MCP Tools Reference: chronicle.googleapis.com

Tool: generate_rules

Generates one or more YARA-L (YL2) rules based on the provided Threat Detection Opportunity (TDO).

Creates draft detection rules and initial metadata (name, description, MITRE ATT&CK mapping) from a structured threat description. This tool is essential for closing coverage gaps when an emerging threat is identified but not adequately detected by existing rules.

Workflow Integration:

  • This tool is typically called AFTER generate_threat_detection_opportunity and if a subsequent coverage analysis identifies a gap.
  • The resulting rules can be validated against synthetic UDM events if provided in the request.
  • Generated rules are intended to be reviewed by a detection engineer before deployment.

Use Cases:

  • Generate a new YARA-L rule for a provided Threat Detection Opportunity (TDO).
  • Create detection logic for a specific TTP (Tactics, Techniques, and Procedures) identified in threat intelligence.

Example:

Rule:

  rule suspicious_powershell_execution {
    meta:
      description = "Detects suspicious powershell execution with encoded command line arguments"
      mitre_attack_tactic = "Execution"
      mitre_attack_technique = "Command and Scripting Interpreter: PowerShell"
    events:
      $e.metadata.event_type = "PROCESS_LAUNCH"
      $e.target.process.command_line = /powershell.*(-e|-enc|-encodedcommand).*/i
    condition:
      $e
  }

Example Usage:

  • generate_rules(projectId='my-project', customerId='my-customer', region='us', threatDetectionOpportunity=my_tdo)

The following sample demonstrates how to use curl to invoke the generate_rules MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "generate_rules",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
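Added example (not code from the Chronicle MCP reference): it assembles the "arguments" object the curl template leaves empty, following the Input Schema below, wraps it in the same JSON-RPC tools/call envelope, and pulls ruleText/feedbackId pairs out of a GenerateRulesResponse while flagging drafts that lack the meta/events/condition sections a YARA-L 2 rule needs before a detection engineer reviews them. The TDO contents, the log type name and the sample response (including its feedbackId) are constructed for illustration; sending the request over HTTP is left out so the block runs offline.

```python
import json
import re

REQUIRED = ("projectId", "customerId", "region")  # per the Input Schema

def build_tdo(summary, tactics, techniques, log_types, evidence=(), observables=None):
    """Assemble a ThreatDetectionOpportunity object as the schema lays it out."""
    return {
        "summary": summary,
        "mitreInfo": {"tactics": list(tactics), "techniques": list(techniques)},
        "supportingEvidence": list(evidence),
        "observables": observables or {"atomics": {}, "procedures": {}},
        "logTypes": list(log_types),
    }

def build_request(project_id, customer_id, region, tdo, rpc_id=1):
    """Return the JSON-RPC 2.0 body for a generate_rules tools/call.
    threatDetectionOpportunity is the only member of the rule_gen_source union."""
    args = {"projectId": project_id, "customerId": customer_id, "region": region,
            "threatDetectionOpportunity": tdo}
    missing = [k for k in REQUIRED if not args.get(k)]
    if missing:
        raise ValueError(f"required fields missing: {missing}")
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "tools/call",
            "params": {"name": "generate_rules", "arguments": args}}

def extract_rules(response):
    """Read generatedRules[] from a GenerateRulesResponse; 'complete' is True only
    when the draft has a rule header plus meta:, events: and condition: sections."""
    out = []
    for r in response.get("generatedRules", []):
        text = r.get("ruleText", "")
        complete = bool(re.search(r"\brule\s+\w+\s*\{", text)) and all(
            re.search(rf"\b{s}:", text) for s in ("meta", "events", "condition"))
        out.append({"ruleText": text, "feedbackId": r.get("feedbackId"), "complete": complete})
    return out

# Constructed sample response shaped like the Output Schema (feedbackId is a placeholder).
SAMPLE_RESPONSE = {"generatedRules": [
    {"ruleText": 'rule enc_ps { meta: description = "x" events: $e.metadata.event_type = '
                 '"PROCESS_LAUNCH" $e.target.process.command_line = /-enc/i condition: $e }',
     "feedbackId": "00000000-0000-0000-0000-000000000000"},
    {"ruleText": "rule truncated_draft { meta: description = \"y\" events:",  # no condition
     "feedbackId": "00000000-0000-0000-0000-000000000001"},
]}

if __name__ == "__main__":
    tdo = build_tdo("Encoded PowerShell launched from Office", ["Execution"],
                    ["T1059.001"], ["WINDOWS_SYSMON"], ["constructed evidence note"])
    print(json.dumps(build_request("my-project", "my-customer", "us", tdo), indent=2))
    print(extract_rules(SAMPLE_RESPONSE))
```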

Input Schema

Request message for GenerateRulesRequest.

GenerateRulesRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,

  // Union field rule_gen_source can be only one of the following:
  "threatDetectionOpportunity": {
    object (ThreatDetectionOpportunity)
  }
  // End of list of possible types for union field rule_gen_source.
}
Fields
projectId

string

Required. Google Cloud project ID.

customerId

string

Required. Chronicle customer ID.

region

string

Required. Chronicle region (e.g., "us", "europe").

Union field rule_gen_source. The originating artifacts that should be used to generate a rule. rule_gen_source can be only one of the following:
threatDetectionOpportunity

object (ThreatDetectionOpportunity)

The structured threat description (TDO) used as the basis for rule generation.

ThreatDetectionOpportunity

JSON representation
{
  "summary": string,
  "mitreInfo": {
    object (MitreInfo)
  },
  "supportingEvidence": [
    string
  ],
  "observables": {
    object (ObservableCollection)
  },
  "logTypes": [
    string
  ]
}
Fields
summary

string

Concise, one-sentence summary.

mitreInfo

object (MitreInfo)

MITRE ATT&CK details for the Threat Detection Opportunity.

supportingEvidence[]

string

Free-form text of supporting evidence for the Threat Detection Opportunity extracted from the threat.

observables

object (ObservableCollection)

Detection opportunity observables (hostnames, IPs, etc.).

logTypes[]

string

Resource names of log types associated with the Threat Detection Opportunity.

MitreInfo

JSON representation
{
  "tactics": [
    string
  ],
  "techniques": [
    string
  ],
  "platform": string,
  "procedure": string,
  "detectionStrategy": string
}
Fields
tactics[]

string

Optional. MITRE ATT&CK tactics.

techniques[]

string

Optional. MITRE ATT&CK techniques.

platform

string

Platform the technique is associated with.

procedure

string

MITRE ATT&CK procedure.

detectionStrategy

string

Detection strategy for the Threat Detection Opportunity.

ObservableCollection

JSON representation
{
  "atomics": {
    object (AtomicIndicatorCollection)
  },
  "procedures": {
    object (ProcedureCollection)
  }
}
Fields
atomics

object (AtomicIndicatorCollection)

Context-free IOCs.

procedures

object (ProcedureCollection)

Context-dependent tactics, techniques, and procedures.

AtomicIndicatorCollection

JSON representation
{
  "hashes": [
    string
  ],
  "domains": [
    string
  ],
  "urls": [
    string
  ],
  "ipAddresses": [
    string
  ],
  "emails": [
    string
  ],
  "ports": [
    integer
  ]
}
Fields
hashes[]

string

File hashes associated with the threat.

domains[]

string

Domains associated with the threat.

urls[]

string

URLs associated with the threat.

ipAddresses[]

string

IP addresses associated with the threat.

emails[]

string

Email addresses associated with the threat.

ports[]

integer

Ports associated with the threat.

ProcedureCollection

JSON representation
{
  "files": [
    string
  ],
  "registryKeys": [
    string
  ],
  "processes": [
    string
  ],
  "parentProcesses": [
    string
  ],
  "userAccounts": [
    string
  ]
}
Fields
files[]

string

Files associated with the threat.

registryKeys[]

string

Registry keys associated with the threat.

processes[]

string

Processes associated with the threat.

parentProcesses[]

string

Parent process names associated with the threat.

userAccounts[]

string

User accounts associated with the threat.

Output Schema

Response message for GenerateRulesRequest.

GenerateRulesResponse

JSON representation
{
  "generatedRules": [
    {
      object (GeneratedRule)
    }
  ]
}
Fields
generatedRules[]

object (GeneratedRule)

The generated Rules.

GeneratedRule

JSON representation
{
  "ruleText": string,
  "feedbackId": string
}
Fields
ruleText

string

The core rule text for the generated Rule.

feedbackId

string

The UUID of the feedback report.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌