MCP Tools Reference: chronicle.googleapis.com

Tool: list_case_alerts

Lists all alerts within a case. This tool also provides alert_group_identifiers for each alert.

Workflow Integration:

  • Used when an analyst needs to see all alerts within a case, such as when investigating a specific case or reviewing the status of multiple alerts.
  • Essential for automated playbooks that need to check the status of multiple alerts before taking action.
  • Provides a comprehensive view of all alerts within a case, allowing for easy navigation and status monitoring.
  • Can be used to verify the result of an update operation by fetching the alert after the update has been applied.

Use Cases:

  • An analyst views all alerts within a case to see if any other alerts are firing for the same host or user.
  • A SOC manager reviews all alerts within a case to prioritize their investigation.
  • An automated playbook checks the status of multiple alerts before taking action.
  • A reporting script fetches all alerts within a case to generate a detailed incident report.

Example Usage:

  • list_case_alerts(projectId='123', region='us', customerId='abc', caseId='456')
  • list_case_alerts(projectId='123', region='us', customerId='abc', caseId='456', filter='status="OPEN"')
  • list_case_alerts(projectId='123', region='us', customerId='abc', caseId='456', orderBy='createTime desc')

Next Steps (using MCP-enabled tools):

  • Use 'get_case_alert' with the alert's resource name to retrieve its full details.
  • Use 'create_case_comment' to add a note to the parent case explaining why the alert status was changed.
  • Use 'update_case_alert' to change the status of an alert.
  • Use 'list_case_comments' to see if any comments were added as part of the update.

The following sample demonstrate how to use curl to invoke the list_case_alerts MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_case_alerts",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListCaseAlerts. Next ID: 9

ListCaseAlertsRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string
}
Fields
projectId

string

Required. Google Cloud project ID.
customerId

string

Required. Chronicle customer ID.
region

string

Required. Chronicle region (e.g., "us", "europe").
caseId

string

Required. The numeric ID of the case to list alerts for (e.g., 12345).
pageSize

integer

The maximum number of alerts to return. The service may return fewer alerts than requested. If unspecified, the service will pick an appropriate default.
pageToken

string

A page token, received from a previous ListCaseAlerts call. Provide this to retrieve the subsequent page.
filter

string

A filter expression to filter the list of alerts. Supported fields include 'Status', 'Priority', 'CreateTime', 'UpdateTime', and 'AlertGroupIdentifier'. Note that field names are case-sensitive and follow PascalCase as used in the backend. Example: filter="AlertGroupIdentifier='Remote Failed loginJIuSrw6JxVEAQsav/ew994J+AnKNOB+vrsfNpkO3ZQI=_923ec98b-4fb6-4a3f-809d-d6de2f201795'"
orderBy

string

A comma-separated list of field names to order by. Supported fields: 'CreateTime', 'UpdateTime'.

Output Schema

Response message for ListCaseAlerts.

ListCaseAlertsResponse

JSON representation 
{
  "caseAlerts": [
    {
      object (CaseAlert)
    }
  ],
  "nextPageToken": string,
  "totalSize": integer
}
Fields
caseAlerts[]

object (CaseAlert)

The list of CaseAlerts.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.
totalSize

integer

The total number of results matching the request.

CaseAlert

JSON representation 
{
  "name": string,
  "identifier": string,
  "caseId": integer,
  "createTime": string,
  "updateTime": string,
  "ruleGenerator": string,
  "sourceGroupingIdentifier": string,
  "product": string,
  "displayName": string,
  "vendor": string,
  "environment": string,
  "ticketId": string,
  "sourceSystemName": string,
  "closureDetails": {
    object (AlertClosureDetails)
  },
  "sla": {
    object (Sla)
  },
  "manual": boolean,
  "priority": enum (LegacyCasePriority),
  "sourceIdentifier": string,
  "additionalProperties": string,
  "status": enum (AlertStatus),
  "startTime": string,
  "endTime": string,
  "involvedRelations": [
    {
      object (InvolvedRelation)
    }
  ],
  "siemAlertId": string,
  "sourceUrl": string,
  "sourceRuleUrl": string,
  "sourceSystemUrl": string,
  "sourceRuleIdentifier": string,
  "playbookStatus": enum (WorkflowStatus),
  "attachedPlaybookName": string,
  "nestingDepth": integer,
  "alertGroupIdentifier": string,
  "eventCount": integer,
  "tags": [
    {
      object (AlertTag)
    }
  ],

  // Union field _playbook_run_count can be only one of the following:
  "playbookRunCount": integer
  // End of list of possible types for union field _playbook_run_count.
}
Fields
name

string

Identifier. The unique name(ID) of the CaseAlert. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}
identifier

string

Output only. Title + Guid, e.g. ACCESS DISABLED ACCOUNTS_3A0C90F9-A87E-4E94-8727-7884F686ECDA Legacy identifier of alert used across the legacy modules in the system. Char limit: 2100
caseId

integer

Output only. Case associated with the alert. Added for convenience to be used by the UI.
createTime

string (int64 format)

Output only. The creation time of the record in milliseconds.
updateTime

string (int64 format)

Output only. The modification time of the record in milliseconds.
ruleGenerator

string

Output only. Which rule triggered the alert on the third party. This can be any rule defined in the third party Such SIEM, Splunk, CrowdStrike. Characters limit: 250.
sourceGroupingIdentifier

string

Output only. A key on the alert that can be used to group alerts to the same case. Characters limit: 2100
product

string

Output only. The product associated with the alert. E.g. DLP, WinEventLog:Security
displayName

string

Output only. The display name of the alert. E.g. "DATA EXFILTRATION"
vendor

string

Output only. The vendor of the alert. E.g. "Microsoft". Characters limit: 2100
environment

string

Output only. The environment of the alert.
ticketId

string

Output only. Third party ticket id, can be originated from SIEM or other tools. E.g. "3a0c90f9-a87e-4e94-8727-7884f686ecda"
sourceSystemName

string

Output only. Which alerting system raises the alert. E.g. "QRadar", "Arcsight", "Microsoft CASB". The Integration Name in soar.
closureDetails

object (AlertClosureDetails)

Optional. Defines the close reason of an alert if any.
sla

object (Sla)

Optional. SLA (Service Level Agreement) for the specific alert, used also to calculate aggregate case sla.
manual

boolean

Output only. Whether the alert was created manually.
priority

enum (LegacyCasePriority)

Optional. Default value is HIGH.
sourceIdentifier

string

Output only. Stores the identifier of the source of the alert, could be a connector identifier etc.
additionalProperties

string

Output only. Stores additional data on specific alerts, currently used by connectors, in JSON format.
status

enum (AlertStatus)

Optional. Alert status. Default value is OPEN.
startTime

string (int64 format)

Output only. When the alert was created on the third party product (SIEM, IPS, etc).
endTime

string (int64 format)

Output only. When the alert was closed on the third party product (SIEM, IPS, etc).
involvedRelations[]

object (InvolvedRelation)

Output only. All involved relations for the alert. Directional connection between entities in a given alert.
siemAlertId

string

Output only. The identifier of the alert int SIEM.
sourceUrl

string

Output only. The source URL of the alert.
sourceRuleUrl

string

Output only. The source rule URL of the alert.
sourceSystemUrl

string

Output only. The source system URL.
sourceRuleIdentifier

string

Output only. The source rule identifier.
playbookStatus

enum (WorkflowStatus)

Output only. Alert playbook status.
attachedPlaybookName

string

Output only. The attached playbook name.
nestingDepth

integer

Output only. The nesting depth of the alert.
alertGroupIdentifier

string

Output only. The alert group identifier.
eventCount

integer

Output only. The number of events that triggered the alert.
tags[]

object (AlertTag)

Optional. AlertTags associated with the alert.

Union field _playbook_run_count.

_playbook_run_count can be only one of the following:
playbookRunCount

integer

Output only. The number of times the first playbook was run on the alert.

AlertClosureDetails

JSON representation 
{
  "reason": enum (CloseReason),
  "comment": string,
  "rootCause": string,
  "closingTimeMs": string
}
Fields
reason

enum (CloseReason)

Output only. Alert closure reason.
comment

string

Output only. Alert closure comment.
rootCause

string

Output only. Alert closure root cause.
closingTimeMs

string (int64 format)

Output only. Alert closure time in unix format as milliseconds.

Sla

JSON representation 
{
  "expirationTime": string,
  "criticalExpirationTime": string,
  "expirationStatus": enum (SlaExpirationStatus),
  "remainingTimeSinceLastPause": integer
}
Fields
expirationTime

string (int64 format)

Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration.
criticalExpirationTime

string (int64 format)

Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration.
expirationStatus

enum (SlaExpirationStatus)

Output only. SLA expiration status.
remainingTimeSinceLastPause

integer

Output only. Remaining time since last pause.

InvolvedRelation

JSON representation 
{
  "identifier": string,
  "alertIdentifier": string,
  "caseId": integer,
  "relationType": string,
  "from": {
    object (EntityKey)
  },
  "to": {
    object (EntityKey)
  },
  "deviceProduct": string,
  "deviceVendor": string,
  "categoryOutcome": string,
  "destinationPort": string,
  "eventClassId": string,
  "startTime": string,
  "endTime": string,
  "additionalProperties": string
}
Fields
identifier

string

Required. The identifier of the relation.
alertIdentifier

string

Output only. The identifier of the alert the relation belongs to.
caseId

integer

Output only. The id of the case the relation belongs to.
relationType

string

Output only. The type of the relation.
from

object (EntityKey)

Output only. The source of the relation.
to

object (EntityKey)

Output only. The destination of the relation.
deviceProduct

string

Output only. The product.
deviceVendor

string

Output only. The vendor.
categoryOutcome

string

Output only. The category outcome. Blocked/Allowed/null.
destinationPort

string

Output only. The destination port, if relevant
eventClassId

string

Output only. Event display name. For example: Email Check, Data Exfiltration, IRC etc.
startTime

string (int64 format)

Output only. Start time of the involved relation.
endTime

string (int64 format)

Output only. End time of the involved relation.
additionalProperties

string

Output only. Additional data, stored in JSON format.

EntityKey

JSON representation 
{
  "identifier": string,
  "type": string
}
Fields
identifier

string

Output only. The identifier of the entity.
type

string

Output only. The type of the entity.

AlertTag

JSON representation 
{
  "tag": string
}
Fields
tag

string

Output only. The name of the tag

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌