MCP Tools Reference: chronicle.googleapis.com

Tool: `validate_rule`

Validate YARA-L 2.0 rule text syntax and compilation in Chronicle SIEM.

Verifies the syntax and compilation of a YARA-L 2.0 detection rule without creating or deploying it. This tool checks for syntax errors, compilation issues, and other problems that would prevent the rule from functioning correctly when deployed.

Workflow Integration:

Essential validation step during rule development before creating or updating rules.
Use to catch syntax errors and compilation issues early in the development process.
Helps ensure rule quality and reduces deployment failures in production environments.
Can be integrated into CI/CD pipelines for automated rule validation.

Use Cases:

Validate new YARA-L rule syntax before attempting to create the rule in Chronicle.
Check existing rule modifications for syntax errors before deployment.
Troubleshoot rule compilation issues during development or debugging.
Verify rule syntax as part of automated testing or quality assurance processes.
Validate rule text copied from external sources or documentation.

Agent Responsibilities:

Provide the complete YARA-L rule text to be validated.
Parse the JSON response to check the 'success' field and examine any messages in 'compilationDiagnostics'.

Example Usage:

validate_rule(ruleText=rule_text, projectId="my-project", customerId="my-customer", region="us")

Next Steps (using MCP-enabled tools):

If validation succeeds, use 'test_rule' to test the rule against historical data.
If validation fails, review the messages in 'compilationDiagnostics' and fix syntax errors in the rule_text.
Once validated and tested, use 'create_rule' to deploy the rule to Chronicle.
Use 'list_rule_errors' after deployment to monitor for runtime issues.

The following sample demonstrate how to use curl to invoke the validate_rule MCP tool.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "validate_rule", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }'

Curl Request

                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "validate_rule",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for VerifyRuleText.

VerifyRuleTextRequest

JSON representation
{ "projectId": string, "customerId": string, "region": string, "rule": string }

Fields
`projectId`	`string` Required. Google Cloud project ID.
`customerId`	`string` Required. Chronicle customer ID.
`region`	`string` Required. Chronicle region (e.g., "us", "europe").
`rule`	`string` Complete YARA-L 2.0 rule definition to validate. This should include rule metadata, events, and conditions sections.

Output Schema

Response message for VerifyRuleText method.

VerifyRuleTextResponse

JSON representation
{ "success": boolean, "compilationDiagnostics": [ { object (`CompilationDiagnostic`) } ] }

Fields

Fields
`success`	`boolean` Whether or not the rule text was successfully verified.
`compilationDiagnostics[]`	`object (CompilationDiagnostic)` A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings.

success

boolean

Whether or not the rule text was successfully verified.

compilationDiagnostics[]

object (CompilationDiagnostic)

A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings.

CompilationDiagnostic

JSON representation
{ "message": string, "position": { object (`CompilationPosition`) }, "severity": enum (`Severity`), "uri": string }

Fields
`message`	`string` Output only. The diagnostic message.
`position`	`object (CompilationPosition)` Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty.
`severity`	`enum (Severity)` Output only. The severity of a rule's compilation diagnostic.
`uri`	`string` Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

JSON representation
{ "startLine": integer, "startColumn": integer, "endLine": integer, "endColumn": integer }

Fields
`startLine`	`integer` Output only. Start line number, beginning at 1.
`startColumn`	`integer` Output only. Start column number, beginning at 1.
`endLine`	`integer` Output only. End line number, beginning at 1.
`endColumn`	`integer` Output only. End column number, beginning at 1.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌

MCP Tools Reference: chronicle.googleapis.com Stay organized with collections Save and categorize content based on your preferences.

Tool: validate_rule