MCP Tools Reference: chronicle.googleapis.com

Tool: import_logs

Ingest raw logs directly into Chronicle SIEM.

Allows ingestion of raw log data in various formats (JSON, XML, CEF, etc.) into Chronicle for parsing and normalization into UDM format. Supports both single log and batch ingestion.

Agent Responsibilities:

  1. Obtain forwarder_id: Provide a valid forwarder_id; the call is rejected without one. Use the forwarder management tools to look one up if needed.
  2. Timestamp Formatting: Ensure any provided timestamps are in the correct ISO 8601 format.

Workflow Integration:

  • Use this tool to feed external log sources directly into Chronicle for analysis.
  • Ingested logs are automatically parsed using Chronicle's configured parsers for the specified log type.
  • Parsed logs become searchable through UDM queries and can trigger detection rules.
  • Essential for integrating custom applications, legacy systems, or non-standard log sources with Chronicle.

Use Cases:

  • Ingest OKTA authentication logs for user behavior analysis.
  • Feed custom application logs into Chronicle for security monitoring.
  • Batch ingest historical logs during initial Chronicle deployment.
  • Import logs from external SIEM or log management systems.
  • Ingest Windows Event logs in XML format for endpoint monitoring.

Example Usage:

  • import_logs(logType="OKTA", projectId="my-project", customerId="my-customer", region="us", forwarderId="b1a2d3c4-....", logs=[okta_log])
  • import_logs(logType="WINEVTLOG_XML", logs=["<Event>...</Event>", "<Event>...</Event>"], projectId="my-project", customerId="my-customer", region="us", forwarderId="b1a2d3c4-....")

Next Steps (using MCP-enabled tools):

  • Verify ingestion success by searching for the ingested logs using udm_search.
  • Monitor for any parsing errors or failed ingestion through Chronicle's ingestion status APIs.
  • Create or update detection rules to analyze the newly ingested log types.
  • Set up alerting for important events found in the ingested logs.
  • Use entity lookup tools to analyze indicators found in the ingested data.

The following sample demonstrates how to use curl to invoke the import_logs MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "import_logs",
    "arguments": {
      "projectId": "my-project",
      "customerId": "my-customer",
      "region": "us",
      "logType": "OKTA",
      "forwarderId": "b1a2d3c4-....",
      "logs": ["<raw OKTA log entry as a JSON string>"]
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
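The Agent Responsibilities above ask the caller to supply a valid forwarderId and ISO 8601 timestamps before calling the tool, and the curl sample shows the JSON-RPC envelope the MCP endpoint expects. The following Python is an added example, not Chronicle's or Google's own client code: it validates the ImportLogsRequest fields, checks timestamp fields in JSON log entries, splits a large import into batches, and returns the `tools/call` request bodies that would go into the curl `--data` argument. The sample Okta event is constructed, the timestamp field names it checks (`published`, `timestamp`, `eventTime`) and the batch size of 100 are assumptions, and the forwarder ID is a placeholder.

```python
"""Build and validate Chronicle MCP `import_logs` requests before sending.

Added example (not Chronicle's own client). Assumes the JSON-RPC envelope
shown in the curl sample (method "tools/call", params.name/arguments,
jsonrpc "2.0", id) and the ImportLogsRequest fields from the Input Schema.
"""
import json
import re
from datetime import datetime

# ISO 8601 timestamp: date, time, optional fraction, explicit zone (Z or +hh:mm).
_ISO8601 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)
# Keys whose values are checked for ISO 8601 format (assumed field names).
_TIMESTAMP_KEYS = ("published", "timestamp", "eventTime")

MAX_BATCH = 100  # assumed batch size for splitting large imports


def is_iso8601(value: str) -> bool:
    """Return True if value is an ISO 8601 timestamp with an explicit zone."""
    if not _ISO8601.match(value):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def validate_log_entry(raw: str) -> list:
    """Return a list of problems found in one raw log string (empty if fine).

    JSON entries get their timestamp fields checked. Non-JSON payloads
    (XML, CEF, syslog) are only checked for being non-empty, because their
    timestamp layout depends on the log type's parser.
    """
    if not raw.strip():
        return ["empty log entry"]
    try:
        obj = json.loads(raw)
    except ValueError:
        return []  # not JSON; nothing more to check generically
    problems = []
    if isinstance(obj, dict):
        for key in _TIMESTAMP_KEYS:
            if key in obj and not is_iso8601(str(obj[key])):
                problems.append(f"{key}={obj[key]!r} is not ISO 8601")
    return problems


def build_import_logs_requests(project_id, customer_id, region, log_type,
                               forwarder_id, logs, batch_size=MAX_BATCH):
    """Validate inputs and return one JSON-RPC request dict per batch."""
    required = (("projectId", project_id), ("customerId", customer_id),
                ("region", region), ("logType", log_type),
                ("forwarderId", forwarder_id))
    for name, value in required:
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} is required and must be a non-empty string")
    for i, raw in enumerate(logs):
        problems = validate_log_entry(raw)
        if problems:
            raise ValueError(f"logs[{i}]: " + "; ".join(problems))
    requests = []
    for n, start in enumerate(range(0, len(logs), batch_size), start=1):
        requests.append({
            "jsonrpc": "2.0",
            "id": n,  # one JSON-RPC id per batch
            "method": "tools/call",
            "params": {
                "name": "import_logs",
                "arguments": {
                    "projectId": project_id,
                    "customerId": customer_id,
                    "region": region,
                    "logType": log_type,
                    "forwarderId": forwarder_id,
                    "logs": list(logs[start:start + batch_size]),
                },
            },
        })
    return requests


# Constructed sample Okta-style event; not data from any real tenant.
SAMPLE_OKTA_LOG = json.dumps({
    "eventType": "user.session.start",
    "published": "2024-05-01T12:34:56.123Z",
    "actor": {"alternateId": "alice@example.com"},
    "outcome": {"result": "SUCCESS"},
})

if __name__ == "__main__":
    reqs = build_import_logs_requests(
        "my-project", "my-customer", "us", "OKTA",
        "b1a2d3c4-0000-0000-0000-000000000000",  # placeholder forwarder ID
        [SAMPLE_OKTA_LOG])
    print(json.dumps(reqs[0], indent=2))  # body for curl --data
```

Each returned dict serializes to the `--data` body of the curl sample; a rejected entry raises before anything is sent, so a malformed timestamp is caught on the client rather than surfacing later as a parser error in Chronicle's ingestion status.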

Input Schema

Request message for importing logs.

ImportLogsRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "logs": [
    string
  ],
  "forwarderId": string
}
Fields
projectId

string

Required. Google Cloud project ID.

customerId

string

Required. Chronicle customer ID.

region

string

Required. Chronicle region (e.g., "us", "europe").

logType

string

Chronicle log type identifier (e.g., "OKTA", "WINEVTLOG_XML", "AWS_CLOUDTRAIL"). Use list_log_types to see supported types.

logs[]

string

A list of raw log entries, each passed as a string in the log type's native format (JSON, XML, CEF, etc.), with any timestamps formatted as described in Agent Responsibilities.

forwarderId

string

Required. Custom forwarder ID used to route the ingested logs.

Output Schema

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:

service Foo {
  rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌