MCP Tools Reference: chronicle.googleapis.com

Tool: list_connector_events

Lists all connector events for a given case alert in Chronicle SIEM.

Retrieves a paginated list of all connector events associated with a specific SOAR case alert, allowing for a comprehensive overview of the events related to an investigation.

Workflow Integration:
- Used to populate a list of connector events in the SOAR UI for a given case alert.
- Essential for automated playbooks that need to iterate through all events in a case alert.
- Enables an analyst to quickly see all related events when starting an investigation.

Use Cases:
- Display all connector events on a case alert detail page.
- A playbook iterates through all events to check for specific indicators.
- Generate a report summarizing all events associated with a case alert.

Args:
    project_id (str): Google Cloud project ID (required).
    customer_id (str): Chronicle customer ID (required).
    region (str): Chronicle region (e.g., "us", "europe") (required).
    case_id (str): The Case ID of the case alert.
    case_alert_id (str): The Case Alert ID to list connector events for.
    page_size (int, optional): The maximum number of connector events to return.
    page_token (str, optional): A token for fetching the next page of results.
    filter (str, optional): A filter to apply to the list of connector events. Supported filter fields: 'entity_identifier', 'entity_type', 'action', and 'environments_json'. Example: filter="entity_identifier='ConnectorEvent 1'"
    order_by (str, optional): The field to order the results by. Supported fields: 'entity_identifier'. If not specified, connector events are returned in descending order of their create time.
    expand (str, optional): A comma-separated list of fields to expand in the response (e.g., 'event_json_data').

Returns:
    ListConnectorEventsResponse: A response object containing a list of ConnectorEvent objects and a next page token. Each ConnectorEvent object contains base fields like ID, CreateTime, and UpdateTime. To see the full raw event details, including fields like Host Name, User ID, Process Name, Hashes, and Summary, you MUST use the 'expand' parameter with 'event_json_data'. The detailed fields will be nested within the 'event_json_data' field in the response. Returns an error message if the parent case alert is not found.

Example Usage:
    # List all connector events for a specific case alert
    list_connector_events(project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789')

    # List all connector events with full event details expanded
    list_connector_events(project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', expand='event_json_data')

Next Steps (using MCP-enabled tools):
- Iterate through the list to get details on individual events using 'get_connector_event', potentially also with expand='event_json_data'.
- If 'event_json_data' was expanded, parse the JSON content to extract specific fields like hostnames, user IDs, process names, and hashes for further analysis or enrichment.

The following sample demonstrates how to use curl to invoke the list_connector_events MCP tool.

Curl Request

# Authentication is not shown on the original page; an OAuth2 bearer token from
# gcloud is assumed here. Argument names and values follow the Example Usage above.
curl --location 'https://chronicle.googleapis.com/mcp' \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_connector_events",
    "arguments": {
      "project_id": "123",
      "customer_id": "abc",
      "region": "us",
      "case_id": "456",
      "case_alert_id": "789",
      "expand": "event_json_data"
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListConnectorEvents.

ListConnectorEventsRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "caseAlertId": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string,
  "expand": string
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

caseId

string

Case ID of the case alert.

caseAlertId

string

Case alert ID of the case alert.

pageSize

integer

The maximum number of ConnectorEvents to return. The service may return fewer than this value. If unspecified, at most 50 ConnectorEvents will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken

string

A page token, received from a previous ListConnectorEvents call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListConnectorEvents must match the call that provided the page token.

filter

string

A filter to apply to the list of ConnectorEvents. Supported filter fields:
* entity_identifier: Filter by the user-facing name.
* entity_type: Filter by the entity type.
* action: Filter by the action.
* environments_json: Filter by the environments.
Example: filter="entity_identifier='ConnectorEvent 1'"

orderBy

string

Configures ordering of ConnectorEvents in the response. If not specified, ConnectorEvents are returned in descending order of their create time. The order_by string is a comma separated list of fields. Supported fields:
* entity_identifier

expand

string

Configures expansion of ConnectorEvents in the response. If not specified, ConnectorEvents are returned without any expansion. The expand string is a comma separated list of fields. Supported fields:
* event_json_data

Output Schema

Response message for ListConnectorEvents.

ListConnectorEventsResponse

JSON representation
{
  "connectorEvents": [
    {
      object (ConnectorEvent)
    }
  ],
  "nextPageToken": string,
  "totalSize": integer
}
Fields
connectorEvents[]

object (ConnectorEvent)

The list of ConnectorEvents. Ordered by Id by default.

nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

totalSize

integer

The total number of ConnectorEvents.

ConnectorEvent

JSON representation
{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "alertIdentifier": string,
  "environment": string,
  "eventIdentifier": string,
  "alertGroupIdentifier": string,
  "mappedEventJson": string,
  "eventJsonData": {
    object (RawEventData)
  },
  "caseId": string,
  "id": string
}
Fields
name

string

Identifier. The resource name of the ConnectorEvent. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/connectorEvents/{connector_event}

createTime

string (int64 format)

Output only. The create_time of the ConnectorEvent.

updateTime

string (int64 format)

Output only. The update_time of the ConnectorEvent.

alertIdentifier

string

Output only. The alert_identifier of the ConnectorEvent.

environment

string

Output only. The environment of the ConnectorEvent.

eventIdentifier

string

Output only. The event_identifier of the ConnectorEvent.

alertGroupIdentifier

string

Output only. The alert_group_identifier of the ConnectorEvent.

mappedEventJson

string

Output only. The mapped_event_json of the ConnectorEvent.

eventJsonData

object (RawEventData)

Output only. The raw_event of the ConnectorEvent.

caseId

string (int64 format)

Output only. The case_id of the ConnectorEvent.

id

string (int64 format)

Output only. The id of the ConnectorEvent.

RawEventData

JSON representation
{
  "rawEvent": string
}
Fields
rawEvent

string

Output only. The raw event of the ConnectorEvent.
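
The following added example (not code from this page or from the Chronicle MCP server) ties the pieces above together: it builds the tools/call envelope from the curl sample, pages through list_connector_events by following nextPageToken while holding every other argument fixed as the pageToken rule requires, and parses eventJsonData.rawEvent from expanded events to collect hostnames, user IDs, process names and hashes, as suggested under Next Steps. The HTTP transport is replaced by a constructed in-memory stub (StubServer), and the sample events and the field names inside rawEvent are assumptions, since the page does not document the raw event format; the MCP response envelope that wraps the tool result is also not shown on the page and is left for the caller to unwrap.

```python
import json
from dataclasses import dataclass, field


def build_tools_call(arguments: dict, request_id: int = 1) -> dict:
    """JSON-RPC 2.0 envelope in the shape of the page's curl sample."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "list_connector_events", "arguments": arguments}}


def iter_connector_events(call_tool, base_args: dict):
    """Yield every ConnectorEvent across all pages. call_tool(arguments) returns
    the ListConnectorEventsResponse as a dict (unwrapping the real MCP response
    envelope, which the page does not show, is the caller's job). Only page_token
    changes between calls, as the page's pageToken rule requires."""
    fixed = {k: v for k, v in base_args.items() if k != "page_token"}
    args = dict(fixed)
    while True:
        resp = call_tool(args)
        yield from resp.get("connectorEvents", [])
        token = resp.get("nextPageToken")
        if not token:          # omitted => no subsequent pages
            return
        args = {**fixed, "page_token": token}


@dataclass
class Indicators:
    hostnames: set = field(default_factory=set)
    user_ids: set = field(default_factory=set)
    process_names: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


# Keys inside rawEvent are NOT documented on the page: these are assumed for the
# constructed sample below and must be adapted to the real connector's output.
RAW_KEYS = {"hostname": "hostnames", "user_id": "user_ids", "process_name": "process_names"}
HASH_KEYS = ("md5", "sha1", "sha256")


def extract_indicators(events) -> Indicators:
    """Parse eventJsonData.rawEvent (a JSON string) from expanded events; events
    that were not expanded, or whose raw payload is not JSON, are skipped."""
    ind = Indicators()
    for ev in events:
        raw_str = (ev.get("eventJsonData") or {}).get("rawEvent")
        if not raw_str:
            continue               # listed without expand='event_json_data'
        try:
            raw = json.loads(raw_str)
        except json.JSONDecodeError:
            continue               # opaque raw event: don't crash the playbook
        if not isinstance(raw, dict):
            continue
        for key, bucket in RAW_KEYS.items():
            if raw.get(key):
                getattr(ind, bucket).add(raw[key])
        for key in HASH_KEYS:
            if raw.get(key):
                ind.hashes.add(raw[key].lower())   # normalise before dedup
    return ind


# --- constructed sample data and an offline stub of the MCP server ----------
_NAME = "projects/123/locations/us/instances/abc/cases/456/caseAlerts/789/connectorEvents/"


def _event(event_id: int, raw: str) -> dict:
    return {"name": _NAME + str(event_id), "id": str(event_id), "eventJsonData": {"rawEvent": raw}}


SAMPLE_EVENTS = [
    _event(1, json.dumps({"hostname": "ws-0142", "user_id": "jdoe", "process_name": "powershell.exe", "sha256": "ab" * 32})),
    _event(2, json.dumps({"hostname": "ws-0142", "user_id": "jdoe", "process_name": "cmd.exe"})),
    _event(3, json.dumps({"hostname": "srv-db01", "user_id": "svc_backup", "md5": "0123456789ABCDEF0123456789ABCDEF"})),
    {"name": _NAME + "4", "id": "4"},   # returned without expansion
    _event(5, "plain text payload from a connector that does not emit JSON"),
]


class StubServer:
    """Serves SAMPLE_EVENTS page by page and records every arguments dict seen."""

    def __init__(self, events):
        self.events, self.requests = events, []

    def call_tool(self, arguments: dict) -> dict:
        self.requests.append(dict(arguments))
        start = int(arguments.get("page_token") or 0)
        size = min(int(arguments.get("page_size") or 50), 1000)   # page's coercion rule
        resp = {"connectorEvents": self.events[start:start + size], "totalSize": len(self.events)}
        if start + size < len(self.events):
            resp["nextPageToken"] = str(start + size)
        return resp


def collect(page_size: int = 2):
    """Run the whole workflow against the stub; returns (server, events, indicators)."""
    server = StubServer(SAMPLE_EVENTS)
    base = {"project_id": "123", "customer_id": "abc", "region": "us", "case_id": "456",
            "case_alert_id": "789", "page_size": page_size, "expand": "event_json_data"}
    events = list(iter_connector_events(server.call_tool, base))
    return server, events, extract_indicators(events)
```

collect() runs the workflow end to end: with page_size=2 the five sample events arrive over three calls, the event that was listed without expansion and the one whose raw payload is not JSON are skipped rather than aborting the playbook, and hashes are lowercased before deduplication. Against the live endpoint, replace StubServer.call_tool with a function that POSTs build_tools_call(arguments) to https://chronicle.googleapis.com/mcp with the caller's credentials and returns the ListConnectorEventsResponse.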

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌