Tool: execute_bulk_close_case
Closes one or more cases in bulk. This is the only tool that can change the status of a case to 'CLOSED'.
This tool allows for the efficient closure of multiple cases at once, which is useful for resolving incidents that have been fully investigated or for cleaning up old cases. It can also be used to close a single case.
Workflow Integration:
- Used in automated playbooks to close cases after a successful remediation workflow.
- Enables SOC managers or senior analysts to perform bulk cleanup of resolved or irrelevant cases from a queue.
- Can be integrated into custom scripts for case management tasks, such as automatically closing cases that have been inactive for a certain period.
Use Cases:
- A playbook automatically closes a set of related cases after the root cause has been addressed and all associated alerts have been triaged.
- An analyst closes a single case after completing their investigation and documenting the findings.
- A SOC manager selects multiple resolved cases from a dashboard and closes them in a single action.
Note: The ability to update custom fields via dynamic_parameters is intentionally omitted from this bulk operation, as the Google SecOps UI advises that custom fields are not updated during bulk closure and should be updated on a per-case basis.
Example Usage:
execute_bulk_close_case(projectId='123', region='us', customerId='abc', casesIds=[456], closeReason='NOT_MALICIOUS', rootCause='False positive identified', closeComment='Closing due to false positive.')
execute_bulk_close_case(projectId='123', region='us', customerId='abc', casesIds=[101, 102, 103], closeReason='MALICIOUS', rootCause='Phishing campaign identified and blocked.')
Next Steps (using MCP-enabled tools):
- Use 'list_cases' with a filter for 'status="CLOSED"' to verify that the cases have been closed.
- Use 'get_case' for one of the closed cases to check that the close reason, root cause, and comment have been correctly applied.
The following sample demonstrates how to use curl to invoke the execute_bulk_close_case MCP tool.
Curl Request:
```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "execute_bulk_close_case",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
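As an added example, not part of the tool's documentation, the following Python builds the same JSON-RPC 2.0 envelope the curl sample sends, validates playbook inputs against the input schema (allowed closeReason values, positive integer case IDs, de-duplication because the call is destructive and not idempotent), and implements the "Next Steps" verification over a constructed list_cases result. The 'id' and 'status' keys of a list_cases entry are an assumption.

```python
import json

# Allowed closeReason values, as listed in the tool's input schema.
CLOSE_REASONS = {"MALICIOUS", "NOT_MALICIOUS", "MAINTENANCE", "INCONCLUSIVE", "UNKNOWN"}
MCP_ENDPOINT = "https://chronicle.googleapis.com/mcp"  # endpoint from the curl sample


def build_bulk_close_request(project_id, region, customer_id, case_ids, close_reason,
                             root_cause=None, close_comment=None, request_id=1):
    """Validate playbook inputs against the schema and build the JSON-RPC 2.0 envelope."""
    if close_reason not in CLOSE_REASONS:
        raise ValueError(f"closeReason must be one of {sorted(CLOSE_REASONS)}, got {close_reason!r}")
    ids = []
    for cid in case_ids:
        if isinstance(cid, bool) or not isinstance(cid, int) or cid <= 0:
            raise ValueError(f"case ID must be a positive integer, got {cid!r}")
        if cid not in ids:  # drop duplicates: the call is destructive and not idempotent
            ids.append(cid)
    if not ids:
        raise ValueError("casesIds must not be empty")
    args = {"projectId": project_id, "region": region, "customerId": customer_id,
            "casesIds": ids, "closeReason": close_reason}
    if root_cause is not None:
        args["rootCause"] = root_cause
    if close_comment is not None:
        args["closeComment"] = close_comment
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "execute_bulk_close_case", "arguments": args}}


def unclosed_cases(requested_ids, list_cases_result):
    """Post-call check from the Next Steps section: requested IDs whose status is not CLOSED.
    The 'id' and 'status' keys of a list_cases entry are an assumption, not from the page."""
    closed = {c["id"] for c in list_cases_result if c.get("status") == "CLOSED"}
    return [cid for cid in requested_ids if cid not in closed]


# Constructed list_cases output used to demonstrate the verification step.
SAMPLE_LIST_CASES = [
    {"id": 101, "status": "CLOSED"},
    {"id": 102, "status": "CLOSED"},
    {"id": 103, "status": "OPEN"},
]

if __name__ == "__main__":
    req = build_bulk_close_request("123", "us", "abc", [101, 102, 102, 103], "MALICIOUS",
                                   root_cause="Phishing campaign identified and blocked.")
    print(json.dumps(req, indent=2))  # body to POST to MCP_ENDPOINT
    print("still open:", unclosed_cases([101, 102, 103], SAMPLE_LIST_CASES))  # [103]
```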
Input Schema
Request message for ExecuteBulkCloseCase.
ExecuteBulkCloseCaseRequest
JSON representation:
```json
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "casesIds": [ integer ],
  "closeReason": string,
  // Union field
  "rootCause": string,
  // Union field
  "closeComment": string
}
```
Fields:
| Field | Description |
|---|---|
| projectId | Required. Google Cloud project ID. |
| customerId | Required. Chronicle customer ID. |
| region | Required. Chronicle region (e.g., "us", "europe"). |
| casesIds[] | Required. A list of case IDs to be closed. Each ID uniquely identifies a case in Chronicle. |
| closeReason | Required. The reason for closing the cases. Possible values: 'MALICIOUS', 'NOT_MALICIOUS', 'MAINTENANCE', 'INCONCLUSIVE', 'UNKNOWN'. |
| rootCause | Union field. The root cause of the incident that led to the case closure. A detailed explanation of the underlying factor that caused the incident. |
| closeComment | Union field. A comment to be added to each case upon closure. This provides additional context or notes regarding the closure. |
Output Schema
Response message for ExecuteBulkCloseCase.
Tool Annotations
Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌