Tool: list_case_comments
Lists all case comments for a given case in Google SecOps.
Retrieves a paginated list of all comments associated with a specific SOAR case, allowing for a comprehensive overview of the investigation history. This tool is essential for understanding the timeline of a case, reviewing actions taken, and gathering context from analyst notes.
Workflow Integration:
- Used to build a complete timeline of an investigation in a SOAR UI or report.
- Essential for generating audit trails or summaries of case activity for compliance or review.
- Enables analysts to programmatically search and filter through all comments to find relevant information, such as notes from a specific user or comments made during a certain time frame.
- Provides the necessary context for automated playbooks to make decisions based on the history of a case.
Use Cases:
- Generate a complete audit trail of all actions and notes for a specific case to understand the investigation process.
- Find a specific comment by filtering based on the user who wrote it, its content, or other metadata.
- Display a chronological history of comments on a case detail page in a custom security dashboard.
- Automate the process of reviewing cases by searching for keywords in comments.
Filtering and Ordering:
- The 'filter' parameter allows for precise searching within comments. You can filter on fields like 'user', 'comment' content, 'create_time', and more.
- The 'order_by' parameter controls the sorting of the returned comments. You can sort by fields like 'create_time' or 'update_time' in ascending or descending order.
Example Usage:
list_case_comments(projectId='123', region='us', customerId='abc', caseId='456')list_case_comments(projectId='123', region='us', customerId='abc', caseId='456', filter="user='user@example.com'", orderBy="update_time desc")
Next Steps (using MCP-enabled tools):
- Iterate through the list of comments to extract key information or indicators.
- Use 'create_case_comment' to add a new comment to the case based on your findings.
- Use 'get_case_comment' with a comment's resource name to fetch its full details if needed.
The following sample demonstrate how to use curl to invoke the list_case_comments MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "list_case_comments", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }' |
Input Schema
Request message for ListCaseComments. Next ID: 9
ListCaseCommentsRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "caseId": string, "pageSize": integer, "pageToken": string, "filter": string, "orderBy": string } |
| Fields | |
|---|---|
projectId |
Required. Google Cloud project ID. |
customerId |
Required. Chronicle customer ID. |
region |
Required. Chronicle region (e.g., "us", "europe"). |
caseId |
Required. The numeric Case ID to list comments for (e.g., |
pageSize |
The maximum number of comments to return in a single response. If unspecified, the server will use a default page size. The maximum value is 1000. |
pageToken |
A token for fetching a specific page of results. This is obtained from a previous call to list_case_comments. |
filter |
A filter string to apply to the list of comments. Supported fields include 'CreateTime', 'UpdateTime', 'User', 'Comment', 'DeletedByUser', 'IsFavorite', 'AlertIdentifier', and 'IsDeleted'. Example: filter="User='GUID' AND Comment='suspicious'" |
orderBy |
A comma-separated list of fields to sort the results by. Add 'desc' for descending order. Supported fields are the same as for filtering. Example: "CreateTime desc" |
Output Schema
Response message for ListCaseComments.
ListCaseCommentsResponse
| JSON representation |
|---|
{
"caseComments": [
{
object ( |
| Fields | |
|---|---|
caseComments[] |
The list of CaseComments. |
nextPageToken |
A token, which can be sent as |
totalSize |
The total number of CaseComments. |
CaseComment
| JSON representation |
|---|
{ "name": string, "createTime": string, "updateTime": string, "user": string, "comment": string, "deletionInvoker": string, "alertIdentifier": string, "caseAttachment": { object ( |
| Fields | |
|---|---|
name |
Output only. Identifier. The unique name(ID) of the CaseComment. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseComments/{case_comment} |
createTime |
Output only. The timestamp when the comment was created. |
updateTime |
Output only. The timestamp when the comment was last updated. |
user |
Output only. User owner of the comment. |
comment |
Required. The content of the comment. |
deletionInvoker |
Output only. The user who deleted the comment. |
alertIdentifier |
Optional. The alert associated with the comment. |
caseAttachment |
Optional. The attachment associated with the comment. |
userOwnerFullName |
Output only. The user who created the comment. |
lastEditorFullName |
Output only. The user who last edited the comment. |
deletedByUser |
Output only. The user who deleted the comment. |
case |
Optional. The case associated with the comment. |
Union field
|
|
isFavorite |
Optional. Whether the comment is marked as a favorite. |
Union field
|
|
isDeleted |
Output only. Indicates if the comment has been softly deleted. |
CaseAttachment
| JSON representation |
|---|
{ "attachmentBase64": string, "fileType": string, "fileName": string, "fileId": string } |
| Fields | |
|---|---|
attachmentBase64 |
Required. Base64 encoded attachment associated with the comment (if exists). |
fileType |
Required. The file type of the attachment (if exists). |
fileName |
Required. The file name of the attachment (if it exists). |
fileId |
Output only. The file id of the attachment. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌