Tool: translate_udm_query
Translates a natural language question or statement into a Chronicle UDM search query.
Use this tool to convert a human-readable search description into the UDM query syntax required by the udm_search tool. This tool calls the Chronicle API AiService.TranslateUDMQuery.
Agent Responsibilities:
- Provide the natural language text to be translated in the 'text' argument.
- Parse the raw JSON response.
- Extract the UDM query string from the 'query' field.
- Extract any suggested time range from the 'timeRange' field (see the output schema below; it contains 'startTime' and 'endTime').
- Check the 'message' field for any warnings or errors from the translation service.
Example Usage:
translate_udm_query(text="Show me all network traffic from IP 192.0.2.10 last Tuesday", projectId="my-project", customerId="my-customer", region="us")
translate_udm_query(text="Find events for user 'testuser'", projectId="my-project", customerId="my-customer", region="us")
Next Steps (using MCP-enabled tools):
- Use the output 'query' and 'timeRange' as inputs to the udm_search tool to execute the search.
- If the 'query' is null or the 'message' indicates issues, refine the natural language 'text' and try again.
The following sample demonstrates how to invoke the translate_udm_query MCP tool with curl.
Curl Request

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "translate_udm_query",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
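The agent responsibilities and next steps above describe one procedure: build the tools/call request with all four arguments, read the response, pull out 'query', 'timeRange' and 'message', and either run udm_search or go back and refine the text. The following Python client walks through that procedure end to end. It is an added example, not Google's code and not part of the original page, and it rests on assumptions the page does not state: the endpoint answers with either a plain JSON-RPC body or SSE frames (the curl sample accepts both content types), the tool's JSON output travels in result.structuredContent or in result.content[0].text, and a real call would carry an OAuth bearer token (the curl sample shows none, and its `//` placeholder must be replaced with real arguments, since JSON does not allow comments). Every sample response, including the UDM query strings, is constructed for the example. Two points matter for a practitioner: the translated query is model output, so its presence is checked and any 'message' is surfaced rather than dropped, and a missing 'timeRange' falls back to a window the agent chooses instead of becoming an unbounded search.

```python
"""Agent-side client for the translate_udm_query MCP tool (added example, not Google's code)."""
import json
import re
from datetime import datetime, timedelta, timezone

MCP_URL = "https://chronicle.googleapis.com/mcp"  # endpoint from the page's curl sample


def build_translate_request(text, project_id, customer_id, region, request_id=1):
    """JSON-RPC 2.0 tools/call envelope with all four documented arguments filled in."""
    return {
        "jsonrpc": "2.0", "id": request_id, "method": "tools/call",
        "params": {"name": "translate_udm_query",
                   "arguments": {"text": text, "projectId": project_id,
                                 "customerId": customer_id, "region": region}},
    }


def parse_mcp_body(raw):
    """Return the JSON-RPC message from a plain JSON body or from SSE 'data:' frames (assumed framing)."""
    body = raw.strip()
    if body.startswith("{"):
        return json.loads(body)
    frames = [ln[5:].strip() for ln in body.splitlines() if ln.startswith("data:")]
    if not frames:
        raise ValueError("no JSON-RPC message in response body")
    return json.loads(frames[-1])  # the final frame carries the tool result


_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d{1,9})?(Z|[+-]\d{2}:\d{2})$")


def parse_rfc3339(value):
    """RFC 3339 string -> aware UTC datetime; accepts 0-9 fractional digits and non-Z offsets."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not RFC 3339: {value!r}")
    base, frac, tz = m.groups()
    micros = int((frac[1:] + "000000")[:6]) if frac else 0  # nanoseconds truncated to microseconds
    naive = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros)
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def extract_translation(rpc):
    """Pull query, time range and message out of a tools/call result; raise on transport/tool errors."""
    if "error" in rpc:
        err = rpc["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = rpc["result"]
    if result.get("isError"):
        raise RuntimeError("tool reported isError")
    output = result.get("structuredContent")
    if output is None:  # assumed envelope: JSON text inside the content array
        texts = [c["text"] for c in result.get("content", []) if c.get("type") == "text"]
        output = json.loads(texts[0]) if texts else {}
    rng = output.get("timeRange") or output.get("time_range") or {}  # accept either spelling
    start = parse_rfc3339(rng["startTime"]) if "startTime" in rng else None
    end = parse_rfc3339(rng["endTime"]) if "endTime" in rng else None
    if start and end and start >= end:
        raise ValueError("timeRange.startTime must precede the exclusive endTime")
    return {"query": output.get("query") or None, "start": start, "end": end,
            "message": output.get("message")}


def _z(dt):
    return dt.isoformat().replace("+00:00", "Z")


def plan_udm_search(translation, fallback_window):
    """Decide the next step. A null query means refine; a missing timeRange gets the fallback window."""
    if not translation["query"]:
        return {"action": "refine_text",
                "reason": translation["message"] or "translation returned no query"}
    start, end = translation["start"], translation["end"]
    if start is None or end is None:
        start, end = fallback_window
    return {"action": "udm_search", "query": translation["query"],
            "startTime": _z(start), "endTime": _z(end),
            "message": translation["message"]}  # surface low-confidence warnings to the user


# --- constructed sample responses (not captured from the real service) ---
def _sse(tool_output, request_id=1):
    rpc = {"jsonrpc": "2.0", "id": request_id,
           "result": {"content": [{"type": "text", "text": json.dumps(tool_output)}]}}
    return "event: message\ndata: " + json.dumps(rpc) + "\n\n"


SAMPLE_OK = _sse({"query": 'principal.ip = "192.0.2.10"',
                  "timeRange": {"startTime": "2024-05-07T00:00:00Z",
                                "endTime": "2024-05-08T00:00:00Z"}})
SAMPLE_NO_RANGE = _sse({"query": 'principal.user.userid = "testuser"',
                        "message": "Low confidence: no time range was specified."})
SAMPLE_FAILED = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "structuredContent": {"query": None, "message": "Could not translate the request."}}})
FALLBACK_WINDOW = (datetime(2024, 5, 1, tzinfo=timezone.utc),
                   datetime(2024, 5, 8, tzinfo=timezone.utc))  # agent-chosen default window

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_NO_RANGE, SAMPLE_FAILED):
        print(plan_udm_search(extract_translation(parse_mcp_body(raw)), FALLBACK_WINDOW))
```

The interval check mirrors the schema: startTime is inclusive and endTime exclusive, so an interval whose start is not strictly before its end is rejected before it reaches udm_search. The fallback window is deliberately a parameter rather than "all time" so that a low-confidence translation cannot silently turn into a full-history scan.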
Input Schema
Request message for TranslateUDMQuery.
TranslateUDMQueryRequest
JSON representation

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "text": string
}
```
| Field | Description |
|---|---|
| projectId | Google Cloud project ID. Defaults to environment configuration. |
| customerId | Chronicle customer ID. Defaults to environment configuration. |
| region | Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. |
| text | Natural language description of the events you want to find. |
Output Schema
Response message for TranslateUDMQuery.
TranslateUDMQueryResponse
JSON representation

```
{
  "query": string,
  "timeRange": {
    object (Interval)
  },
  "message": string
}
```
| Field | Description |
|---|---|
| query | Translated UDM Search query (if successful). |
| timeRange | Optional. Translated time range (if the user specified a time range). |
| message | Optional. Message to be shown to the user, e.g. if the translation was unsuccessful or if confidence is low. |
Interval
JSON representation

```
{
  "startTime": string,
  "endTime": string
}
```

| Field | Description |
|---|---|
| startTime | Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same as or after the start. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| endTime | Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Timestamp
In the JSON representation above, Interval's startTime and endTime are serialized as RFC 3339 strings; the seconds/nanos pair below is the underlying protobuf Timestamp type those strings represent.

JSON representation

```
{
  "seconds": string,
  "nanos": integer
}
```

| Field | Description |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the timestamp, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌