Tool: get_case
Retrieves a single case by its resource name.
Fetches all details for a specific case, including its properties (such as priority, stage, and assignee), as well as any associated tasks, tags, and products. This tool is fundamental for drilling down into a specific incident after identifying it through a list view or search.
Usage Guidelines: When using this tool, you should typically also call the list_case_alerts tool for the same case ID to fetch the associated alerts. You should then synthesize the information from both tools to provide a comprehensive response. The response should include case details, associated alerts, and a summary of comments if available.
Here are the details for Case ID [Case ID]:
Case Details:
Name: [Name] Display Name: [Display Name] Status: [Status] Stage: [Stage] Priority: [Priority] Assignee: [Assignee] Last Modifying User ID: [Last Modifying User ID] Created Time: [Create Time] Updated Time: [Update Time] Alert Count: [Alert Count (calculate from list_case_alerts)] Important: [Important] Incident: [Incident] Type: [Type] Overflow Case: [Overflow Case] Environment: [Environment] Workflow Status: [Workflow Status] Source: [Source] Involved Suspicious Entity: [Involved Suspicious Entity] Move Environment: [Move Environment]
Associated Alerts:
Alert ID: [Alert ID] Display Name: [Alert Display Name] Rule Generator: [Rule Generator] Product: [Product] Vendor: [Vendor] Source System: [Source System (if available)] Priority: [Priority] Status: [Status] Start Time: [Start Time (if available)] End Time: [End Time (if available)] Source URL: [Source URL (if available)]
Comments: There are [Number of comments] comments associated with this case, including notes about [Topic 1], [Topic 2], and entries like "[Comment Snippet]" by [Author].
Example: There are 23 comments associated with this case, including notes about Meta-Analysis Reports, Triage Reports, and entries like "OneMCP works!" by Soary Siem.
Workflow Integration:
- Used when an analyst clicks on a case in a queue or dashboard to view its full details in an investigation UI.
- Essential for automated playbooks that need to retrieve the current state of a case before taking action, such as enrichment or remediation.
- Provides the necessary data to populate a case investigation screen, showing all relevant information in one place.
- Can be used to verify the result of an update operation by fetching the case after the update has been applied.
Use Cases:
- An analyst retrieves a case to begin an investigation and understand its context.
- An automated system fetches a case to extract entities for further enrichment from other threat intelligence sources.
- A manager views a case to review its progress, check the SLA status, and see the latest comments.
- A reporting script fetches case details to generate a detailed incident report.
Example Usage:
get_case(projectId='123', region='us', customerId='abc', caseId='456')get_case(projectId='123', region='us', customerId='abc', caseId='456', expand='tasks,tags')
Next Steps (using MCP-enabled tools):
- Use 'list_case_alerts' to fetch the details of all alerts associated with this case.
- Use 'list_case_comments' to see the full history of comments and actions taken on the case.
The following sample demonstrate how to use curl to invoke the get_case MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "get_case", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }' |
Input Schema
Request message for GetCase. Next ID: 6
GetCaseRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "caseId": string, "expand": string } |
| Fields | |
|---|---|
projectId |
Required. Google Cloud project ID. |
customerId |
Required. Chronicle customer ID. |
region |
Required. Chronicle region (e.g., "us", "europe"). |
caseId |
Required. The numeric ID of the Case to retrieve (e.g., |
expand |
A comma-separated list of related resources to include in the response. This allows you to get a more complete picture of the case in a single call. Supported values: 'tasks', 'tags', 'products'. |
Output Schema
A Case represents a security investigation in SecOps. Cases group related alerts and provide a central location for analysts to document their findings, track progress, and collaborate on resolving security incidents.
Case
| JSON representation |
|---|
{ "name": string, "creatorUserId": string, "creatorUser": string, "lastModifyingUserId": string, "lastModifyingUser": string, "createTime": string, "updateTime": string, "displayName": string, "alertCount": integer, "stage": string, "priority": enum ( |
| Fields | |
|---|---|
name |
Identifier. The unique name(ID) of the Case. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case} |
creatorUserId |
Output only. Case creator id. Used for homepage/requests feature. |
creatorUser |
Output only. Resource association for the creator. |
lastModifyingUserId |
Output only. Last user who modified the case. replaced old property name: LastModifyingUser. |
lastModifyingUser |
Output only. Resource association for the modifying user. |
createTime |
Output only. The creation time of the record in milliseconds. |
updateTime |
Output only. The modification time of the record in milliseconds. |
displayName |
Required. Case title, limited to 200 characters. Replaces old property: Title. |
alertCount |
Output only. Alerts in case. |
stage |
Required. The stage of the Case. For example, "Triage", "Incident", "Investigation". Stages are defined in "chronicle.googleapis.com/CaseStageDefinition". The default stage option is "Triage". |
priority |
Required. Default value is HIGH. Case priority. For example, "Informative", "Low", "Medium", "High", "Critical". |
assignee |
Optional. This can be a user or a @SocRole, default value is the default soc-role defined in Settings. |
assignedUser |
Output only. Resource association for the assignee. |
description |
Optional. Case description. Limit chars to 1000. |
type |
Required. Case type. |
environment |
Required. Case logical environments. |
status |
Output only. Case data status. |
score |
Optional. Attack exposure score, how risky the case. |
workflowStatus |
Output only. Case playbook status. |
sla |
Optional. SLA for the case. |
alertsSla |
Optional. Aggregated alerts SLA. (alert has SLA as well). |
source |
Output only. The source that created the case. Possible values: "Server", "User", "Simulated", "Merge", "AlertMove" |
tags[] |
Optional. CaseTags associated with the case. |
products[] |
Optional. Products associated with the case. Contains Name of product (e.g. WinEventLog:Security/DLP_Product). Replaces old property: "Product". |
closureDetails |
Optional. Case closure details. |
tasks[] |
Output only. Tasks associated with the case. |
moveEnvironment |
Optional. Case environment move details. |
dataAccessScopes[] |
Output only. Data Access Scopes. |
customFieldValues[] |
Optional. Custom field values associated with the case. |
Union field
|
|
important |
Optional. Additional way to specify case importance. The default is false. |
Union field
|
|
incident |
Optional. Additional way to specify if the case marked as incident. The default is false. |
Union field
|
|
overflowCase |
Output only. Case without events, was reduced by the connector service due to a large amount of data. During ingestion if the "alert package" crosses a specific threshold, the alert will be trimmed due to security reasons (DDOS attacks, etc..) |
Union field
|
|
involvedSuspiciousEntity |
Optional. If has involved suspicious entity in the case. |
Sla
| JSON representation |
|---|
{
"expirationTime": string,
"criticalExpirationTime": string,
"expirationStatus": enum ( |
| Fields | |
|---|---|
expirationTime |
Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration. |
criticalExpirationTime |
Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration. |
expirationStatus |
Output only. SLA expiration status. |
remainingTimeSinceLastPause |
Output only. Remaining time since last pause. |
CaseTag
| JSON representation |
|---|
{ "displayName": string, "alert": string, // Union field |
| Fields | |
|---|---|
displayName |
Output only. The name of the tag |
alert |
Output only. For tags set by playbook action, this is relevant during MoveAlert. Replaces old property: "Indicator". |
Union field
|
|
priority |
Output only. During ingestion if more than one tag matches the criteria, the one with the priority will be chosen. Available options: 1-5. |
CaseProduct
| JSON representation |
|---|
{ "displayName": string, "alert": string } |
| Fields | |
|---|---|
displayName |
Output only. Display name of the product. |
alert |
Output only. Replaces old property: "AlertIdentifier". |
CaseClosureDetails
| JSON representation |
|---|
{ "reason": enum ( |
| Fields | |
|---|---|
reason |
Output only. Case closure reason. |
rootCause |
Output only. Case closure root cause. |
caseClosedAction |
Output only. Case closed action. |
comment |
Output only. Case closure comment. |
Task
| JSON representation |
|---|
{ "name": string, "id": string, "createTime": string, "updateTime": string, "content": string, "dueTime": string, "title": string, "author": string, "lastAuthor": string, "assignee": string, "status": enum ( |
| Fields | |
|---|---|
name |
Identifier. The unique name(ID) of the task. Format: projects/{project}/locations/{location}/instances/{instance}/tasks/{task} |
id |
Output only. The unique ID of the task. |
createTime |
Output only. The creation time of the task. |
updateTime |
Output only. The last update time of the task. |
content |
Required. The task content, limited to 4096 characters. |
dueTime |
Optional. The due time for the task in ms. When specified during task creation, must be in the future. Is optional as deadlines can exist without a specific scheduled time. |
title |
Required. The task title, minimum length of 3 characters and maximum of 50 characters. |
author |
Output only. The user who created the task. |
lastAuthor |
Output only. The last editor of the task. |
assignee |
Required. The assignee of the task. |
status |
Required. The status of the task. todo change to task startus enum |
resolver |
Output only. The user who resolved the task. |
comment |
Required. Comment added during task resolution, limited to 4096 characters. |
resolutionTime |
Output only. The resolution time of the task in ms. |
caseId |
Optional. Associated case id (if task is related to a specific case) Can be optional as tasks may exist independently or be associated with a specific case. |
Union field
|
|
favorite |
Optional. Determines whether the task is marked as favorite. |
MoveEnvironment
| JSON representation |
|---|
{ "shouldDeleteOldCase": boolean } |
| Fields | |
|---|---|
shouldDeleteOldCase |
Optional. If the case should be deleted on move to the new environment. |
CustomFieldValue
| JSON representation |
|---|
{
"name": string,
"customFieldId": string,
"scope": enum ( |
| Fields | |
|---|---|
name |
Identifier. Unique identifier of the resource. |
customFieldId |
Required. The id of the parent CustomField that owns this CustomFieldValue |
scope |
Output only. Scope of the value. |
scopeId |
Required. Identifier of the value referencing case or alert. |
values[] |
Required. The custom field value. |
valuesSearchText |
Output only. Specific field represents the |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌