MCP Tools Reference: chronicle.googleapis.com

Tool: create_case_comment

Creates a new case comment in Google SecOps.

Adds a new, structured comment to an existing SOAR case, enabling analysts to log notes, updates, or decisions within an investigation. This is a critical function for maintaining a clear and auditable record of all activities related to a security case.

Workflow Integration:

  • A fundamental part of documenting an investigation and maintaining an audit trail for compliance and review.
  • Integrates seamlessly with UI actions, such as an "Add Comment" button on a case details page, allowing for manual entry of findings.
  • Allows for automated systems and playbooks to log their actions directly into a case, providing a unified timeline of both human and machine activities.
  • Can be used to trigger other automated workflows; for example, adding a comment with a specific tag could initiate a new playbook.

Use Cases:

  • An analyst adds a manual note about their findings after investigating an alert, such as "Confirmed phishing email from sender X."
  • An automated playbook adds a comment detailing an action it took, like "Successfully isolated host Y from the network."
  • A user attaches an artifact or file to the case with a descriptive comment, which can be done by providing attachment details within the comment.
  • A manager adds a comment to assign the case to a different analyst or to provide guidance on the next steps.

Example Usage:

  • create_case_comment(projectId='123', region='us', customerId='abc', caseId='456', comment='Investigated suspicious login from external IP. The IP has been added to the blocklist.')

Next Steps (using MCP-enabled tools):

  • Use 'list_case_comments' to see the newly created comment in the case's timeline along with other comments.
  • Use 'get_case_comment' with the returned resource name to retrieve its full details at a later time.
  • Use 'update_case' to change the status or other properties of the case based on the new comment.

The following sample demonstrate how to use curl to invoke the create_case_comment MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "create_case_comment",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for CreateCaseComment. Next ID: 7

CreateCaseCommentRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "comment": string
}
Fields
projectId

string

Required. Google Cloud project ID.
customerId

string

Required. Chronicle customer ID.
region

string

Required. Chronicle region (e.g., "us", "europe").
caseId

string

Required. The numeric ID of the case to which the comment will be added (e.g., 12345).
comment

string

Required. The content of the comment. This can contain text, links, or other relevant information.

Output Schema

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. Case Comment - Chronicle SOAR Case Comment.

CaseComment

JSON representation 
{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "user": string,
  "comment": string,
  "deletionInvoker": string,
  "alertIdentifier": string,
  "caseAttachment": {
    object (CaseAttachment)
  },
  "userOwnerFullName": string,
  "lastEditorFullName": string,
  "deletedByUser": string,
  "case": string,

  // Union field _is_favorite can be only one of the following:
  "isFavorite": boolean
  // End of list of possible types for union field _is_favorite.

  // Union field _is_deleted can be only one of the following:
  "isDeleted": boolean
  // End of list of possible types for union field _is_deleted.
}
Fields
name

string

Output only. Identifier. The unique name(ID) of the CaseComment. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseComments/{case_comment}
createTime

string (int64 format)

Output only. The timestamp when the comment was created.
updateTime

string (int64 format)

Output only. The timestamp when the comment was last updated.
user

string

Output only. User owner of the comment.
comment

string

Required. The content of the comment.
deletionInvoker

string

Output only. The user who deleted the comment.
alertIdentifier

string

Optional. The alert associated with the comment.
caseAttachment

object (CaseAttachment)

Optional. The attachment associated with the comment.
userOwnerFullName

string

Output only. The user who created the comment.
lastEditorFullName

string

Output only. The user who last edited the comment.
deletedByUser

string

Output only. The user who deleted the comment.
case

string (int64 format)

Optional. The case associated with the comment.

Union field _is_favorite.

_is_favorite can be only one of the following:
isFavorite

boolean

Optional. Whether the comment is marked as a favorite.

Union field _is_deleted.

_is_deleted can be only one of the following:
isDeleted

boolean

Output only. Indicates if the comment has been softly deleted.

CaseAttachment

JSON representation 
{
  "attachmentBase64": string,
  "fileType": string,
  "fileName": string,
  "fileId": string
}
Fields
attachmentBase64

string

Required. Base64 encoded attachment associated with the comment (if exists).
fileType

string

Required. The file type of the attachment (if exists).
fileName

string

Required. The file name of the attachment (if it exists).
fileId

string (int64 format)

Output only. The file id of the attachment.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌