Tool: get_agent_settings
Retrieves the current configuration settings for the SecOps Investigation Agent within a specific SecOps instance.
This tool allows users or other agents to inspect the behavior of the automated investigation agent, such as whether it's enabled, how long it waits before starting an investigation, and any filters controlling which alerts it processes.
Workflow Integration:
- Conversational Interfaces: Enables a chat agent to answer user questions about the Investigation Agent's current setup (e.g., "Is auto-investigation turned on?", "What is the current alert filter for the investigation agent?").
- Pre-check for Updates: Useful to call before attempting an update via update_agent_settings, to see the current state of the investigation agent.
- Auditing & Verification: Allows administrators to verify that the investigation agent is configured as expected.

Use Cases:
- Chat Q&A: User: "Is the Investigation Agent active?"
- Chat Q&A: User: "What's the delay before the investigation agent starts an auto-investigation?"
- Chat Q&A: User: "Are there any filters applied to the Investigation Agent?"
- An administrator checks the settings before making changes to the investigation agent's behavior.
- An automated script fetches the settings to ensure compliance with security policies.
Args:
- project_id (str): Google Cloud project ID (e.g., "my-chronicle-project"). Required.
- customer_id (str): SecOps customer ID (UUID). Required.
- region (str): SecOps region (e.g., "us", "europe"). Required.

Returns: AgentSettings: The current AgentSettings object for the instance. Key fields include:
- name (str): The resource name of the settings object.
- auto_investigation_enabled (bool): True if the investigation agent automatically starts investigations for new alerts that match the filter.
- alert_filter (str): An AIP-160 filter string. Only alerts matching the filter trigger automatic investigations; an empty string means no filter is applied, so every new alert qualifies. Examples: "detection.rule_name = /enumeration/", "detection.detection.rule_id != 1234".
- auto_investigation_delay (Duration): How long the investigation agent waits after an alert is detected before starting the investigation, returned in JSON as a seconds string (e.g., "300s"). Only meaningful when auto_investigation_enabled is true.
Returns an error message if the settings cannot be retrieved (e.g., permissions issue).
Example Usage:

```python
# Get the current settings for the investigation agent
get_agent_settings(
    project_id='secops-ai-staging',
    region='us',
    customer_id='eb3b937b-3ab6-47e5-8185-24837b826691'
)
```

Next Steps (using MCP-enabled tools): Based on the returned settings, the user/agent might decide to:
- Trigger a manual investigation using trigger_investigation if auto-investigation is disabled or the alert was filtered out.
- Inform the user of the current configuration in response to their query.
The following sample demonstrates how to use curl to invoke the get_agent_settings MCP tool.

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "get_agent_settings",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```

Two things the sample leaves out: the `//` comment inside "arguments" is a placeholder, not valid JSON, and must be replaced with the three string arguments (project, customer and region) before the body is sent; and the request carries no credentials. As with other Google Cloud APIs, a call to chronicle.googleapis.com needs an OAuth 2.0 access token in an `Authorization: Bearer ...` header (for example one obtained with `gcloud auth print-access-token`); without it the endpoint rejects the call regardless of the payload.
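The following Python module is an added example written for this page; it is not code from the Google SecOps product, its SDK, or the MCP server. It builds the same JSON-RPC 2.0 tools/call envelope as the curl sample, unpacks a tools/call response into the AgentSettings object, parses the Duration string of auto_investigation_delay, and runs the kind of policy check the "automated script" use case describes. Everything it assumes is labelled: the argument names are taken from the Args section (project_id, customer_id, region); the response shape (a result with either structuredContent or a JSON string in the first text content item, and an error object or isError flag on failure) follows the generic MCP tools/call contract rather than anything this page states; the policy thresholds and the sample response are constructed for the example.

```python
"""Added example (not from the SecOps page or SDK): build a tools/call request
for get_agent_settings, unpack the response, and policy-check the settings.

Assumptions, labelled as such: argument names follow the Args section
(project_id, customer_id, region); the tools/call result carries the settings
either in `structuredContent` or as a JSON string in its first text content
item (generic MCP contract, not stated on the page); SAMPLE_RESPONSE below is
constructed, not captured from a live instance.
"""
import json
import re
from typing import Any, Dict, List

MCP_ENDPOINT = "https://chronicle.googleapis.com/mcp"  # endpoint from the curl sample


def build_get_agent_settings_request(project_id: str, customer_id: str,
                                     region: str, request_id: int = 1) -> Dict[str, Any]:
    """JSON-RPC 2.0 envelope with the same shape as the page's curl body."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "get_agent_settings",
            "arguments": {  # assumption: snake_case names as in the Args section
                "project_id": project_id,
                "customer_id": customer_id,
                "region": region,
            },
        },
    }


# JSON form of a Duration: decimal seconds, up to nine fractional digits, trailing 's'.
_DURATION_RE = re.compile(r"^-?\d+(\.\d{1,9})?s$")


def parse_duration_seconds(text: str) -> float:
    """Parse '300s' or '3.5s' into seconds; reject anything else loudly."""
    if not _DURATION_RE.match(text):
        raise ValueError(f"not a Duration string: {text!r}")
    return float(text[:-1])


def extract_agent_settings(response: Dict[str, Any]) -> Dict[str, Any]:
    """Unpack a tools/call response into the AgentSettings dict.

    A JSON-RPC error object or a result flagged isError (how the tool reports
    e.g. a permissions problem) raises instead of returning partial data.
    """
    if "error" in response:
        err = response["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = response.get("result", {})
    if result.get("isError"):
        texts = [c.get("text", "") for c in result.get("content", []) if c.get("type") == "text"]
        raise RuntimeError("tool error: " + " ".join(texts))
    if "structuredContent" in result:
        return result["structuredContent"]
    for item in result.get("content", []):
        if item.get("type") == "text":
            return json.loads(item["text"])
    raise RuntimeError("no AgentSettings payload in response")


def check_policy(settings: Dict[str, Any], max_delay_seconds: float = 600.0) -> List[str]:
    """Return policy findings (empty list means compliant).

    Policy used here is an assumption for the example: auto-investigation on,
    delay at most max_delay_seconds, and a non-empty alertFilter so that the
    auto-investigation quota is not spent on every alert.
    """
    findings: List[str] = []
    if not settings.get("autoInvestigationEnabled", False):
        findings.append("auto-investigation is disabled")
    else:
        delay = parse_duration_seconds(settings.get("autoInvestigationDelay", "0s"))
        if delay > max_delay_seconds:
            findings.append(f"auto-investigation delay {delay:g}s exceeds {max_delay_seconds:g}s")
    if not settings.get("alertFilter", "").strip():
        findings.append("no alertFilter set; every alert triggers an auto-investigation")
    return findings


# Constructed sample response (not captured from a real instance).
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": {
        "isError": False,
        "content": [{"type": "text", "text": json.dumps({
            "name": "projects/my-chronicle-project/locations/us/instances/"
                    "eb3b937b-3ab6-47e5-8185-24837b826691/agentSettings",
            "autoInvestigationEnabled": True,
            "alertFilter": "detection.rule_name = /enumeration/ AND detection.detection.rule_id != 1234",
            "autoInvestigationDelay": "300s",
            "quotaInfo": {"autoInvestigationsQuotaLimit": "100",
                          "manualInvestigationsQuotaLimit": "50"},
        })}],
    },
}

if __name__ == "__main__":
    req = build_get_agent_settings_request("my-chronicle-project",
                                           "eb3b937b-3ab6-47e5-8185-24837b826691", "us")
    print(json.dumps(req, indent=2))  # body to POST to MCP_ENDPOINT with a bearer token
    print(check_policy(extract_agent_settings(SAMPLE_RESPONSE)) or ["compliant"])
```

To run it against a real instance, POST the built body to MCP_ENDPOINT with the Authorization header described above and feed the parsed JSON reply to extract_agent_settings; the duration parser deliberately refuses strings without the trailing 's' rather than defaulting to zero, because a silently zero delay would make a misconfigured instance look compliant.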
Input Schema

This message represents the request to get the agent settings for a customer.

GetAgentSettingsRequest

JSON representation:

```json
{
  "projectId": string,
  "customerId": string,
  "region": string
}
```

| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
Output Schema

This message represents the agent settings for an instance.

AgentSettings

JSON representation:

```json
{
  "name": string,
  "autoInvestigationEnabled": boolean,
  "alertFilter": string,
  "autoInvestigationDelay": string,
  "quotaInfo": {
    object (QuotaInfo)
  }
}
```

| Field | Description |
|---|---|
| name | Identifier. The resource name of the AgentSettings. Format: projects/{project}/locations/{location}/instances/{instance}/agentSettings |
| autoInvestigationEnabled | Optional. Whether auto investigation is enabled for the instance. |
| alertFilter | Optional. A single AIP-160 string representing the instance-provided alert filter used for auto investigation when default settings are disabled, e.g. "detection.rule_name = /enumeration/ AND detection.detection.rule_id != 1234 AND udm.metadata.event_type = /USER_LOGIN/". |
| autoInvestigationDelay | Optional. The delay after which auto investigation is triggered for an alert when default settings are disabled. Only applied if auto investigation is enabled. Serialized as a Duration: a decimal number of seconds with up to nine fractional digits, ending with 's' (e.g. "300s"). |
| quotaInfo | Output only. The quota information for the instance. |
Duration

In the JSON response a Duration appears as the seconds string shown above (e.g. "300s"); the seconds/nanos pair below is the underlying message representation.

JSON representation:

```json
{
  "seconds": string,
  "nanos": integer
}
```

| Field | Description |
|---|---|
| seconds | Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years. |
| nanos | Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. |
QuotaInfo

JSON representation:

```json
{
  "autoInvestigationsQuotaLimit": string,
  "manualInvestigationsQuotaLimit": string
}
```

| Field | Description |
|---|---|
| autoInvestigationsQuotaLimit | Output only. The quota limit for auto investigations for the instance. |
| manualInvestigationsQuotaLimit | Output only. The quota limit for manual investigations for the instance. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌