MCP Tools Reference: chronicle.googleapis.com

Tool: `activate_parser`

Activate a parser for a specific log type in Chronicle.

Activates a parser, making it the active parser for the specified log type. Once activated, the parser will be used to process all incoming logs of that type. Only one parser can be active for each log type at a time.

Workflow Integration:

Use after creating and testing a parser to make it operational.
Essential step for putting new or updated parsers into production.
Enables the parser to process incoming logs and generate searchable UDM events.
Required before logs of the specified type can be properly parsed and analyzed.

Use Cases:

Activate a newly created parser after successful testing.
Switch to an updated parser version with improved parsing logic.
Restore a previously working parser after troubleshooting parsing issues.
Deploy parser changes as part of log ingestion pipeline updates.

Example Usage:

activate_parser(logType="CUSTOM_APP", parserId="pa_12345678-1234-1234-1234-123456789012", projectId="my-project", customerId="my-customer", region="us")

Next Steps (using MCP-enabled tools):

Verify the parser is active using get_parser.
Ingest test logs using import_logs to verify the parser is working correctly.
Monitor parsing success rates and troubleshoot any issues.
Search for parsed events using udm_search to confirm proper UDM conversion.
Create detection rules that leverage the newly parsed UDM fields.
Set up monitoring for the log type to ensure continued parsing success.

The following sample demonstrate how to use curl to invoke the activate_parser MCP tool.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "activate_parser", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }'

Curl Request

                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "activate_parser",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ActivateParser.

ActivateParserRequest

JSON representation
{ "projectId": string, "customerId": string, "region": string, "logType": string, "parserId": string }

Fields
`projectId`	`string` Required. Google Cloud project ID.
`customerId`	`string` Required. Chronicle customer ID.
`region`	`string` Required. Chronicle region (e.g., "us", "europe").
`logType`	`string` Chronicle log type identifier for the parser.
`parserId`	`string` Unique identifier of the parser to activate (without revision ID).

Output Schema

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:

service Foo {
  rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌

MCP Tools Reference: chronicle.googleapis.com Stay organized with collections Save and categorize content based on your preferences.

Tool: activate_parser