MCP Tools Reference: chronicle.googleapis.com

Tool: list_rule_errors

Lists execution errors for a specific Chronicle SIEM rule.

Helps in troubleshooting rules that might not be generating detections as expected or are failing during execution.

Agent Responsibilities: - Parse the JSON response to extract the list from the ruleExecutionErrors key. - Handle the nextPageToken for pagination if more results exist.

Workflow Integration: - Rule Troubleshooting: If a rule is not producing expected detections or alerts, check for execution errors. - Rule Development: After deploying a new or modified rule, check for errors to ensure it's syntactically correct and running properly. - SIEM Health Monitoring: Periodically check for rules with high error counts to maintain SIEM operational health.

Use Cases: - Investigate why a specific rule (e.g., "ru_...") has not generated any detections. - Check for errors after modifying and saving a YARA-L rule. - Get details of compilation or runtime errors for a given rule version.

Args: rule_id (str): Unique ID of the rule to list errors for. Examples: "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (latest version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890" (specific version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@-" (all versions). project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). page_size (Optional[int]): The maximum number of errors to return. Defaults to 1000. page_token (Optional[str]): A page token received from a previous call.

Returns: str: Raw JSON response from the API, containing a list of 'ruleExecutionErrors' and potentially a 'nextPageToken'. The agent must parse this response.

Example Usage: # List errors for the latest version of a rule list_rule_errors( rule_id="ru_12345678-1234-1234-1234-1234567890ab", project_id="my-project", customer_id="my-customer", region="us" )

# List errors for a specific rule revision
        list_rule_errors(
            rule_id="ru_12345678-1234-1234-1234-1234567890ab@v_abcdef_123456",
            project_id="my-project",
            customer_id="my-customer",
            region="us",
            page_size=10
        )

        # List errors for all revisions of a rule
        list_rule_errors(
            rule_id="ru_12345678-1234-1234-1234-1234567890ab@-",
            project_id="my-project",
            customer_id="my-customer",
            region="us"
        )

Next Steps (using MCP-enabled tools): - Review Rule Code: If errors are found, retrieve the rule definition using get_rule with the specific rule_id and revision. - Validate Rule Syntax: Use validate_rule to check for syntax issues in the rule text. - Modify Rule: Correct the rule based on error messages and update it using create_rule (as there's no update function). - Re-test: Use test_rule to verify the fix.

The following sample demonstrate how to use curl to invoke the list_rule_errors MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_rule_errors",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListRuleExecutionErrors.

ListRuleExecutionErrorsRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "ruleId": string,
  "pageSize": integer,
  "pageToken": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
ruleId

string

Rule ID of the rule execution errors to list.
pageSize

integer

The maximum number of rule execution errors to return. The service may return fewer than this value. If unspecified, at most 1000 rule execution errors will be returned. The maximum value is 10000; values above 10000 will be coerced to 10000.
pageToken

string

A page token, received from a previous ListRuleExecutionErrors call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListRuleExecutionErrors must match the call that provided the page token.

Output Schema

Response message for ListRuleExecutionErrors.

ListRuleExecutionErrorsResponse

JSON representation 
{
  "ruleExecutionErrors": [
    {
      object (RuleExecutionError)
    }
  ],
  "nextPageToken": string
}
Fields
ruleExecutionErrors[]

object (RuleExecutionError)

List of rule execution errors.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

RuleExecutionError

JSON representation 
{
  "name": string,
  "error": {
    object (Status)
  },
  "timeRange": {
    object (Interval)
  },

  // Union field source can be only one of the following:
  "rule": string,
  "curatedRule": string
  // End of list of possible types for union field source.
}
Fields
name

string

Output only. The resource name of the rule execution error. Format: projects/{project}/locations/{location}/instances/{instance}/ruleExecutionErrors/{rule_execution_error}
error

object (Status)

Output only. The error status corresponding with the rule execution error.
timeRange

object (Interval)

Output only. The event time range that the rule execution error corresponds with.
Union field source. The resource name of the source that generated the rule execution error. source can be only one of the following:
rule

string

Output only. The resource name of the rule that generated the rule execution error.
curatedRule

string

Output only. The resource name of the curated rule that generated the rule execution error.

Status

JSON representation 
{
  "code": integer,
  "message": string,
  "details": [
    {
      "@type": string,
      field1: ...,
      ...
    }
  ]
}
Fields
code

integer

The status code, which should be an enum value of google.rpc.Code.
message

string

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.
details[]

object

A list of messages that carry the error details. There is a common set of message types for APIs to use.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

Any

JSON representation 
{
  "typeUrl": string,
  "value": string
}
Fields
typeUrl

string

Identifies the type of the serialized Protobuf message with a URI reference consisting of a prefix ending in a slash and the fully-qualified type name.

Example: type.googleapis.com/google.protobuf.StringValue

This string must contain at least one / character, and the content after the last / must be the fully-qualified name of the type in canonical form, without a leading dot. Do not write a scheme on these URI references so that clients do not attempt to contact them.

The prefix is arbitrary and Protobuf implementations are expected to simply strip off everything up to and including the last / to identify the type. type.googleapis.com/ is a common default prefix that some legacy implementations require. This prefix does not indicate the origin of the type, and URIs containing it are not expected to respond to any requests.

All type URL strings must be legal URI references with the additional restriction (for the text format) that the content of the reference must consist only of alphanumeric characters, percent-encoded escapes, and characters in the following set (not including the outer backticks): /-.~_!$&()*+,;=. Despite our allowing percent encodings, implementations should not unescape them to prevent confusion with existing parsers. For example, type.googleapis.com%2FFoo should be rejected.

In the original design of Any, the possibility of launching a type resolution service at these type URLs was considered but Protobuf never implemented one and considers contacting these URLs to be problematic and a potential security issue. Do not attempt to contact type URLs.
value

string (bytes format)

Holds a Protobuf serialization of the type described by type_url.

A base64-encoded string.

Interval

JSON representation 
{
  "startTime": string,
  "endTime": string
}
Fields
startTime

string (Timestamp format)

Optional. Inclusive start of the interval.

If specified, a Timestamp matching this interval will have to be the same or after the start.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
endTime

string (Timestamp format)

Optional. Exclusive end of the interval.

If specified, a Timestamp matching this interval will have to be before the end.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌