MCP Tools Reference: chronicle.googleapis.com

Tool: list_connector_events

Lists all connector events for a given case alert in Chronicle SIEM.

Retrieves a paginated list of all connector events associated with a specific SOAR case alert, allowing for a comprehensive overview of the events related to an investigation.

Workflow Integration:

  • Used to populate a list of connector events in the SOAR UI for a given case alert.
  • Essential for automated playbooks that need to iterate through all events in a case alert.
  • Enables an analyst to quickly see all related events when starting an investigation.

Use Cases:

  • Display all connector events on a case alert detail page.
  • A playbook iterates through all events to check for specific indicators.
  • Generate a report summarizing all events associated with a case alert.

Example Usage:

  • list_connector_events(projectId='123', region='us', customerId='abc', caseId='456', caseAlertId='789')
  • list_connector_events(projectId='123', region='us', customerId='abc', caseId='456', caseAlertId='789', expandEventJsonData=true)

Next Steps (using MCP-enabled tools):

  • Iterate through the list to get details on individual events using 'get_connector_event', potentially also with expandEventJsonData=true.
  • Suggest enabling 'expandEventJsonData' to get the full event details.
  • If 'eventJsonData' was expanded, parse the JSON content to extract specific fields like hostnames, user IDs, process names, hashes and others for further analysis or enrichment.

The following sample demonstrate how to use curl to invoke the list_connector_events MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_connector_events",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListConnectorEvents.

ListConnectorEventsRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "caseAlertId": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string,
  "expandEventJsonData": boolean
}
Fields
projectId

string

Required. Google Cloud project ID.
customerId

string

Required. Chronicle customer ID.
region

string

Required. Chronicle region (e.g., "us", "europe").
caseId

string

The Case ID of the case alert.
caseAlertId

string

The Case Alert ID to list connector events for.
pageSize

integer

The maximum number of ConnectorEvents to return. The service may return fewer than this value. If unspecified, at most 50 ConnectorEvents will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.
pageToken

string

A page token, received from a previous ListConnectorEvents call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListConnectorEvents must match the call that provided the page token.
filter

string

A filter to apply to the list of ConnectorEvents. Supported filter fields: * entity_identifier: Filter by the user-facing name. * entity_type: Filter by the entity type. * action: Filter by the action. * environments_json: Filter by the environments. Example: filter="entity_identifier='ConnectorEvent 1'"
orderBy

string

Configures ordering of ConnectorEvents in the response. If not specified, ConnectorEvents are returned in descending order of their create time. The default ordering is by create time in descending order. The order_by string is a comma separated list of fields. Supported fields: * entity_identifier
expandEventJsonData

boolean

Whether to expand the eventJsonData field. Defaults to false.

Output Schema

Response message for ListConnectorEvents.

ListConnectorEventsResponse

JSON representation 
{
  "connectorEvents": [
    {
      object (ConnectorEvent)
    }
  ],
  "nextPageToken": string,
  "totalSize": integer
}
Fields
connectorEvents[]

object (ConnectorEvent)

The list of ConnectorEvents. Ordered by Id by default.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.
totalSize

integer

The total number of ConnectorEvents.

ConnectorEvent

JSON representation 
{
  "name": string,
  "createTime": string,
  "updateTime": string,
  "alertIdentifier": string,
  "environment": string,
  "eventIdentifier": string,
  "alertGroupIdentifier": string,
  "mappedEventJson": string,
  "eventJsonData": {
    object (RawEventData)
  },
  "caseId": string,
  "id": string
}
Fields
name

string

Identifier. The resource name of the ConnectorEvent. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/connectorEvents/{connector_event}
createTime

string (int64 format)

Output only. The create_time of the ConnectorEvent.
updateTime

string (int64 format)

Output only. The update_time of the ConnectorEvent.
alertIdentifier

string

Output only. The alert_identifier of the ConnectorEvent.
environment

string

Output only. The environment of the ConnectorEvent.
eventIdentifier

string

Output only. The event_identifier of the ConnectorEvent.
alertGroupIdentifier

string

Output only. The alert_group_identifier of the ConnectorEvent.
mappedEventJson

string

Output only. The mapped_event_json of the ConnectorEvent.
eventJsonData

object (RawEventData)

Output only. The raw_event of the ConnectorEvent.
caseId

string (int64 format)

Output only. The case_id of the ConnectorEvent.
id

string (int64 format)

Output only. The id of the ConnectorEvent.

RawEventData

JSON representation 
{
  "rawEvent": string
}
Fields
rawEvent

string

Output only. The raw event of the ConnectorEvent.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌