MCP Tools Reference: chronicle.googleapis.com

Tool: `create_parser`

Create a new parser for a specific log type in Chronicle.

Creates a custom parser using Chronicle's parser configuration language to transform raw logs into Chronicle's Unified Data Model (UDM) format. The tool automatically handles the required Base64 encoding of the parser code.

Agent Responsibilities:

Provide the parser_code argument as a plain text string.

Workflow Integration:

Use when you need to ingest custom log formats that Chronicle doesn't natively support.
Essential for integrating custom applications, proprietary systems, or modified log formats.
Enables normalization of diverse log sources into a consistent UDM structure for analysis.
Prerequisite for meaningful analysis of custom log sources through Chronicle's detection capabilities.

Use Cases:

Create parsers for custom application logs with unique formats.
Parse proprietary security tool outputs into UDM format.
Handle modified versions of standard log formats that existing parsers can't process.
Transform legacy log formats for Chronicle ingestion during SIEM migrations.
Parse structured data from APIs or databases into security events.

Example Usage:

Define the parser code string: parser_text: "filter { json { source => "message" } ... }"

create_parser(logType="CUSTOM_APP", parserCode=parser_text, projectId="my-project", customerId="my-customer", region="us")

Next Steps (using MCP-enabled tools):

Test the parser using run_parser with sample log data.
Activate the parser using activate_parser once testing is complete.
Ingest logs using ingest_raw_log with the specified log_type.
Monitor parsing success and adjust the parser configuration if needed.
Create detection rules that leverage the parsed UDM fields.

The following sample demonstrate how to use curl to invoke the create_parser MCP tool.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "create_parser", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }'

Curl Request

                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "create_parser",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for CreateParser.

CreateParserRequest

JSON representation
{ "projectId": string, "customerId": string, "region": string, "logType": string, "parserCode": string, "validatedOnEmptyLogs": boolean }

Fields
`projectId`	`string` Required. Google Cloud project ID.
`customerId`	`string` Required. Chronicle customer ID.
`region`	`string` Required. Chronicle region (e.g., "us", "europe").
`logType`	`string` Chronicle log type identifier for this parser (e.g., "CUSTOM_APP", "WINDOWS_AD").
`parserCode`	`string` Plain text parser configuration code using Chronicle's parser DSL.
`validatedOnEmptyLogs`	`boolean` Whether to validate the parser even on empty log samples. Defaults to True.

Output Schema

Parser is a representation of a parser.

Parser

JSON representation
{ "projectId": string, "customerId": string, "region": string, "logType": string, "parserId": string, "state": enum (`State`), "createTime": string, "code": string }

Fields
`projectId`	`string` Project ID of the customer.
`customerId`	`string` Customer ID of the customer.
`region`	`string` Region of the customer.
`logType`	`string` Log type of the parser to activate.
`parserId`	`string` ID of the parser to activate.
`state`	`enum (State)` State of the parser.
`createTime`	`string (Timestamp format)` Time at which the parser was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`code`	`string` Code of the parser.

Timestamp

JSON representation
{ "seconds": string, "nanos": integer }

Fields

Fields
`seconds`	`string (int64 format)` Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
`nanos`	`integer` Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌

MCP Tools Reference: chronicle.googleapis.com Stay organized with collections Save and categorize content based on your preferences.

Tool: create_parser