Tool: update_case
Updates an existing case in Google SecOps.
Modifies various properties of a specific case. Only the fields provided in the arguments will be updated. Note: It is not possible to change the status of a case to 'CLOSED' using this tool. This can only be done via the 'execute_bulk_close_case' tool.
Workflow Integration: - A core function for managing the lifecycle of a security case, used in both manual and automated workflows. - Integrates with UI actions like assigning a case, changing its status, or adding a description. - Essential for automated playbooks that need to update a case's status after performing an action, such as "Case moved to 'Remediation' after host was isolated." - Can be used to synchronize case status with external ticketing or project management systems.
Use Cases: - An analyst assigns a case to themselves or another team member. - A SOC manager escalates a case by changing its priority from "Medium" to "Critical". - A user adds a detailed description or updates the title of a case to better reflect the investigation's findings. - Add or modify tags and products associated with the case.
Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). case_id (str): The numeric ID of the Case to update (e.g., '12345'). This is a required field. display_name (str, optional): The new display name for the case. stage (str, optional): The new stage of the case. The Stage options are: ['Research', 'Improvement', 'Incident', 'Investigation', 'Assessment', 'Triage']. priority (backstory.Priority, optional): The new priority of the case (e.g., "PRIORITY_HIGH", "PRIORITY_CRITICAL"). important (bool, optional): Whether the case is marked as important. incident (bool, optional): Whether the case is marked as an incident. assignee (str, optional): The user or role to assign to the case. description (str, optional): The new description for the case. environment (str, optional): The environment associated with the case. move_environment (google.cloud.chronicle.v1alpha.Case.MoveEnvironment, optional): Details about moving the case to a different environment.
Returns: Case: The updated Case object with the new values. The Case object contains the following key fields: - Name (str): The full resource name of the case. - Id (int): The unique identifier for the case. - DisplayName (str): The title or display name of the case. - Stage (str): The current stage of the case (e.g., "Triage", "Investigation"). - Priority (str): The priority of the case (e.g., "PRIORITY_HIGH"). - Assignee (str): The user or group assigned to the case. - Description (str): A detailed description of the case. - Status (str): The current status of the case (e.g., "OPENED", "CLOSED"). - CreateTime (int): The creation timestamp of the case in milliseconds. - UpdateTime (int): The last update timestamp of the case in milliseconds. - Tags (list of str): A list of tags associated with the case. - Products (list of str): A list of products associated with the case. Returns an error message if the case is not found, the user lacks permission, or the update is invalid.
Example Usage: # Update the assignee and priority of a case update_case( project_id='123', region='us', customer_id='abc', case_id='456', assignee='new_user@example.com', priority='PRIORITY_CRITICAL' )
# Change the stage and add a description
update_case(
project_id='123',
region='us',
customer_id='abc',
case_id='789',
stage='Investigation',
description='Escalated for further investigation due to new IOCs.'
)
# Mark as important
update_case(
project_id='123',
region='us',
customer_id='abc',
case_id='101',
important=True
)
Next Steps (using MCP-enabled tools): - Use 'get_case' with the case's resource name to verify that the case has been updated correctly. - Use 'list_case_comments' to see if any comments were added as part of the update. - Use 'create_case_comment' to add a note explaining why the case was updated.
The following sample demonstrate how to use curl to invoke the update_case MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "update_case", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }' |
Input Schema
Request message for UpdateCase. Next ID: 21
UpdateCaseRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "caseId": string, "tags": [ { object ( |
| Fields | |
|---|---|
projectId |
Project ID of the customer. |
customerId |
Customer ID of the customer. |
region |
Region of the customer. |
caseId |
Case ID of the case to update. |
tags[] |
CaseTags associated with the case. |
products[] |
Products associated with the case. |
Union field
|
|
displayName |
Case to update. |
Union field
|
|
stage |
The stage of the Case. For example, "Triage", "Incident", "Investigation". Stages are defined in "chronicle.googleapis.com/CaseStageDefinition". The default stage option is "Triage". |
Union field
|
|
priority |
Default value is HIGH. Case priority. For example, "Informative", "Low", "Medium", "High", "Critical". |
Union field
|
|
important |
Additional way to specify case importance. The default is false. |
Union field
|
|
incident |
Additional way to specify if the case marked as incident. The default is false. |
Union field
|
|
assignee |
This can be a user or a @SocRole, default value is the default soc-role defined in Settings. |
Union field
|
|
description |
Case description. Limit chars to 1000. |
Union field
|
|
type |
Case type |
Union field
|
|
environment |
Case environment. |
Union field
|
|
moveEnvironment |
Case environment move details. |
Union field
|
|
score |
Attack exposure score, how risky the case. |
Union field
|
|
sla |
SLA for the case. |
Union field
|
|
involvedSuspiciousEntity |
If has involved suspicious entity in the case. |
Union field
|
|
closureDetails |
Case closure details. |
MoveEnvironment
| JSON representation |
|---|
{ "shouldDeleteOldCase": boolean } |
| Fields | |
|---|---|
shouldDeleteOldCase |
Optional. If the case should be deleted on move to the new environment. |
Sla
| JSON representation |
|---|
{
"expirationTime": string,
"criticalExpirationTime": string,
"expirationStatus": enum ( |
| Fields | |
|---|---|
expirationTime |
Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration. |
criticalExpirationTime |
Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration. |
expirationStatus |
Output only. SLA expiration status. |
remainingTimeSinceLastPause |
Output only. Remaining time since last pause. |
CaseTag
| JSON representation |
|---|
{ "displayName": string, "alert": string, // Union field |
| Fields | |
|---|---|
displayName |
Output only. The name of the tag |
alert |
Output only. For tags set by playbook action, this is relevant during MoveAlert. Replaces old property: "Indicator". |
Union field
|
|
priority |
Output only. During ingestion if more than one tag matches the criteria, the one with the priority will be chosen. Available options: 1-5. |
CaseProduct
| JSON representation |
|---|
{ "displayName": string, "alert": string } |
| Fields | |
|---|---|
displayName |
Output only. Display name of the product. |
alert |
Output only. Replaces old property: "AlertIdentifier". |
CaseClosureDetails
| JSON representation |
|---|
{ "reason": enum ( |
| Fields | |
|---|---|
reason |
Output only. Case closure reason. |
rootCause |
Output only. Case closure root cause. |
caseClosedAction |
Output only. Case closed action. |
comment |
Output only. Case closure comment. |
Output Schema
This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. Cases provides analysts a way to investigate incoming security alerts and safeguard workstations. Cases are generated by alerts from the SIEM platform. Further alerts linked to the same entities may be grouped into an existing case based on a flexible configuration. In addition, analysts can create manual cases and simulated cases and ingest specific data.
Case
| JSON representation |
|---|
{ "name": string, "creatorUserId": string, "creatorUser": string, "lastModifyingUserId": string, "lastModifyingUser": string, "createTime": string, "updateTime": string, "displayName": string, "alertCount": integer, "stage": string, "priority": enum ( |
| Fields | |
|---|---|
name |
Identifier. The unique name(ID) of the Case. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case} |
creatorUserId |
Output only. Case creator id. Used for homepage/requests feature. |
creatorUser |
Output only. Resource association for the creator. |
lastModifyingUserId |
Output only. Last user who modified the case. replaced old property name: LastModifyingUser. |
lastModifyingUser |
Output only. Resource association for the modifying user. |
createTime |
Output only. The creation time of the record in milliseconds. |
updateTime |
Output only. The modification time of the record in milliseconds. |
displayName |
Required. Case title, limited to 200 characters. Replaces old property: Title. |
alertCount |
Output only. Alerts in case. |
stage |
Required. The stage of the Case. For example, "Triage", "Incident", "Investigation". Stages are defined in "chronicle.googleapis.com/CaseStageDefinition". The default stage option is "Triage". |
priority |
Required. Default value is HIGH. Case priority. For example, "Informative", "Low", "Medium", "High", "Critical". |
assignee |
Optional. This can be a user or a @SocRole, default value is the default soc-role defined in Settings. |
assignedUser |
Output only. Resource association for the assignee. |
description |
Optional. Case description. Limit chars to 1000. |
type |
Required. Case type. |
environment |
Required. Case logical environments. |
moveEnvironment |
Optional. Case environment move details. |
status |
Output only. Case data status. |
score |
Optional. Attack exposure score, how risky the case. |
workflowStatus |
Output only. Case playbook status. |
sla |
Optional. SLA for the case. |
alertsSla |
Optional. Aggregated alerts SLA. (alert has SLA as well). |
source |
Output only. The source that created the case. Possible values: "Server", "User", "Simulated", "Merge", "AlertMove" |
tags[] |
Optional. CaseTags associated with the case. |
products[] |
Optional. Products associated with the case. Contains Name of product (e.g. WinEventLog:Security/DLP_Product). Replaces old property: "Product". |
closureDetails |
Optional. Case closure details. |
tasks[] |
Output only. Tasks associated with the case. |
Union field
|
|
important |
Optional. Additional way to specify case importance. The default is false. |
Union field
|
|
incident |
Optional. Additional way to specify if the case marked as incident. The default is false. |
Union field
|
|
overflowCase |
Output only. Case without events, was reduced by the connector service due to a large amount of data. During ingestion if the "alert package" crosses a specific threshold, the alert will be trimmed due to security reasons (DDOS attacks, etc..) |
Union field
|
|
involvedSuspiciousEntity |
Optional. If has involved suspicious entity in the case. |
MoveEnvironment
| JSON representation |
|---|
{ "shouldDeleteOldCase": boolean } |
| Fields | |
|---|---|
shouldDeleteOldCase |
Optional. If the case should be deleted on move to the new environment. |
Sla
| JSON representation |
|---|
{
"expirationTime": string,
"criticalExpirationTime": string,
"expirationStatus": enum ( |
| Fields | |
|---|---|
expirationTime |
Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration. |
criticalExpirationTime |
Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration. |
expirationStatus |
Output only. SLA expiration status. |
remainingTimeSinceLastPause |
Output only. Remaining time since last pause. |
CaseTag
| JSON representation |
|---|
{ "displayName": string, "alert": string, // Union field |
| Fields | |
|---|---|
displayName |
Output only. The name of the tag |
alert |
Output only. For tags set by playbook action, this is relevant during MoveAlert. Replaces old property: "Indicator". |
Union field
|
|
priority |
Output only. During ingestion if more than one tag matches the criteria, the one with the priority will be chosen. Available options: 1-5. |
CaseProduct
| JSON representation |
|---|
{ "displayName": string, "alert": string } |
| Fields | |
|---|---|
displayName |
Output only. Display name of the product. |
alert |
Output only. Replaces old property: "AlertIdentifier". |
CaseClosureDetails
| JSON representation |
|---|
{ "reason": enum ( |
| Fields | |
|---|---|
reason |
Output only. Case closure reason. |
rootCause |
Output only. Case closure root cause. |
caseClosedAction |
Output only. Case closed action. |
comment |
Output only. Case closure comment. |
Task
| JSON representation |
|---|
{ "name": string, "id": string, "createTime": string, "updateTime": string, "content": string, "dueTime": string, "title": string, "author": string, "lastAuthor": string, "assignee": string, "status": enum ( |
| Fields | |
|---|---|
name |
Identifier. The unique name(ID) of the task. Format: projects/{project}/locations/{location}/instances/{instance}/tasks/{task} |
id |
Output only. The unique ID of the task. |
createTime |
Output only. The creation time of the task. |
updateTime |
Output only. The last update time of the task. |
content |
Required. The task content, limited to 4096 characters. |
dueTime |
Optional. The due time for the task in ms. When specified during task creation, must be in the future. Is optional as deadlines can exist without a specific scheduled time. |
title |
Required. The task title, minimum length of 3 characters and maximum of 50 characters. |
author |
Output only. The user who created the task. |
lastAuthor |
Output only. The last editor of the task. |
assignee |
Required. The assignee of the task. |
status |
Required. The status of the task. todo change to task startus enum |
resolver |
Output only. The user who resolved the task. |
comment |
Required. Comment added during task resolution, limited to 4096 characters. |
resolutionTime |
Output only. The resolution time of the task in ms. |
caseId |
Optional. Associated case id (if task is related to a specific case) Can be optional as tasks may exist independently or be associated with a specific case. |
Union field
|
|
favorite |
Optional. Determines whether the task is marked as favorite. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌