MCP Tools Reference: chronicle.googleapis.com

Tool: list_rules

List security detection rules configured in Chronicle SIEM, with support for pagination and filtering.

Retrieves the definitions of detection rules currently active or configured within the Chronicle SIEM instance.

Workflow Integration: - Useful for understanding the detection capabilities currently deployed in the SIEM. - Can help identify the specific rule that generated a SIEM alert (obtained via SIEM alert tools or from case management/SOAR system details). - Provides context for rule tuning, development, or understanding alert logic.

Use Cases: - Review the logic or scope of a specific detection rule identified from an alert. - Audit the set of active detection rules within the SIEM. - Understand which rules might be relevant to a particular threat scenario or TTP. - Filter rules based on reference lists, data tables, or display name.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). page_size (int): Maximum number of rules to return. Defaults to 100. Max is 1000. page_token (str | None): Page token for pagination. filter (str | None): An optional filter string to apply to the list of rules. Supported filters (using the "has" operator, e.g., 'display_name:"foo"'): - 'reference_lists:"{full_resource_name}"' - 'data_tables:"{full_resource_name}"' - 'display_name:"{display_name}"' Note: For 'reference_lists' and 'data_tables', you must provide the full resource name, e.g., 'projects/my-project/locations/us/instances/my-customer/dataTables/my_table'.

Returns: Dict[str, Any]: Raw response from the Chronicle API, typically containing a list of rule objects with their definitions and metadata. Returns an error structure if the API call fails.

Example Usage: # List rules with a display name containing "suspicious" list_rules( project_id="my-project", customer_id="my-customer", region="us", filter='display_name:"suspicious"' )

# List rules using a specific data table by its full resource name
        list_rules(
            project_id="my-project",
            customer_id="my-customer",
            region="us",
            filter='data_tables:"projects/my-project/locations/us/instances/my-customer/dataTables/my_table"'
        )

Next Steps (using MCP-enabled tools): - Analyze the rule definition (e.g., the YARA-L code) to understand its trigger conditions. - Correlate rule details with specific alerts retrieved from the SIEM or case management system. - Use insights for rule optimization, false positive analysis, or developing related detections. - Document relevant rule information in associated cases using a case management tool. - Use 'get_rule' to fetch the full details of a specific rule.

The following sample demonstrate how to use curl to invoke the list_rules MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_rules",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListRules.

ListRulesRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
pageSize

integer

The maximum number of rules to return.
pageToken

string

A page token, received from a previous ListRules call.
filter

string

A filter string to apply to the list of rules.

Output Schema

Response message for ListRules method.

ListRulesResponse

JSON representation 
{
  "rules": [
    {
      object (Rule)
    }
  ],
  "nextPageToken": string
}
Fields
rules[]

object (Rule)

The rules from the specified instance.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Rule

JSON representation 
{
  "name": string,
  "revisionId": string,
  "displayName": string,
  "text": string,
  "author": string,
  "severity": {
    object (Severity)
  },
  "metadata": {
    string: string,
    ...
  },
  "createTime": string,
  "revisionCreateTime": string,
  "compilationState": enum (CompilationState),
  "type": enum (RuleType),
  "referenceLists": [
    string
  ],
  "allowedRunFrequencies": [
    enum (RunFrequency)
  ],
  "etag": string,
  "scope": string,
  "compilationDiagnostics": [
    {
      object (CompilationDiagnostic)
    }
  ],
  "nearRealTimeLiveRuleEligible": boolean,
  "dataTables": [
    string
  ],
  "inputsUsed": {
    object (InputsUsed)
  },
  "ruleOwner": enum (RuleOwner),
  "tags": [
    string
  ],
  "alertingEnabled": boolean,
  "liveModeEnabled": boolean,
  "archived": boolean,
  "runFrequency": enum (RunFrequency),
  "currentDayDetectionCount": integer,
  "executionState": enum (ExecutionState)
}
Fields
name

string

Identifier. Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}
revisionId

string

Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.
displayName

string

Output only. Display name of the rule. Populated in BASIC view and FULL view.
text

string

The YARA-L content of the rule. Populated in FULL view.
author

string

Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.
severity

object (Severity)

Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view.
metadata

map (key: string, value: string)

Output only. Additional metadata specified in the meta section of text. Populated in FULL view.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
createTime

string (Timestamp format)

Output only. The timestamp of when the rule was created. Populated in FULL view.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
revisionCreateTime

string (Timestamp format)

Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
compilationState

enum (CompilationState)

Output only. The current compilation state of the rule. Populated in FULL view.
type

enum (RuleType)

Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view.
referenceLists[]

string

Output only. Resource names of the reference lists used in this rule. Populated in FULL view.
allowedRunFrequencies[]

enum (RunFrequency)

Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.
etag

string

The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.
scope

string

Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}.
compilationDiagnostics[]

object (CompilationDiagnostic)

Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view.
nearRealTimeLiveRuleEligible

boolean

Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.
dataTables[]

string

Output only. Resource names of the data tables used in this rule.
inputsUsed

object (InputsUsed)

Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true.
ruleOwner

enum (RuleOwner)

Output only. The rule owner (i.e., whether the rule is customer or Google-authored).
tags[]

string

Output only. Resource names of the tags used in this rule. Example: [ "projects/{project}/locations/{location}/instances/{instance}/ tags/google.mitre.TA000", "projects/{project}/locations/{location}/instances/{instance}/ "tags/google.CloudThreats", ]
alertingEnabled

boolean

Output only. Alerting status for the rule.
liveModeEnabled

boolean

Output only. Live Status for the rule.
archived

boolean

Output only. The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated.
runFrequency

enum (RunFrequency)

Output only. The chosen run frequencies for the rule.
currentDayDetectionCount

integer

Output only. The number of matched events for the current day in UTC time.
executionState

enum (ExecutionState)

Output only. The execution state of the rule.

Severity

JSON representation 
{
  "displayName": string
}
Fields
displayName

string

The display name of the severity level. Extracted from the meta section of the rule text.

MetadataEntry

JSON representation 
{
  "key": string,
  "value": string
}
Fields
key

string
value

string

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

CompilationDiagnostic

JSON representation 
{
  "message": string,
  "position": {
    object (CompilationPosition)
  },
  "severity": enum (Severity),
  "uri": string
}
Fields
message

string

Output only. The diagnostic message.
position

object (CompilationPosition)

Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty.
severity

enum (Severity)

Output only. The severity of a rule's compilation diagnostic.
uri

string

Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

JSON representation 
{
  "startLine": integer,
  "startColumn": integer,
  "endLine": integer,
  "endColumn": integer
}
Fields
startLine

integer

Output only. Start line number, beginning at 1.
startColumn

integer

Output only. Start column number, beginning at 1.
endLine

integer

Output only. End line number, beginning at 1.
endColumn

integer

Output only. End column number, beginning at 1.

InputsUsed

JSON representation 
{
  "usesUdm": boolean,
  "usesEntity": boolean,
  "usesDetection": boolean
}
Fields
usesUdm

boolean

Optional. Whether the rule queries UDM events.
usesEntity

boolean

Optional. Whether the rule queries entity events.
usesDetection

boolean

Optional. Whether the rule queries detections.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌