MCP Tools Reference: chronicle.googleapis.com

string

Project ID of the customer.

string

Customer ID of the customer.

string

Region of the customer.

string

The unique ID of the feed.

object (Feed)

The feed to update.

string (FieldMask format)

The fields to update.

This is a comma-separated list of fully qualified names of fields. Example: "user.displayName,photo".

string

The resource name of the feed. Format: projects/{project}/locations/{location}/instances/{instance}/feeds/{feed}

string

Output only. Unique identifier for the feed.

string

Customer-provided feed name.

object (FeedDetails)

Additional details of the feed, these details are dynamic and will be different for each of the feeds.

enum (State)

Output only. State of the feed.

string

Output only. Details about the most recent failure when feed state is FAILED.

boolean

Output only. Whether this feed can be updated or deleted.

string (Timestamp format)

Output only. Latest timestamp when the transfer was successful for the feed.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

object (FeedFailureDetails)

Output only. Failure details for the feed. If the feed is in the failure state, this field will contain the details of the error cause and actions.

string

Output only. Reference ID, this field will contain the legacy id of the feed.

enum (FeedSourceType)

Source Type of the feed.

string

LogType. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{log_type}

string

The asset namespace to apply to all logs ingested through this feed.

map (key: string, value: string)

The ingestion metadata labels to apply to all logs ingested through this feed, and the resulting normalized data.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

enum (STSMigrationReadiness)

Optional. The status of the feed's migration to STS.

object (AnomaliIocSettings)

Anomali IOC settings.

object (AzureADContextSettings)

Azure AD Context settings.

object (CloudPassageSettings)

Cloud Passage settings.

object (CortexXDRSettings)

Cortex XDR settings.

object (DuoAuthSettings)

Duo Auth settings.

object (DuoUserContextSettings)

Duo User Context settings.

object (MicrosoftGraphAlertSettings)

Microsoft Graph Alert settings.

object (MicrosoftSecurityCenterAlertSettings)

Microsoft Security center alert settings.

object (MimecastMailSettings)

Mimecast mail settings.

object (Office365Settings)

Office 365 settings.

object (ProofpointMailSettings)

Proofpoint mail settings.

object (RecordedFutureIocSettings)

Recorded Future IOC settings.

object (WorkdaySettings)

Workday settings.

object (PanIocSettings)

PAN IOC settings.

object (OktaSettings)

Okta settings.

object (OktaUserContextSettings)

Okta user context settings.

object (FoxITStixSettings)

Fox-IT STIX settings.

object (ThreatConnectIoCSettings)

ThreatConnect IOC settings.

object (ServiceNowCMDBSettings)

ServiceNow CMDB settings.

object (ImpervaWAFSettings)

Imperva WAF settings.

object (ThinkstCanarySettings)

Thinkst Canary settings.

object (RHIsacIocSettings)

RH-ISAC IOC settings.

object (Rapid7InsightSettings)

Rapid7 Insight settings.

object (SalesforceSettings)

Salesforce settings.

object (NetskopeAlertSettings)

Netskope alert settings.

object (AzureMDMIntuneSettings)

Azure MDM Intune settings.

object (AzureADSettings)

Azure AD settings.

object (ProofpointOnDemandSettings)

Proofpoint On-Demand settings.

object (WorkspaceUsersSettings)

Workspace users settings.

object (WorkspaceActivitySettings)

Workspace activity settings.

object (WorkspaceAlertsSettings)

Workspace alerts settings.

object (WorkspacePrivilegesSettings)

Workspace privileges settings.

object (WorkspaceMobileSettings)

Workspace mobile settings.

object (WorkspaceChromeOSSettings)

Workspace ChromeOS settings.

object (WorkspaceGroupsSettings)

Workspace Groups settings.

object (AzureADAuditSettings)

Azure AD Audit settings.

object (SymantecEventExportSettings)

Symantec Event Export settings.

object (QualysVMSettings)

Qualys VM settings

object (PanPrismaCloudSettings)

PAN Prisma Cloud settings.

object (GoogleCloudStorageSettings)

Google Cloud Storage settings.

object (HttpSettings)

HTTP settings.

object (SftpSettings)

SFTP settings.

object (AmazonS3Settings)

Amazon S3 settings.

object (AzureBlobStoreSettings)

Azure Blob Storage settings.

object (AmazonSQSSettings)

Amazon SQS settings.

object (GoogleCloudIdentityDevicesSettings)

Google Cloud Identity Devices settings.

object (GoogleCloudIdentityDeviceUsersSettings)

Google Cloud Identity Device Users settings.

object (CrowdStrikeDetectsSettings)

CrowdStrike Detects API settings.

object (MandiantIoCSettings)

Mandiant IOC settings.

object (SentineloneAlertSettings)

SentinelOne Alert settings.

object (QualysScanSettings)

Qualys Scan Settings

object (PubsubSettings)

Pub/Sub settings.

object (AmazonKinesisFirehoseSettings)

Amazon Kinesis Firehose settings.

object (WebhookSettings)

Webhook settings.

object (DummyLogTypeSettings)

DummyLogType Settings.

object (HttpsPushGoogleCloudPubSubSettings)

Https push Google Pub/Sub settings.

object (HttpsPushAmazonKinesisFirehoseSettings)

Https push Amazon Kinesis Firehose settings.

object (HttpsPushWebhookSettings)

Https push Webhook settings.

object (AWSEC2HostsSettings)

AWS EC2 Hosts settings.

object (AWSEC2InstancesSettings)

AWS EC2 Instances settings.

object (AWSEC2VpcsSettings)

AWS EC2 Vpcs settings.

object (AWSIAMSettings)

AWS IAM settings.

object (NetskopeAlertV2Settings)

Netskope alert V2 settings.

object (GoogleCloudStorageV2Settings)

Settings for Google Cloud Storage Omniflow feeds.

object (AmazonS3V2Settings)

Settings for S3 Omniflow feeds.

object (AmazonSQSV2Settings)

Settings for SQS Omniflow feeds.

object (AzureEventHubSettings)

Settings for Omniflow based native ingestion from azure event hub.

object (TrellixHxHostsSettings)

Settings for Trellix HX Host Metadata.

object (AzureBlobStoreV2Settings)

Settings for Azure Blobstore Omniflow feeds.

object (TrellixHxAlertsSettings)

Settings for Trellix HX Alerts Metadata.

object (GoogleCloudStorageEventDrivenSettings)

Settings for Omniflow based Google Cloud Storage event driven feeds.

object (CrowdStrikeAlertsSettings)

CrowdStrike Alerts API settings.

object (TrellixHxBulkAcqsSettings)

Settings for Trellix HX Bulk Acquisitions Metadata.

object (MimecastMailV2Settings)

Required. Mimecast mail v2 settings.

object (ThreatConnectIoCV3Settings)

Threat Connect IOC V3 settings.

object (UsernameSecretAuth)

Input only. Authentication.

string

Username of an identity used for authentication.

string

Secret of the account identified by user_name.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

boolean

Whether to retrieve device information in user context.

boolean

Whether to retrieve group information in user context.

string

Tenant ID.

string

API Hostname.

string

API Auth Endpoint.

string

Client ID.

string

Client secret.

object (UsernameSecretAuth)

Input only. Authentication.

string

Event types filter for the events API.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

string

API Endpoint.

object (HeaderKeyValue)

Header key-value pairs.

string

Key.

string

Value.

object (UsernameSecretAuth)

Input only. Authentication.

string

API Hostname.

object (UsernameSecretAuth)

Input only. Authentication.

string

API hostname.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

string

Tenant ID.

string

API Hostname.

string

API Auth Endpoint.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

string

Subscription ID of the Microsoft security center alert settings alert.

string

Tenant ID.

string

API Hostname.

string

API Auth Endpoint.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

string

Tenant ID.

enum (ContentType)

Supported office 365 content type.

string

API Hostname.

string

API Auth Endpoint.

object (UsernameSecretAuth)

Input only. Authentication.

object (HttpHeaderAuth)

Input only. Authentication.

object (WorkdayAuth)

Input only. Authentication.

string

API Hostname.

string

Tenant ID.

string

Username. This is unused: Workday feeds were originally configured using a username and secret authentication method, but only the secret field was used, and it was used to supply the OAuth access token.

string

The access token used to authenticate against Workday. This field is called "secret" to maintain backwards compatibility. Workday was (only) configured using username (which was unused) and secret (which is used as the access token). Either this field or all of the other OAuth fields below must be specified.

string

Token endpoint to get the OAuth token from.

string

Client ID.

string

Client Secret.

string

Refresh Token.

object (HttpHeaderAuth)

Input only. Authentication.

string

PAN IOC feed ID.

string

PAN IOC feed name.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

string

Manager id reference field.

object (UsernameSecretAuth)

Input only. Authentication.

object (SSLClientKeypair)

SSL client key pair.

string

TAXII poll service URI.

string

Collection available at the poll service.

string

The encoded private key. The string should be a private key in PEM format, and should include the begin header and end footer lines. It may also include newlines.

Example: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F23074E02CF47304

-----END RSA PRIVATE KEY-----

string

The encoded SSL certificate. The string should be an SSL certificate in PEM format, and should include the begin header and end footer lines. It may also include newlines.

Example: -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----

object (UsernameSecretAuth)

Input only. Authentication.

string

API Hostname.

string

Owners.

object (UsernameSecretAuth)

Input only. Authentication.

string

API Hostname.

string

Feedname.

object (HttpHeaderAuth)

Input only. Authentication.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

object (OAuthClientCredentials)

Input only. Authentication.

string

Token endpoint.

string

Client ID.

string

Client secret.

object (HttpHeaderAuth)

Input only. Authentication.

string

Rapid7 API endpoint. Should be "vulnerabilities" or "assets".

string

API Hostname.

string

API hostname.

object (OAuthPasswordGrantCredentials)

Input only. OAuthPasswordGrantCredentials auth.

object (OAuthJWTCredentials)

Input only. OAuthJWTCredentials auth.

string

Token endpoint to get the OAuth token from.

string

Client ID.

string

Client secret.

string

Username.

string

Password.

string

Token endpoint to get the OAuth token from.

object (Claims)

Claims.

object (RSCredentials)

RS credentials.

string

Private key in PEM format.

string

Issuer. Usually the client_id.

string

Subject. Usually the email.

string

Audience.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

string

Feedname.

string

Content type.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

string

Tenant ID.

string

API Hostname.

string

API Auth Endpoint.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

string

Tenant ID.

string

API Hostname.

string

API Auth Endpoint.

object (HttpHeaderAuth)

Input only. Authentication.

string

Cluster ID.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

enum (ProjectionType)

Optional. Projection Type.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

string

Applications.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

object (OAuthJWTCredentials)

Input only. Authentication.

string

Customer ID.

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

string

Tenant ID.

string

API Hostname.

string

API Auth Endpoint.

object (OAuthRefreshToken)

Input only. Authentication.

string

Token endpoint to get the OAuth token from.

string

Client ID.

string

Client secret.

string

Refresh token.

object (UsernameSecretAuth)

Input only. Authentication.

string

API Hostname.

object (PanPrismaAuth)

Input only. Authentication.

string

API Hostname.

string

Username.

string

Password.

string

Bucket URI.

enum (URISourceType)

The URI source type.

enum (SourceDeletionOption)

Source deletion option.

string

Output only. Service Account Chronicle will be using to pull data.

string

HTTP URI.

enum (URISourceType)

The URI source type.

enum (SourceDeletionOption)

Source deletion option.

object (SftpAuth)

Input only. Authentication.

string

SFTP URI.

enum (URISourceType)

The URI source type.

enum (SourceDeletionOption)

Source deletion option.

string

Username. Used for username and password authentication.

string

Password. Used for username and password authentication.

string

Private key. Used for private key authentication.

string

Private key passphrase. Used for private key authentication.

object (S3Auth)

Input only. Authentication.

string

S3 URI.

enum (URISourceType)

The URI source type.

enum (SourceDeletionOption)

Source deletion option.

string

Access key ID. Used when using access key auth.

string

Secret access key. Used when using access key auth.

string

Client ID. Used when using OAuth auth.

string

Client secret. Used when using OAuth auth.

string

Refresh URI. Used when using OAuth auth.

enum (S3Region)

S3 Region.

object (AzureAuth)

Input only. Authentication.

string

Azure URI.

enum (URISourceType)

The URI source type.

enum (SourceDeletionOption)

Source deletion option.

string

Shared Key.

string

SAS Token.

enum (S3Region)

S3 Region.

string

Name of the queue.

string

Account number of the owner of the queue.

object (SQSAuth)

Input only. Authentication.

enum (SourceDeletionOption)

Source deletion option.

object (SQSAccessKeySecretAuth)

SQS access key secret auth.

object (AdditionalS3AccessKeySecretAuth)

Authentication for the S3 bucket referred to by the items in the SQS queue. This is only required if it is different from the authentication for the queue.

string

Access key ID.

string

Secret access key.

string

Access key ID.

string

Secret access key.

object (OAuthJWTCredentials)

Input only. Authentication

string

API Version

object (OAuthJWTCredentials)

Input only. Authentication.

object (OAuthClientCredentials)

Input only. OAuthClientCredentials.

string

API Hostname.

enum (IngestionType)

Optional. Ingestion Type.

object (HttpHeaderAuth)

Input only. Authentication.

string (Timestamp format)

time since when to start fetching the IOCs

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

object (HttpHeaderAuth)

Input only. Authentication.

string

Hostname of SentinelOne alert settings.

string

initialStartTime from when to fetch the alerts

boolean

Is the customer subscribed to Alerts Api

object (UsernameSecretAuth)

Input only. Authentication

string

Hostname.

enum (ApiType)

Supported Qualys Scan api type.

string

Google Service Account Email.

object (HttpHeaderAuth)

Input only. Authentication.

string

Full API Endpoint.

string

Optional. Delimiter to split on for the feed.

string

Optional. Delimiter to split on for the feed.

string

Optional. Delimiter to split on for the feed.

object (UsernameSecretAuth)

Input only. UsernameSecretAuth.

object (UsernameSecretAuth)

Input only. UsernameSecretAuth.

object (UsernameSecretAuth)

Input only. UsernameSecretAuth.

object (UsernameSecretAuth)

Input only. Authentication

enum (ApiType)

Supported AWS IAM api type.

object (HttpHeaderAuth)

Input only. Authentication.

string

API Hostname.

string

Content Category.

string

Content type.

string

Required. Google Cloud Storage Bucket URI for the feed.

enum (SourceDeletionOptionV2)

Optional. Source deletion option determines if the data from the source is to be deleted after ingestion.

string

Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project.

integer

Optional. Maximum File Age to ingest in days.

object (S3AuthV2)

Required. Authentication.

string

Required. S3 URI.

enum (SourceDeletionOptionV2)

Optional. Source deletion option.

integer

Optional. Maximum File Age to ingest in days.

string

Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project.

object (S3V2AccessKeySecretAuth)

Access Key ID and Secret Access Key for an AWS account.

object (S3V2AwsIamRoleAuth)

AWS IAM Role Auth for Identity Federation.

string

Required. Access Key ID for an AWS account (a 20-character, alphanumeric string).

string

Required. Secret Access Key for an AWS account (a 40-character string).

string

AWS IAM Role for Identity Federation.

string

Subject ID to use for S3.

string

Required. Amazon Resource Name(ARN) of the queue.

string

Required. S3 URI.

object (SQSAuthV2)

Required. Authentication.

enum (SourceDeletionOptionV2)

Optional. Source deletion option.

integer

Optional. Maximum File Age to ingest in days.

string

Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project.

object (SQSV2AccessKeySecretAuth)

Required. Auth key and secret for the SQS queue.

object (SQSV2AwsIamRoleAuth)

Required. AWS IAM Role for Identity Federation.

string

Access key ID of the S3 bucket. Ex: AKIABCDEFGHIJKL.

string

Secret access key to access the S3 bucket.

string

AWS IAM Role for Identity Federation.

string

Subject ID to use for SQS.

string

Required. Event hub to read from.

string

Required. Event hub consumer group to read from.

string

Required. Event hub connection string for authentication.

string

Optional. Blob store connection string for authentication.

string

Optional. Blob storage container name.

string

Optional. SAS token

string

Output only. Event hub namespace

object (TrellixStarXAuthentication)

Required. Authentication.

string

Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id// - or - https://htapdeviceproxy.md.mandiant.net/dphb/hx//

object (MssoAuthentication)

Input only. MssoAuthentication auth type.

object (TrellixIAMAuthentication)

Input only. TrellixIAMAuthentication auth type.

string

Required. Username for MSSO authentication. There are no restrictions on the format of the username. It has no default, specifically enforced min / max length or character set. The username will have been provided by an MSSO administrator and it is assumed that they have provided a username that is internally consistent with MSSO authentication requirements / validation.

string

Required. Password of the account identified by username. There are no restrictions on the format of the password. It has no default, specifically enforced min / max length or character set. The password will have been provided by an MSSO administrator and it is assumed that they have provided a password that is internally consistent with MSSO authentication requirements / validation.

string

Required. The login api endpoint url. This must be a valid URL with an http or https scheme. It has no default.

string

Required. Client ID generated in Trellix IAM. This is a unique identifier for the user that is generated in Trellix IAM. It has no default, specifically enforced min / max length or character set. It is assumed that the Client ID generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation.

string

Required. Secret associated with the Client ID. This is the secret generated in Trellix IAM for the Client ID. It has no default, specifically enforced min / max length or character set. It is assumed that the secret generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation.

string

Required. OAUTH 2 scope to request for the authentication token. This is the OAUTH 2 scope to request for the authentication token. It has no default, specifically enforced min / max length or character set. It is assumed that the scope provided is internally consistent with Trellix IAM authentication requirements / validation.

string

Required. Azure URI.

object (AzureAuthV2)

Required. Authentication.

enum (SourceDeletionOptionV2)

Optional. Source deletion option.

integer

Optional. Maximum File Age to ingest in days.

string

Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project.

string

Required. Access Key also known as shared key.

string

Required. SAS Token.

object (AzureV2WorkloadIdentityFederation)

Required. Azure V2 Workload Identity Federation.

string

Required. OAuth client ID.

string

Required. Tenant ID.

string

Required. Subject ID of the Azure subscription.

object (TrellixStarXAuthentication)

Required. Authentication.

string

Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id// - or - https://htapdeviceproxy.md.mandiant.net/dphb/hx//

string

Required. Google Cloud Storage Bucket URI for the feed.

string

Required. Subscription name for pubsub topic.

enum (SourceDeletionOptionV2)

Optional. Source deletion option determines if the data from the source is to be deleted after ingestion.

string

Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project.

integer

Optional. Maximum File Age to ingest in days.

object (OAuthClientCredentials)

Required. OAuthClientCredentials.

string

Required. API Hostname.

enum (IngestionType)

Optional. Ingestion Type.

object (TrellixStarXAuthentication)

Required. Authentication.

string

Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id// - or - https://htapdeviceproxy.md.mandiant.net/dphb/hx//

object (MimecastV2OAuthClientCredentials)

Required. Mimecast OAuthClientCredentials.

string

Required. Client ID.

string

Required. Client Secret.

object (UsernameSecretAuth)

Required. Input only. UsernameSecretAuth.

string

Required. hostname.

string

Required. Owners.

string

Optional. ThreatConnect Query Language filter.

string

Optional. Fields

integer

Optional. Schedule

string

string