MCP Tools Reference: chronicle.googleapis.com

Tool: get_rule

Get the definition and metadata of a specific Chronicle SIEM detection rule.

Retrieves the full details of a rule, including its YARA-L code, metadata, revision history, and deployment status.

Workflow Integration: - Use to inspect the logic of a rule that generated an alert. - Essential for understanding rule behavior before modifying or disabling it. - Retrieve rule text for version comparison or backup.

Use Cases: - Get the YARA-L code for a rule ID found in a SIEM alert. - Review rule metadata like author, severity, and creation date. - Check the compilation status and diagnostics of a rule.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). rule_id (str): Unique ID of the rule to retrieve. Examples: "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (latest version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890" (specific version). view (str | None): The view to use for the rule. Defaults to "FULL". Possible values: "BASIC", "FULL", "REVISION_METADATA_ONLY", "CONFIG_ONLY", "TRENDS".

Returns: Dict[str, Any]: Raw response from the Chronicle API, typically containing the Rule object. Returns an error structure if the API call fails.

Example Usage: # Get the full definition of the latest version of a rule get_rule( project_id="my-project", customer_id="my-customer", region="us", rule_id="ru_12345678-1234-1234-1234-1234567890ab" )

# Get the basic view of a specific rule revision
        get_rule(
            project_id="my-project",
            customer_id="my-customer",
            region="us",
            rule_id="ru_12345678-1234-1234-1234-1234567890ab@v_abcdef_123456",
            view="BASIC"
        )

The following sample demonstrate how to use curl to invoke the get_rule MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "get_rule",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for GetRule.

GetRuleRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "ruleId": string,
  "view": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
ruleId

string

The rule to get.
view

string

The view to use.

Output Schema

The Rule resource represents a user-created rule. NEXT TAG: 31

Rule

JSON representation 
{
  "name": string,
  "revisionId": string,
  "displayName": string,
  "text": string,
  "author": string,
  "severity": {
    object (Severity)
  },
  "metadata": {
    string: string,
    ...
  },
  "createTime": string,
  "revisionCreateTime": string,
  "compilationState": enum (CompilationState),
  "type": enum (RuleType),
  "referenceLists": [
    string
  ],
  "allowedRunFrequencies": [
    enum (RunFrequency)
  ],
  "etag": string,
  "scope": string,
  "compilationDiagnostics": [
    {
      object (CompilationDiagnostic)
    }
  ],
  "nearRealTimeLiveRuleEligible": boolean,
  "dataTables": [
    string
  ],
  "inputsUsed": {
    object (InputsUsed)
  },
  "ruleOwner": enum (RuleOwner),
  "tags": [
    string
  ],
  "alertingEnabled": boolean,
  "liveModeEnabled": boolean,
  "archived": boolean,
  "runFrequency": enum (RunFrequency),
  "currentDayDetectionCount": integer,
  "executionState": enum (ExecutionState)
}
Fields
name

string

Identifier. Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
revisionId

string

Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
displayName

string

Output only. Display name of the rule. Populated in BASIC view and FULL view.
text

string

The YARA-L content of the rule. Populated in FULL view.
author

string

Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
severity

object (Severity)

Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view.
metadata

map (key: string, value: string)

Output only. Additional metadata specified in the meta section of text. Populated in FULL view.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
createTime

string (Timestamp format)

Output only. The timestamp of when the rule was created. Populated in FULL view.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
revisionCreateTime

string (Timestamp format)

Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
compilationState

enum (CompilationState)

Output only. The current compilation state of the rule. Populated in FULL view.
type

enum (RuleType)

Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view.
referenceLists[]

string

Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
allowedRunFrequencies[]

enum (RunFrequency)

Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
etag

string

The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
scope

string

Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}.
compilationDiagnostics[]

object (CompilationDiagnostic)

Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view.
nearRealTimeLiveRuleEligible

boolean

Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
dataTables[]

string

Output only. Resource names of the data tables used in this rule.
inputsUsed

object (InputsUsed)

Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true.
ruleOwner

enum (RuleOwner)

Output only. The rule owner (i.e., whether the rule is customer or Google-authored).
tags[]

string

Output only. Resource names of the tags used in this rule. Example: [ "projects/{project}/locations/{location}/instances/{instance}/ tags/google.mitre.TA000", "projects/{project}/locations/{location}/instances/{instance}/ "tags/google.CloudThreats", ]
alertingEnabled

boolean

Output only. Alerting status for the rule.
liveModeEnabled

boolean

Output only. Live Status for the rule.
archived

boolean

Output only. The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated.
runFrequency

enum (RunFrequency)

Output only. The chosen run frequencies for the rule.
currentDayDetectionCount

integer

Output only. The number of matched events for the current day in UTC time.
executionState

enum (ExecutionState)

Output only. The execution state of the rule.

Severity

JSON representation 
{
  "displayName": string
}
Fields
displayName

string

The display name of the severity level. Extracted from the meta section of the rule text.

MetadataEntry

JSON representation 
{
  "key": string,
  "value": string
}
Fields
key

string
value

string

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

CompilationDiagnostic

JSON representation 
{
  "message": string,
  "position": {
    object (CompilationPosition)
  },
  "severity": enum (Severity),
  "uri": string
}
Fields
message

string

Output only. The diagnostic message.
position

object (CompilationPosition)

Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty.
severity

enum (Severity)

Output only. The severity of a rule's compilation diagnostic.
uri

string

Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

JSON representation 
{
  "startLine": integer,
  "startColumn": integer,
  "endLine": integer,
  "endColumn": integer
}
Fields
startLine

integer

Output only. Start line number, beginning at 1.
startColumn

integer

Output only. Start column number, beginning at 1.
endLine

integer

Output only. End line number, beginning at 1.
endColumn

integer

Output only. End column number, beginning at 1.

InputsUsed

JSON representation 
{
  "usesUdm": boolean,
  "usesEntity": boolean,
  "usesDetection": boolean
}
Fields
usesUdm

boolean

Optional. Whether the rule queries UDM events.
usesEntity

boolean

Optional. Whether the rule queries entity events.
usesDetection

boolean

Optional. Whether the rule queries detections.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌