Tool: fetch_alert_data
Retrieves a comprehensive profile of a specific SIEM alert, aggregating data from multiple sources to provide full context for the enrichment process. This tool is a powerful combination of several other tools: list_case_alerts (for alert metadata), list_involved_entities (for entity details), and list_connector_events (for raw event data). It builds a "comprehensive profile" by aggregating all relevant data related to a specific alert ID.
It returns:
- Case Alert Metadata: Basic details like rule generator, product, vendor, and source system URLs.
- Involved Entities: A detailed list of all entities associated with the alert (e.g., IPs, Hostnames, Users), including their type, whether they are marked as suspicious, attacker, or pivot, and any additional properties from the SOAR backend.
- Involved Events: The raw event data that triggered the alert, including source system names and key-value pairs for all raw fields.
- Executed Actions History: A history of manual actions previously executed on this alert, including their status, result messages, and JSON outputs.
- Most Recent Investigation: Details of the latest AI-driven or manual investigation, including the verdict, confidence level, summary, and specific investigation steps taken.
- Comments: A list of all analyst comments and notes associated with the alert.
Workflow Integration:
- This is typically the FIRST tool an agent should call after receiving a SIEM Alert ID.
- It provides all the necessary context to decide which enrichment actions are needed.
- Use the entity identifiers and types from this tool to target specific entities in subsequent enrichment calls.
Use Cases:
- Build a complete understanding of an alert's context before planning any response or enrichment.
- Identify all relevant entities and events that require further investigation.
- Review previous actions and investigations to avoid duplicate work and leverage existing findings.
Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- siem_alert_id (str): The unique identifier of the alert in SIEM (required).
Returns: FetchAlertDataResponse: A comprehensive response object containing the alert metadata, involved entities, events, executed actions, investigation details, and comments.
The following sample demonstrates how to use curl to invoke the fetch_alert_data MCP tool.
Curl Request

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "fetch_alert_data",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
Input Schema

Request for FetchAlertData.

FetchAlertDataRequest

JSON representation:

```json
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "siemAlertId": string
}
```

| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| siemAlertId | SIEM alert ID. |
Output Schema

Response for GetAlertData.

FetchAlertDataResponse

JSON representation (truncated on the source page):

```json
{ "parent": string, "caseAlert": { object (
```

| Field | Description |
|---|---|
| parent | Output only. The parent, which owns the collection of actions. |
| caseAlert | The case alert. |
| entities[] | The entities involved in the alert. |
| events[] | The events involved in the alert. |
| comments[] | The comments on the alert. |
MinimalInvolvedThreatIndicator

JSON representation:

```json
{
  "ruleGenerator": string,
  "product": string,
  "displayName": string,
  "vendor": string,
  "sourceSystemName": string,
  "originalName": string,
  "sourceSystemUrl": string,
  "sourceRuleIdentifier": string
}
```

| Field | Description |
|---|---|
| ruleGenerator | The rule generator. |
| product | The product. |
| displayName | The display name. |
| vendor | The vendor. |
| sourceSystemName | The source system name. |
| originalName | The original name. |
| sourceSystemUrl | The source system URL. |
| sourceRuleIdentifier | The source rule identifier. |
MinimalInvolvedEntity

JSON representation (truncated on the source page):

```json
{
  "entityType": string,
  "entityId": string,
  "threatSource": string,
  "operationSystem": string,
  "networkName": string,
  "networkPriority": integer,
  "additionalProperties": { string: string, ... },
  "sourceSystemUrl": string,
  // Union field
```

| Field | Description |
|---|---|
| entityType | The entity type. |
| entityId | The entity identifier. |
| threatSource | The threat source. |
| operationSystem | The operation system. |
| networkName | The network name. |
| networkPriority | The network priority. |
| additionalProperties | Additional properties. An object containing a list of |
| sourceSystemUrl | The source system URL. |
| isSuspicious (union field) | Whether the entity is suspicious. |
| isAttacker (union field) | Whether the entity is an attacker. |
| isPivot (union field) | Whether the entity is a pivot. |
| isInternal (union field) | Whether the entity is internal. |
AdditionalPropertiesEntry

JSON representation:

```json
{
  "key": string,
  "value": string
}
```

| Field | Description |
|---|---|
| key | |
| value | |
MinimalInvolvedMappedEvent

JSON representation:

```json
{
  "product": string,
  "sourceSystemName": string,
  "data": string
}
```

| Field | Description |
|---|---|
| product | The product. |
| sourceSystemName | The source system name. |
| data | |
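The following Python helper is an added example, not Google's code or the MCP server's own client. It builds the JSON-RPC `tools/call` payload shown in the curl sample above and then turns a FetchAlertDataResponse into an enrichment worklist, as the Workflow Integration notes suggest: entities grouped by `entityType`, with those flagged `isSuspicious`, `isAttacker` or `isPivot` pulled out for priority lookups, plus the raw event fields from `events[].data`. Assumptions not stated on the page: the endpoint accepts a Bearer token in an `Authorization` header, `caseAlert` carries the MinimalInvolvedThreatIndicator fields, `events[].data` is a JSON-encoded string, and the sample response (including its entity type names and `parent` value) is constructed for illustration.

```python
"""Client helper for the fetch_alert_data MCP tool (added example, not the project's code)."""
import json
import urllib.request
from collections import defaultdict

MCP_URL = "https://chronicle.googleapis.com/mcp"  # endpoint from the page's curl sample


def build_request(project_id, customer_id, region, siem_alert_id, request_id=1):
    """Build the JSON-RPC 2.0 tools/call payload; argument names follow FetchAlertDataRequest."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "fetch_alert_data",
            "arguments": {
                "projectId": project_id,
                "customerId": customer_id,
                "region": region,
                "siemAlertId": siem_alert_id,
            },
        },
    }


def call_tool(payload, bearer_token):
    """POST the payload to the MCP endpoint (network call; not exercised offline).

    The Bearer-token header is an assumption; the page does not describe authentication.
    """
    req = urllib.request.Request(
        MCP_URL,
        data=json.dumps(payload).encode(),
        headers={
            "content-type": "application/json",
            "accept": "application/json, text/event-stream",
            "authorization": f"Bearer {bearer_token}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def plan_enrichment(alert_data):
    """Summarise a FetchAlertDataResponse into what an enrichment agent needs next.

    Returns: rule generator, entity IDs grouped by type, the IDs flagged
    suspicious/attacker/pivot, the distinct event source systems, and the
    parsed raw event fields (JSON strings decoded, anything else kept verbatim).
    """
    by_type = defaultdict(list)
    priority = []
    for ent in alert_data.get("entities", []):
        by_type[ent["entityType"]].append(ent["entityId"])
        # The flag fields are union fields on the page; treat a missing flag as False.
        if any(ent.get(flag) for flag in ("isSuspicious", "isAttacker", "isPivot")):
            priority.append(ent["entityId"])

    raw_fields = []
    for ev in alert_data.get("events", []):
        data = ev.get("data", "")
        try:
            raw_fields.append(json.loads(data))  # assumed: data is a JSON-encoded string
        except (TypeError, ValueError):
            raw_fields.append({"raw": data})

    return {
        "rule": alert_data.get("caseAlert", {}).get("ruleGenerator"),
        "by_type": dict(by_type),
        "priority": priority,
        "event_sources": sorted({ev.get("sourceSystemName", "") for ev in alert_data.get("events", [])}),
        "raw_fields": raw_fields,
    }


# Constructed sample response shaped after the page's output schema (not real data).
SAMPLE_RESPONSE = {
    "parent": "<parent resource name>",
    "caseAlert": {
        "ruleGenerator": "Suspicious Login",
        "product": "ExampleIdP",
        "vendor": "ExampleVendor",
        "sourceSystemName": "SIEM",
        "sourceSystemUrl": "https://siem.example/alerts/1",
    },
    "entities": [
        {"entityType": "IP", "entityId": "203.0.113.10", "isSuspicious": True, "isInternal": False},
        {"entityType": "USER", "entityId": "alice@example.com", "isPivot": True},
        {"entityType": "HOSTNAME", "entityId": "ws-042", "isInternal": True},
    ],
    "events": [
        {"product": "ExampleIdP", "sourceSystemName": "SIEM",
         "data": "{\"action\": \"login\", \"result\": \"success\", \"src_ip\": \"203.0.113.10\"}"},
    ],
    "comments": [],
}

if __name__ == "__main__":
    print(json.dumps(build_request("my-project", "my-customer", "us", "alert-123"), indent=2))
    print(json.dumps(plan_enrichment(SAMPLE_RESPONSE), indent=2))
```

`plan_enrichment` is where the page's "first tool to call" advice becomes concrete: the `priority` list tells the agent which entities to enrich first, `by_type` lets it pick the right enrichment tool per entity kind, and `raw_fields` exposes the original event so later steps do not have to re-query the SIEM.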
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌