MCP Tools Reference: chronicle.googleapis.com

Tool: validate_rule

Validate YARA-L 2.0 rule text syntax and compilation in Chronicle SIEM.

Verifies the syntax and compilation of a YARA-L 2.0 detection rule without creating or deploying it. This tool checks for syntax errors, compilation issues, and other problems that would prevent the rule from functioning correctly when deployed.

Workflow Integration:
- Essential validation step during rule development, before creating or updating rules.
- Use it to catch syntax errors and compilation issues early in the development process.
- Helps ensure rule quality and reduces deployment failures in production environments.
- Can be integrated into CI/CD pipelines for automated rule validation (the tool is read-only and idempotent, so it is safe to call on every commit).

Use Cases:
- Validate new YARA-L rule syntax before attempting to create the rule in Chronicle.
- Check modifications to existing rules for syntax errors before deployment.
- Troubleshoot rule compilation issues during development or debugging.
- Verify rule syntax as part of automated testing or quality assurance processes.
- Validate rule text copied from external sources or documentation.

Agent Responsibilities:
- Provide the complete YARA-L rule text to be validated.
- Parse the JSON response: check the 'success' field and examine any messages in 'compilationDiagnostics'.

Args:
- rule_text (str): Complete YARA-L 2.0 rule definition to validate, including the meta, events and condition sections.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).

These are the Python wrapper's parameter names. In a raw JSON-RPC tools/call the arguments object uses the Input Schema field names listed below: projectId, customerId, region and rule.

Returns: str: Raw JSON response from the API. This will typically include:
- success (bool): Whether the rule text was successfully validated.
- compilationDiagnostics (list): Objects containing 'message', 'severity', 'position' and 'uri' for any errors or warnings. 'position' is a 1-based line/column range in the rule text and may be empty.

Example Usage:

# Validate a simple detection rule
rule_text = '''
rule test_process_launch {
  meta:
    description = "Test rule for process launches"
    author = "Security Team"
    severity = "Low"
    yara_version = "YL2.0"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""
  condition:
    $e
}
'''
validate_rule(
    rule_text=rule_text,
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)

Next Steps (using MCP-enabled tools):
- If validation succeeds, use 'test_rule' to test the rule against historical data.
- If validation fails, review the messages in 'compilationDiagnostics' and fix the syntax errors in the rule_text.
- Once validated and tested, use 'create_rule' to deploy the rule to Chronicle.
- Use 'list_rule_errors' after deployment to monitor for runtime issues.
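The gate below is an added example of the parse step an agent or CI job performs on the tool's output; it is not code from the Chronicle MCP page or from Google's SDK. It assumes the VerifyRuleTextResponse shape documented in the Output Schema (success, compilationDiagnostics[] with message, severity, position and uri), that the Severity enum uses the string values "ERROR" and "WARNING" (an assumption; the page does not list the enum members), and that a JSON-RPC tools/call result carries the tool's JSON in result.content[].text (standard MCP shape, also an assumption). The rule text and API responses are constructed for the example, not captured from a live tenant.

```python
"""CI gate for validate_rule output (added example, not Google's code)."""
import json
from typing import Any


def build_tools_call(rule_text: str, project_id: str, customer_id: str,
                     region: str, request_id: int = 1) -> dict[str, Any]:
    """JSON-RPC 2.0 envelope for validate_rule, using the Input Schema
    field names (projectId, customerId, region, rule)."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "validate_rule",
            "arguments": {
                "projectId": project_id,
                "customerId": customer_id,
                "region": region,
                "rule": rule_text,
            },
        },
    }


def unwrap_tool_result(raw: str) -> dict[str, Any]:
    """Return the VerifyRuleTextResponse object.

    Accepts the raw JSON string the tool returns, or (assumed standard MCP
    shape) a JSON-RPC envelope whose result.content[].text holds that JSON.
    """
    obj = json.loads(raw)
    if "result" in obj and "content" in obj["result"]:
        text = "".join(c.get("text", "") for c in obj["result"]["content"]
                       if c.get("type") == "text")
        obj = json.loads(text)
    return obj


def annotate(rule_text: str, diag: dict[str, Any]) -> str:
    """Render one diagnostic with the offending source line and a caret.

    CompilationPosition is 1-based ("beginning at 1" on the page) and may be
    empty, in which case only severity and message are shown.
    """
    sev = diag.get("severity", "SEVERITY_UNSPECIFIED")
    msg = diag.get("message", "")
    pos = diag.get("position") or {}
    if "startLine" not in pos:
        return f"{sev}: {msg}"
    line_no = pos["startLine"]
    col = pos.get("startColumn", 1)
    lines = rule_text.splitlines()
    src = lines[line_no - 1] if 0 < line_no <= len(lines) else ""
    caret = " " * (col - 1) + "^"
    out = f"{sev} at {line_no}:{col}: {msg}\n  {src}\n  {caret}"
    if diag.get("uri"):
        out += f"\n  see {diag['uri']}"
    return out


def gate(raw: str, rule_text: str) -> tuple[bool, list[str]]:
    """Pass only if success is true and no ERROR diagnostic is present.
    WARNING diagnostics are reported but do not fail the gate."""
    resp = unwrap_tool_result(raw)
    diags = resp.get("compilationDiagnostics", [])
    rendered = [annotate(rule_text, d) for d in diags]
    has_error = any(d.get("severity") == "ERROR" for d in diags)
    return bool(resp.get("success")) and not has_error, rendered


# Constructed rule with a deliberate typo on line 6 (hostnam).
RULE = """rule test_process_launch {
  meta:
    description = "Test rule for process launches"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostnam != ""
  condition:
    $e
}"""

# Constructed sample responses (not captured from the API).
SUCCESS_RESPONSE = json.dumps({"success": True, "compilationDiagnostics": []})
FAILED_RESPONSE = json.dumps({
    "success": False,
    "compilationDiagnostics": [
        {"message": "unknown UDM field principal.hostnam", "severity": "ERROR",
         "position": {"startLine": 6, "startColumn": 5,
                      "endLine": 6, "endColumn": 25}},
        {"message": "rule has no author in meta", "severity": "WARNING",
         "position": {}},
    ],
})
# The same failure wrapped in an MCP tools/call envelope (assumed shape).
ENVELOPE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "content": [{"type": "text", "text": FAILED_RESPONSE}]}})

if __name__ == "__main__":
    passed, messages = gate(ENVELOPE, RULE)
    print("\n".join(messages))
    raise SystemExit(0 if passed else 1)
```

Pointing the caret at startColumn rather than underlining to endColumn avoids guessing whether endColumn is inclusive; the page only fixes the 1-based origin. Exiting non-zero on any ERROR lets the job block a create_rule step even if the API ever reports success alongside error diagnostics.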

The following sample demonstrates how to invoke the validate_rule MCP tool with curl. The arguments object takes the fields of the Input Schema below. As with any googleapis.com endpoint, the request must also carry valid Google Cloud credentials (an OAuth 2.0 access token in the Authorization header), which is omitted here.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "validate_rule",
    "arguments": {
      "projectId": "my-project",
      "customerId": "my-customer",
      "region": "us",
      "rule": "rule test_process_launch {\n  meta:\n    description = \"Test rule for process launches\"\n    author = \"Security Team\"\n    severity = \"Low\"\n    yara_version = \"YL2.0\"\n  events:\n    $e.metadata.event_type = \"PROCESS_LAUNCH\"\n    $e.principal.hostname != \"\"\n  condition:\n    $e\n}"
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for VerifyRuleText.

VerifyRuleTextRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "rule": string
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

rule

string

The rule text to verify.

Output Schema

Response message for VerifyRuleText method.

VerifyRuleTextResponse

JSON representation
{
  "success": boolean,
  "compilationDiagnostics": [
    {
      object (CompilationDiagnostic)
    }
  ]
}
Fields
success

boolean

Whether or not the rule text was successfully verified.

compilationDiagnostics[]

object (CompilationDiagnostic)

A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings.

CompilationDiagnostic

JSON representation
{
  "message": string,
  "position": {
    object (CompilationPosition)
  },
  "severity": enum (Severity),
  "uri": string
}
Fields
message

string

Output only. The diagnostic message.

position

object (CompilationPosition)

Output only. The approximate position in the rule text associated with the compilation diagnostic. The position may be empty.

severity

enum (Severity)

Output only. The severity of a rule's compilation diagnostic.

uri

string

Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

JSON representation
{
  "startLine": integer,
  "startColumn": integer,
  "endLine": integer,
  "endColumn": integer
}
Fields
startLine

integer

Output only. Start line number, beginning at 1.

startColumn

integer

Output only. Start column number, beginning at 1.

endLine

integer

Output only. End line number, beginning at 1.

endColumn

integer

Output only. End column number, beginning at 1.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌