.
environment

string

Output only. Immutable. The environment the entity belongs to. Derived from the case and alert.
additionalProperties

string

Optional. Stores additional properties, as a JSON format.
sourceSystemUri

string

Optional. Output only. Immutable. Link to the source system.
entityUri

string

Optional. Output only. The full url of the entity, calculated using the source_system_uri and the entity data. Optional if the source_system_uri is not defined.
fields[]

object (ContextGroup)

Output only. A list of context group items, which are calculated based on the entity's properties.
alertIdentifier

string

Output only. The alert identifier of the alert that the involved entity is associated with.
caseId

integer

Output only. The id of the case that the involved entity is associated with.
identifier

string

Output only. The identifier name of the involved entity.

Union field _suspicious.

_suspicious can be only one of the following:
suspicious

boolean

Required. Describes if the entity is suspicious or not.

Union field _internal.

_internal can be only one of the following:
internal

boolean

Required. Indicates whether this entity is internal. This setting is configured in the application's settings, and any entity type can be designated as internal.

Union field _network_priority.

_network_priority can be only one of the following:
networkPriority

integer

Optional. Network priority of a related network.

Union field _attacker.

_attacker can be only one of the following:
attacker

boolean

Optional. Describes if the entity represents an attacker or not.

Union field _pivot.

_pivot can be only one of the following:
pivot

boolean

Optional. Describes if the entity is a pivot or not. A pivot entity is an entity which is common to two or more cases. In the case graph, it is connected to other entities by a dotted line.

Union field _manually_created.

_manually_created can be only one of the following:
manuallyCreated

boolean

Output only. Immutable. Describes if the entity was created by the system (as part of the ingestion flow), or manually by the user.

Union field _enriched.

_enriched can be only one of the following:
enriched

boolean

Output only. Indicates whether the entity has been enriched. An entity is enriched when an action adds information from an external system.

Union field _artifact.

_artifact can be only one of the following:
artifact

boolean

Output only. Describes if the entity is an artifact or not.

Union field _vulnerable.

_vulnerable can be only one of the following:
vulnerable

boolean

Output only. Describes if the entity is vulnerable or not.

ContextGroup

JSON representation 
{
  "displayName": string,
  "items": [
    {
      object (ContextGroupItem)
    }
  ],

  // Union field _highlighted can be only one of the following:
  "highlighted": boolean
  // End of list of possible types for union field _highlighted.

  // Union field _hidden can be only one of the following:
  "hidden": boolean
  // End of list of possible types for union field _hidden.
}
Fields
displayName

string

Output only. The name of the context group. Default context group is called "Default".
items[]

object (ContextGroupItem)

Output only. A list of items in the group.

Union field _highlighted.

_highlighted can be only one of the following:
highlighted

boolean

Output only. Is the context group highlighted.

Union field _hidden.

_hidden can be only one of the following:
hidden

boolean

Output only. Is the context group hidden.

ContextGroupItem

JSON representation 
{
  "name": string,
  "originalName": string,
  "value": string
}
Fields
name

string

Output only. The name of the property
originalName

string

Output only. The original name of the property.
value

string

Output only. The property's value.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌