MCP Tools Reference: chronicle.googleapis.com

Tool: generate_threat_detection_opportunity

Generates a Threat Detection Opportunity (TDO) for a given threat, which can be a GTI campaign, or a new threat described by the user from any external source.

It returns: A Threat Detection Opportunity (TDO) - a structured description of a threat containing MITRE information, observed contextual IOCs (atomics), and procedures used by the attacker, and a list of log types.

Workflow Integration:

  • This is typically the FIRST tool an agent should call for a user-supplied threat for detection engineering workflows.
  • The generated Threat Detection Opportunity (TDO) provides all the necessary information for subsequent tools to generate synthetic logs for a TDO, then evaluate existing rule coverage for those logs, and finally to create a new YL2 rule if coverage is insufficient.
  • Use the Threat Detection Opportunity (TDO) as input for subsequent tools that generate coverage analysis or new YL2 rules.

Security Note: The output Threat Detection Opportunity (TDO) is generated from user-supplied input via an LLM. It should be treated as untrusted. When using the TDO as input for subsequent tools, especially those generating or modifying security artifacts like YL2 rules, ensure there is a strict validation process or a human-in-the-loop review to prevent potential denial of service or security blind spots caused by malicious inputs.

Use Cases:

  • Determine rule coverage for a threat.
  • Generate a new YL2 rule for a threat.
  • Generate synthetic logs and enriched UDM events.

The following sample demonstrate how to use curl to invoke the generate_threat_detection_opportunity MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "generate_threat_detection_opportunity",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for GenerateThreatDetectionOpportunity.

GenerateThreatDetectionOpportunityRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "threat": string
}
Fields
projectId

string

Required. Google Cloud project ID.
customerId

string

Required. Chronicle customer ID.
region

string

Required. Chronicle region (e.g., "us", "europe").
threat

string

The text of the threat to generate a detection opportunity for.

Output Schema

Response message for GenerateThreatDetectionOpportunity.

GenerateThreatDetectionOpportunityResponse

JSON representation 
{
  "threatDetectionOpportunities": [
    {
      object (ThreatDetectionOpportunity)
    }
  ]
}
Fields
threatDetectionOpportunities[]

object (ThreatDetectionOpportunity)

A Threat Detection Opportunity (TDO) - a structured description of a threat containing MITRE information, observed contextual IOCs (atomics), and procedures used by the attacker, and a list of log types.

ThreatDetectionOpportunity

JSON representation 
{
  "summary": string,
  "mitreInfo": {
    object (MitreInfo)
  },
  "supportingEvidence": [
    string
  ],
  "observables": {
    object (ObservableCollection)
  },
  "logTypes": [
    string
  ]
}
Fields
summary

string

Concise, one sentence summary.
mitreInfo

object (MitreInfo)

MITRE ATT&CK details for the Threat Detection Opportunity.
supportingEvidence[]

string

Free-form text of supporting evidence for the Threat Detection Opportunity extracted from the threat.
observables

object (ObservableCollection)

Detection opportunity observables - hostnames, IP's, etc.
logTypes[]

string

Resource names of log types associated with the Threat Detection Opportunity.

MitreInfo

JSON representation 
{
  "tactics": [
    string
  ],
  "techniques": [
    string
  ],
  "platform": string,
  "procedure": string,
  "detectionStrategy": string
}
Fields
tactics[]

string

Optional. MITRE ATT&CK tactics.
techniques[]

string

Optional. MITRE ATT&CK techniques.
platform

string

Platform the technique is associated with.
procedure

string

MITRE ATT&CK procedure.
detectionStrategy

string

Detection strategy for the Threat Detection Opportunity.

ObservableCollection

JSON representation 
{
  "atomics": {
    object (AtomicIndicatorCollection)
  },
  "procedures": {
    object (ProcedureCollection)
  }
}
Fields
atomics

object (AtomicIndicatorCollection)

Context-free IOCs.
procedures

object (ProcedureCollection)

Context-dependent tactics, techniques, and procedures.

AtomicIndicatorCollection

JSON representation 
{
  "hashes": [
    string
  ],
  "domains": [
    string
  ],
  "urls": [
    string
  ],
  "ipAddresses": [
    string
  ],
  "emails": [
    string
  ],
  "ports": [
    integer
  ]
}
Fields
hashes[]

string

File hashes associated with the threat.
domains[]

string

Domains associated with the threat.
urls[]

string

URLs associated with the threat.
ipAddresses[]

string

IP addresses associated with the threat.
emails[]

string

Email addresses associated with the threat.
ports[]

integer

Ports associated with the threat.

ProcedureCollection

JSON representation 
{
  "files": [
    string
  ],
  "registryKeys": [
    string
  ],
  "processes": [
    string
  ],
  "parentProcesses": [
    string
  ],
  "userAccounts": [
    string
  ]
}
Fields
files[]

string

Files associated with the threat.
registryKeys[]

string

Registry keys associated with the threat.
processes[]

string

Processes associated with the threat.
parentProcesses[]

string

Parent process names associated with the threat.
userAccounts[]

string

User accounts associated with the threat.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌