MCP Tools Reference: chronicle.googleapis.com

Tool: `get_connector_event`

Retrieves a specific connector event associated with a case alert in Chronicle SIEM.

Provides detailed information about a single connector event, including its raw data.

Workflow Integration:

Used to drill down into a specific connector event from a list of events within a case alert.
Enables other systems to get the current state of a connector event before taking action.

Use Cases:

An analyst clicks on a connector event in the SOAR UI to view its full details.
An automated playbook fetches a connector event to extract specific indicators of compromise (IoCs).

Important Note:

The connector_event_id, case_id, and case_alert_id arguments should be the integer IDs of the respective entities.
If you have a non-integer identifier (e.g., a GUID or event identifier), use list_connector_events to get the integer IDs first.
Then use get_connector_event with the integer IDs.

Example Usage:

get_connector_event(projectId='123', region='us', customerId='abc', caseId='456', case_alert_id='789', connectorEventId='101112')
get_connector_event(projectId='123', region='us', customerId='abc', caseId='456', case_alert_id='789', connectorEventId='101112', expandEventJsonData=true)

Next Steps (using MCP-enabled tools):

Use 'list_connector_events' to see other connector events in the same case alert.
Suggest enabling 'expandEventJsonData' to get the full event details.

The following sample demonstrate how to use curl to invoke the get_connector_event MCP tool.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "get_connector_event", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }'

Curl Request

                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "get_connector_event",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for GetConnectorEvent.

GetConnectorEventRequest

JSON representation
{ "projectId": string, "customerId": string, "region": string, "caseId": string, "caseAlertId": string, "connectorEventId": string, "expandEventJsonData": boolean }

Fields
`projectId`	`string` Required. Google Cloud project ID.
`customerId`	`string` Required. Chronicle customer ID.
`region`	`string` Required. Chronicle region (e.g., "us", "europe").
`caseId`	`string` The integer Case ID of the connector event to retrieve.
`caseAlertId`	`string` The integer Case Alert ID of the connector event to retrieve.
`connectorEventId`	`string` The integer ID of the connector event to retrieve.
`expandEventJsonData`	`boolean` Whether to expand the eventJsonData field. Defaults to `false`.

Output Schema

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. ConnectorEvent - Chronicle Connector Event. Types of ConnectorEvents: general, case-spesific

ConnectorEvent

JSON representation

JSON representation
{ "name": string, "createTime": string, "updateTime": string, "alertIdentifier": string, "environment": string, "eventIdentifier": string, "alertGroupIdentifier": string, "mappedEventJson": string, "eventJsonData": { object (`RawEventData`) }, "caseId": string, "id": string }

{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "alertIdentifier": string,
  "environment": string,
  "eventIdentifier": string,
  "alertGroupIdentifier": string,
  "mappedEventJson": string,
  "eventJsonData": {
    object (RawEventData)
  },
  "caseId": string,
  "id": string
}

Fields
`name`	`string` Identifier. The resource name of the ConnectorEvent. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/connectorEvents/{connector_event}
`createTime`	`string (int64 format)` Output only. The create_time of the ConnectorEvent.
`updateTime`	`string (int64 format)` Output only. The update_time of the ConnectorEvent.
`alertIdentifier`	`string` Output only. The alert_identifier of the ConnectorEvent.
`environment`	`string` Output only. The environment of the ConnectorEvent.
`eventIdentifier`	`string` Output only. The event_identifier of the ConnectorEvent.
`alertGroupIdentifier`	`string` Output only. The alert_group_identifier of the ConnectorEvent.
`mappedEventJson`	`string` Output only. The mapped_event_json of the ConnectorEvent.
`eventJsonData`	`object (RawEventData)` Output only. The raw_event of the ConnectorEvent.
`caseId`	`string (int64 format)` Output only. The case_id of the ConnectorEvent.
`id`	`string (int64 format)` Output only. The id of the ConnectorEvent.

RawEventData

JSON representation
{ "rawEvent": string }

Fields

Fields
`rawEvent`	`string` Output only. The raw event of the ConnectorEvent.

rawEvent

string

Output only. The raw event of the ConnectorEvent.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌

MCP Tools Reference: chronicle.googleapis.com Stay organized with collections Save and categorize content based on your preferences.

Tool: get_connector_event