Tool: fetch_enrichment_actions
Retrieves a curated list of SOAR integration actions available for enriching a specific SIEM alert. This tool is similar to list_integrations and list_integration_actions, but it filters specifically for actions that are suitable for enrichment and are enabled for the environment where the alert originated.
For each integration, it provides:
- Integration ID and Display Name: to identify the tool provider (e.g., 'VirusTotal', 'SafeBreach').
- Available Actions: a list of specific enrichment functions (e.g., 'Get IP Report', 'Enrich Host').
- Action Parameters: detailed information for each parameter, including:
  - name and description.
  - type (e.g., 'String', 'Boolean').
  - mandatory flag.
  - default_value and optional_values_json for dropdowns.
- AI Description: a detailed, structured description of the action designed for the AI. It typically includes:
  - General Description: what the action does and what data it retrieves.
  - Parameters Description: a table explaining each parameter's purpose and constraints.
  - Flow Description: a step-by-step breakdown of the action's execution logic.
- Entity Types: a list of the specific entity types that this action supports (e.g., 'ADDRESS', 'HOSTNAME', 'FILEHASH'). Crucial: you must only attempt to run this action on entities that match one of these types.
Workflow Integration:
- Use this tool to discover what enrichment capabilities are available for the current alert.
- Critical Step: compare the entity_types of each available action against the actual entities found in the alert (via fetch_alert_data). Only plan to execute actions where there is a match.
- The integration and display_name retrieved here are required for execute_actions.
Use Cases:
- Discover available threat intelligence tools for enriching IPs or domains found in an alert.
- Identify EDR actions that can provide host or process details for investigation.
- Understand what parameters are required for specific enrichment actions.
Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- siem_alert_id (str): The unique identifier of the alert in SIEM (required).
Returns:
- FetchActionsResponse: a list of integrations and their available enrichment actions. Each action includes its name, description, AI description, supported entity types, and required parameters. Note that the AgentIntegrationAction schema below exposes only displayName, description, parameters[] and entityTypes[]; it has no separate field for the AI description.
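The entity-type matching required under Workflow Integration, as an added example that is not part of this page or of the Chronicle tooling. It assumes the FetchActionsResponse has been decoded into a Python dict and that the alert's entities are available as a list of {type, value} records (this page does not show the fetch_alert_data shape); every integration ID, action name, parameter name and entity value in it is hypothetical.

```python
"""Select enrichment actions for an alert from a FetchActionsResponse.

Added example; not code from the Chronicle MCP tool or its documentation. It
implements the workflow's critical step: plan an action only for alert
entities whose type is in that action's entityTypes, and hold back actions
whose mandatory parameters have neither a value nor a default. Both inputs are
constructed: integration IDs, action names, parameter names and entity values
are hypothetical; ADDRESS, HOSTNAME and FILEHASH are the entity labels the
page cites as examples.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def _param(name, mandatory, default=""):
    """Minimal AgentActionParameter (description omitted for brevity)."""
    return {"name": name, "type": "String", "mandatory": mandatory,
            "defaultValue": default, "value": "", "optionalValuesJson": ""}


# Constructed stand-in for a FetchActionsResponse (shape per the Output Schema).
SAMPLE_RESPONSE = {
    "parent": "projects/example-project/locations/us/instances/example-instance",
    "integrations": [
        {"integration": "VirusTotalV3", "integrationInstance": "vt-prod",
         "displayName": "VirusTotal", "description": "Reputation lookups.",
         "actions": [
             {"displayName": "Get IP Report", "description": "IP reputation.",
              "parameters": [_param("Threshold", True, default="5")],
              "entityTypes": ["ADDRESS"]},
             # Mandatory 'Engines' has no value and no default: cannot run unattended.
             {"displayName": "Get Hash Report", "description": "Hash reputation.",
              "parameters": [_param("Engines", True)],
              "entityTypes": ["FILEHASH"]},
         ]},
        {"integration": "ExampleEDR", "integrationInstance": "edr-1",
         "displayName": "Example EDR", "description": "Endpoint telemetry.",
         "actions": [
             {"displayName": "Enrich Host", "description": "Host inventory and processes.",
              "parameters": [], "entityTypes": ["HOSTNAME", "ADDRESS"]},
         ]},
    ],
}

# Constructed stand-in for the entities fetch_alert_data would return for the alert.
SAMPLE_ALERT_ENTITIES = [
    {"type": "ADDRESS", "value": "203.0.113.7"},
    {"type": "HOSTNAME", "value": "ws-1234.corp.example"},
    {"type": "FILEHASH", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "USERUNIQNAME", "value": "jdoe"},   # no action above supports this type
]


@dataclass(frozen=True)
class PlannedAction:
    """One action/entity pair, carrying the identifiers execute_actions needs."""
    integration: str
    integration_instance: str
    integration_display_name: str
    action: str
    entity_type: str
    entity_value: str


@dataclass
class EnrichmentPlan:
    runnable: list[PlannedAction] = field(default_factory=list)
    # (integration display name, action name, mandatory params still unfilled)
    needs_input: list[tuple[str, str, list[str]]] = field(default_factory=list)
    uncovered_types: list[str] = field(default_factory=list)


def _unfilled_mandatory(action: dict) -> list[str]:
    """Mandatory parameters with neither a value nor a default."""
    return [p["name"] for p in action.get("parameters", [])
            if p.get("mandatory") and not (p.get("value") or p.get("defaultValue"))]


def plan_enrichment(response: dict, entities: list[dict]) -> EnrichmentPlan:
    plan, covered = EnrichmentPlan(), set()
    for integ in response.get("integrations", []):
        for action in integ.get("actions", []):
            supported = set(action.get("entityTypes", []))
            matches = [e for e in entities if e["type"] in supported]
            if not matches:
                continue      # no entity of a supported type: never run it
            covered.update(e["type"] for e in matches)
            missing = _unfilled_mandatory(action)
            if missing:       # matches, but an operator must supply these first
                plan.needs_input.append((integ["displayName"], action["displayName"], missing))
                continue
            plan.runnable.extend(
                PlannedAction(integ["integration"], integ["integrationInstance"],
                              integ["displayName"], action["displayName"],
                              e["type"], e["value"]) for e in matches)
    plan.uncovered_types = sorted({e["type"] for e in entities} - covered)
    return plan


if __name__ == "__main__":
    result = plan_enrichment(SAMPLE_RESPONSE, SAMPLE_ALERT_ENTITIES)
    for p in result.runnable:
        print(f"run  {p.integration_display_name} / {p.action} on {p.entity_type}={p.entity_value}")
    for integ_name, action_name, params in result.needs_input:
        print(f"hold {integ_name} / {action_name}: supply {', '.join(params)}")
    print("entity types with no enrichment action:", result.uncovered_types)
```

The three buckets are deliberate: runnable pairs go straight to execute_actions, actions held for missing mandatory input are surfaced rather than silently dropped, and entity types no enabled action covers are reported so the analyst knows where enrichment will be blind.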
The following sample demonstrates how to use curl to invoke the fetch_enrichment_actions MCP tool. The placeholder comment inside "arguments" is not valid JSON; replace it with the project_id, customer_id, region and siem_alert_id arguments listed under Args. As with any call to a chronicle.googleapis.com endpoint, the request must also carry an OAuth 2.0 access token in an Authorization: Bearer header, which the sample omits.

Curl Request

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "fetch_enrichment_actions",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
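An added example, not taken from this page or from Google, of assembling the same request and decoding the reply in Python. It assumes the snake_case argument names listed under Args, that the server answers with either a JSON body or a text/event-stream body (both are offered in the curl sample's accept header), and the standard MCP tools/call result shape, in which the FetchActionsResponse arrives either as structuredContent or as a JSON string inside a text content block; none of that is spelled out on this page. The SSE reply in the block is constructed, and the live send_request helper is never called offline.

```python
"""Build and decode a tools/call for fetch_enrichment_actions over MCP HTTP.

Added example, not part of the Chronicle documentation. Assumptions: the tool
takes the snake_case argument names listed under Args; the server may answer
with a JSON body or with a text/event-stream body (the accept header in the
curl sample allows both); and the tool result follows the standard MCP
tools/call shape, carrying the FetchActionsResponse in "structuredContent" or
as a JSON string in a text content block. SAMPLE_SSE_BODY is constructed.
"""
import json
import urllib.request

MCP_ENDPOINT = "https://chronicle.googleapis.com/mcp"   # from the curl sample


def build_request(project_id, customer_id, region, siem_alert_id, request_id=1):
    """JSON-RPC 2.0 envelope for the tool; every argument is required."""
    args = {"project_id": project_id, "customer_id": customer_id,
            "region": region, "siem_alert_id": siem_alert_id}
    for name, value in args.items():
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{name} is required and must be a non-empty string")
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "fetch_enrichment_actions", "arguments": args}}


def send_request(envelope, access_token):
    """POST the envelope with an OAuth 2.0 bearer token; returns (content_type, body)."""
    req = urllib.request.Request(
        MCP_ENDPOINT, data=json.dumps(envelope).encode(), method="POST",
        headers={"content-type": "application/json",
                 "accept": "application/json, text/event-stream",
                 "authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers.get("content-type", ""), resp.read().decode()


def decode_body(content_type, body):
    """Split a JSON or SSE body into the JSON-RPC messages it carries."""
    if not content_type.startswith("text/event-stream"):
        return [json.loads(body)]
    messages = []
    for event in body.replace("\r\n", "\n").split("\n\n"):
        # Per SSE, an event's payload is its 'data:' lines joined with newlines.
        data = [ln[5:].lstrip() for ln in event.split("\n") if ln.startswith("data:")]
        if data:
            messages.append(json.loads("\n".join(data)))
    return messages


def extract_fetch_actions_response(messages, request_id=1):
    """Pick the reply to our request and unwrap the FetchActionsResponse."""
    for msg in messages:
        if msg.get("id") != request_id:
            continue                      # notifications or replies to other ids
        if "error" in msg:                # protocol-level failure (bad params, auth, ...)
            err = msg["error"]
            raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
        result = msg["result"]
        if result.get("isError"):         # tool-level failure: text blocks hold the message
            text = " ".join(c.get("text", "") for c in result.get("content", []))
            raise RuntimeError(f"tool error: {text.strip()}")
        if "structuredContent" in result:
            return result["structuredContent"]
        for block in result.get("content", []):
            if block.get("type") == "text":
                return json.loads(block["text"])
        raise ValueError("result carries no FetchActionsResponse")
    raise LookupError(f"no reply with id {request_id}")


# Constructed SSE reply: one integration with one action, as a server might stream it.
_INNER = {"parent": "projects/example-project/locations/us/instances/example-instance",
          "integrations": [{"integration": "VirusTotalV3", "integrationInstance": "vt-prod",
                            "displayName": "VirusTotal", "description": "Reputation lookups",
                            "actions": [{"displayName": "Get IP Report", "description": "",
                                         "parameters": [], "entityTypes": ["ADDRESS"]}]}]}
SAMPLE_SSE_BODY = (
    "event: message\n"
    "data: " + json.dumps({"jsonrpc": "2.0", "id": 1,
                           "result": {"content": [{"type": "text", "text": json.dumps(_INNER)}],
                                      "isError": False}}) + "\n\n"
)

if __name__ == "__main__":
    env = build_request("example-project", "C1234", "us", "alert-0001")  # placeholder values
    # content_type, body = send_request(env, access_token)   # live call; needs a real token
    resp = extract_fetch_actions_response(decode_body("text/event-stream", SAMPLE_SSE_BODY), env["id"])
    for integ in resp["integrations"]:
        for action in integ["actions"]:
            print(integ["displayName"], "/", action["displayName"], action["entityTypes"])
```

Matching on the JSON-RPC id matters because an SSE stream can interleave notifications with the reply, and checking both the JSON-RPC error member and the result's isError flag separates transport or parameter failures from a tool that ran and failed.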
Input Schema
Request for FetchActions.
FetchActionsRequest
JSON representation

```json
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "siemAlertId": string
}
```

| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| siemAlertId | SIEM alert ID. |
Output Schema
Response for FetchActions.
FetchActionsResponse
JSON representation

```json
{
  "parent": string,
  "integrations": [
    {
      object (AgentIntegrationDetails)
    }
  ]
}
```

| Field | Description |
|---|---|
| parent | Output only. The parent, which owns the collection of actions. |
| integrations[] | List of all integrations that can be used to execute actions on the SIEM alert. |
AgentIntegrationDetails
JSON representation

```json
{
  "integration": string,
  "integrationInstance": string,
  "displayName": string,
  "description": string,
  "actions": [
    {
      object (AgentIntegrationAction)
    }
  ]
}
```

| Field | Description |
|---|---|
| integration | Unique identifier of the integration. |
| integrationInstance | Unique identifier of the integration instance. |
| displayName | Display name of the integration. |
| description | Description of the integration. |
| actions[] | List of all actions that can be executed on the SIEM alert using this integration. |
AgentIntegrationAction
JSON representation

```json
{
  "displayName": string,
  "description": string,
  "parameters": [
    {
      object (AgentActionParameter)
    }
  ],
  "entityTypes": [
    string
  ]
}
```

| Field | Description |
|---|---|
| displayName | The name of the action. |
| description | The description of the action. |
| parameters[] | The parameters required for the action. |
| entityTypes[] | The entity types that the action supports. |
AgentActionParameter
JSON representation

```json
{
  "mandatory": boolean,
  "defaultValue": string,
  "description": string,
  "name": string,
  "value": string,
  "type": string,
  "optionalValuesJson": string
}
```

| Field | Description |
|---|---|
| mandatory | Required. Whether the parameter is mandatory. |
| defaultValue | The default value of the parameter. |
| description | The description of the parameter. |
| name | The name of the parameter. |
| value | The value of the parameter. |
| type | Required. The type of the parameter. |
| optionalValuesJson | The optional values for the parameter in JSON format. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌