Tool: update_case_alert
Updates an existing case alert in Google SecOps.
This function modifies the priority, status, or closure_details of a specific alert within a case.
Workflow Integration: - A core function for managing the lifecycle of an alert, used in both manual and automated workflows. - Integrates with UI actions for changing an alert's priority, status (e.g., open, closed), or closing it with details. - Essential for automated playbooks that need to programmatically update an alert's state, such as escalating priority based on new findings or closing an alert after remediation. - Can be used to synchronize alert status and details with external ticketing or project management systems.
Use Cases: - A playbook automatically updates an alert's status to 'CLOSE' and sets closure_details with a reason of 'NOT_MALICIOUS' after automated analysis. - An analyst manually changes the priority of an alert to 'HIGH' based on their assessment. - An analyst updates the status to 'OPEN' to indicate they are actively investigating. - A SOC manager updates the closure_details for a set of related alerts after a breach investigation is complete.
Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). case_id (str): The numeric ID of the parent case containing the alert (e.g., '12345'). case_alert_id (str): The numeric ID of the alert to update (e.g., '12345'). Do NOT use the alert title or identifier string. priority (google.cloud.chronicle.v1alpha.LegacyCasePriority, optional): The new priority for the alert. Possible values are: - UNCHANGED - INFORMATIVE - LOW - MEDIUM - HIGH - CRITICAL status (google.cloud.chronicle.v1alpha.AlertStatus, optional): The new status for the alert. Possible values are: - OPEN - CLOSE closure_details (google.cloud.chronicle.v1alpha.AlertClosureDetails, optional): The closure details object. Providing this typically accompanies setting the status to CLOSE. - reason (enum): The reason for closing the alert (required). One of: - MALICIOUS - NOT_MALICIOUS - MAINTENANCE - INCONCLUSIVE - UNKNOWN - root_cause (str): The root cause of the alert (required). - comment (str): A comment about the alert. Optional.
Returns: CaseAlert: The updated CaseAlert object with the new values. The CaseAlert object contains the following key fields: - Name (str): The full resource name of the alert. - Id (int): The unique identifier for the alert. - DisplayName (str): The title or display name of the alert. - Priority (str): The priority of the alert (e.g., "HIGH"). - Status (str): The current status of the alert (e.g., "OPEN"). - CreateTime (int): The creation timestamp of the alert in milliseconds. - UpdateTime (int): The last update timestamp of the alert in milliseconds. - Product (str): The product that generated the alert. - Vendor (str): The vendor of the product that generated the alert. - RuleGenerator (str): The rule that generated the alert. Returns an error message if the alert is not found, the user lacks permission, or the update is invalid.
Example Usage: # Close a case alert as 'NOT_MALICIOUS' with a comment update_case_alert( project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', status='CLOSE', closure_details={ 'reason': 'NOT_MALICIOUS', 'root_cause': 'Benign activity verified', 'comment': 'Verified benign.' } )
# Update the priority of a case alert update_case_alert( project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', priority='HIGH' )
# Re-open an alert update_case_alert( project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', status='OPEN' )
Next Steps (using MCP-enabled tools): - Use 'get_case_alert' with the alert's resource name to verify that the alert has been updated correctly. - Use 'create_case_comment' to add a note to the parent case explaining why the alert was changed. - Use 'list_case_alerts' to see the updated status of the alert in the context of other alerts in the case.
The following sample demonstrate how to use curl to invoke the update_case_alert MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "update_case_alert", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }' |
Input Schema
Request message for UpdateCaseAlert. Next ID: 10
UpdateCaseAlertRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "caseId": string, "caseAlertId": string, // Union field |
| Fields | |
|---|---|
projectId |
Project ID of the customer. |
customerId |
Customer ID of the customer. |
region |
Region of the customer. |
caseId |
Case ID. |
caseAlertId |
Case alert ID. |
Union field
|
|
priority |
Alert Priority. |
Union field
|
|
status |
Alert status. Changed this line |
Union field
|
|
closureDetails |
Alert closure details. |
AlertClosureDetails
| JSON representation |
|---|
{
"reason": enum ( |
| Fields | |
|---|---|
reason |
Output only. Alert closure reason. |
comment |
Output only. Alert closure comment. |
rootCause |
Output only. Alert closure root cause. |
closingTimeMs |
Output only. Alert closure time in unix format as milliseconds. |
Output Schema
This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. Alerts are tied to data identified as a threat by your security systems. Investigating alerts gives you context about the alert and related entities.
CaseAlert
| JSON representation |
|---|
{ "name": string, "identifier": string, "caseId": integer, "createTime": string, "updateTime": string, "ruleGenerator": string, "sourceGroupingIdentifier": string, "product": string, "displayName": string, "vendor": string, "environment": string, "ticketId": string, "sourceSystemName": string, "closureDetails": { object ( |
| Fields | |
|---|---|
name |
Identifier. The unique name(ID) of the CaseAlert. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert} |
identifier |
Output only. Title + Guid, e.g. ACCESS DISABLED ACCOUNTS_3A0C90F9-A87E-4E94-8727-7884F686ECDA Legacy identifier of alert used across the legacy modules in the system. Char limit: 2100 |
caseId |
Output only. Case associated with the alert. Added for convenience to be used by the UI. |
createTime |
Output only. The creation time of the record in milliseconds. |
updateTime |
Output only. The modification time of the record in milliseconds. |
ruleGenerator |
Output only. Which rule triggered the alert on the third party. This can be any rule defined in the third party Such SIEM, Splunk, CrowdStrike. Characters limit: 250. |
sourceGroupingIdentifier |
Output only. A key on the alert that can be used to group alerts to the same case. Characters limit: 2100 |
product |
Output only. The product associated with the alert. E.g. DLP, WinEventLog:Security |
displayName |
Output only. The display name of the alert. E.g. "DATA EXFILTRATION" |
vendor |
Output only. The vendor of the alert. E.g. "Microsoft". Characters limit: 2100 |
environment |
Output only. The environment of the alert. |
ticketId |
Output only. Third party ticket id, can be originated from SIEM or other tools. E.g. "3a0c90f9-a87e-4e94-8727-7884f686ecda" |
sourceSystemName |
Output only. Which alerting system raises the alert. E.g. "QRadar", "Arcsight", "Microsoft CASB". The Integration Name in soar. |
closureDetails |
Optional. Defines the close reason of an alert if any. |
sla |
Optional. SLA (Service Level Agreement) for the specific alert, used also to calculate aggregate case sla. |
manual |
Output only. Whether the alert was created manually. |
priority |
Optional. Default value is HIGH. |
sourceIdentifier |
Output only. Stores the identifier of the source of the alert, could be a connector identifier etc. |
additionalProperties |
Output only. Stores additional data on specific alerts, currently used by connectors, in JSON format. |
status |
Optional. Alert status. Default value is OPEN. |
startTime |
Output only. When the alert was created on the third party product (SIEM, IPS, etc). |
endTime |
Output only. When the alert was closed on the third party product (SIEM, IPS, etc). |
involvedRelations[] |
Output only. All involved relations for the alert. Directional connection between entities in a given alert. |
siemAlertId |
Output only. The identifier of the alert int SIEM. |
sourceUrl |
Output only. The source URL of the alert. |
sourceRuleUrl |
Output only. The source rule URL of the alert. |
sourceSystemUrl |
Output only. The source system URL. |
sourceRuleIdentifier |
Output only. The source rule identifier. |
playbookStatus |
Output only. Alert playbook status. |
attachedPlaybookName |
Output only. The attached playbook name. |
nestingDepth |
Output only. The nesting depth of the alert. |
alertGroupIdentifier |
Output only. The alert group identifier. |
eventCount |
Output only. The number of events that triggered the alert. |
Union field
|
|
playbookRunCount |
Output only. The number of times the first playbook was run on the alert. |
AlertClosureDetails
| JSON representation |
|---|
{
"reason": enum ( |
| Fields | |
|---|---|
reason |
Output only. Alert closure reason. |
comment |
Output only. Alert closure comment. |
rootCause |
Output only. Alert closure root cause. |
closingTimeMs |
Output only. Alert closure time in unix format as milliseconds. |
Sla
| JSON representation |
|---|
{
"expirationTime": string,
"criticalExpirationTime": string,
"expirationStatus": enum ( |
| Fields | |
|---|---|
expirationTime |
Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration. |
criticalExpirationTime |
Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration. |
expirationStatus |
Output only. SLA expiration status. |
remainingTimeSinceLastPause |
Output only. Remaining time since last pause. |
InvolvedRelation
| JSON representation |
|---|
{ "identifier": string, "alertIdentifier": string, "caseId": integer, "relationType": string, "from": { object ( |
| Fields | |
|---|---|
identifier |
Required. The identifier of the relation. |
alertIdentifier |
Output only. The identifier of the alert the relation belongs to. |
caseId |
Output only. The id of the case the relation belongs to. |
relationType |
Output only. The type of the relation. |
from |
Output only. The source of the relation. |
to |
Output only. The destination of the relation. |
deviceProduct |
Output only. The product. |
deviceVendor |
Output only. The vendor. |
categoryOutcome |
Output only. The category outcome. Blocked/Allowed/null. |
destinationPort |
Output only. The destination port, if relevant |
eventClassId |
Output only. Event display name. For example: Email Check, Data Exfiltration, IRC etc. |
startTime |
Output only. Start time of the involved relation. |
endTime |
Output only. End time of the involved relation. |
additionalProperties |
Output only. Additional data, stored in JSON format. |
EntityKey
| JSON representation |
|---|
{ "identifier": string, "type": string } |
| Fields | |
|---|---|
identifier |
Output only. The identifier of the entity. |
type |
Output only. The type of the entity. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌