SecOps MCP Tools Reference#
This document provides a reference for the tools available in the SecOps MCP server.
Available Tools#
search_security_events#
Search for security events in Chronicle SIEM using natural language.
Arguments:
text(str): Natural language description of the events you want to find.project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.hours_back(int, optional): How many hours back from the current time to search. Defaults to 24.max_events(int, optional): Maximum number of event records to return. Defaults to 100.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
Dict[str, Any]: A dictionary containing the UDM query and the search results.
get_security_alerts#
Get security alerts directly from Chronicle SIEM.
Arguments:
project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.hours_back(int, optional): How many hours to look back for alerts. Defaults to 24.max_alerts(int, optional): Maximum number of alerts to return. Defaults to 10.status_filter(str, optional): Query string to filter alerts by status. Defaults to excluding closed alerts.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
str: A formatted string summarizing the retrieved security alerts.
get_security_alert_by_id#
Get security alert by ID directly from Chronicle SIEM.
Arguments:
project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.region(str, optional): Chronicle region (e.g., “us”, “europe”).alert_id(str, optional): The ID of the alert to retrieve.include_detections(bool, optional): Whether to include detections in the response. Defaults to True.
Returns:
str: A formatted string summarizing the retrieved security alert.
do_update_security_alert#
Update security alert attributes directly in Chronicle SIEM.
Arguments:
alert_id(str): The unique ID of the Chronicle security alert to update.project_id(str, optional): Google Cloud project ID.customer_id(str, optional): The Chronicle customer ID.region(str, optional): The Google Cloud region where the Chronicle instance is hosted.reason(str, optional): Reason for closing an alert.priority(str, optional): Alert priority.status(str, optional): Alert status.verdict(str, optional): Verdict on the alert.severity(int, optional): Severity score [0-100] of the alert.comment(str, optional): Analyst comment.root_cause(str, optional): Alert root cause.
Returns:
str: A confirmation message indicating whether the alert was updated successfully.
lookup_entity#
Look up an entity (IP, domain, hash, user, etc.) in Chronicle SIEM for enrichment.
Arguments:
entity_value(str): Value to look up (e.g., IP address, domain name, file hash, username).project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.hours_back(int, optional): How many hours of historical data to consider for the summary. Defaults to 24.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
str: A formatted string summarizing the entity information found in Chronicle.
list_security_rules#
List security detection rules configured in Chronicle SIEM.
Arguments:
project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
Dict[str, Any]: Raw response from the Chronicle API, typically containing a list of rule objects.
search_security_rules#
Search security detection rules configured in Chronicle SIEM.
Arguments:
query(str): Regex string to use for searching SecOps rules.project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
Dict[str, Any]: Raw response from the Chronicle API, typically containing a list of rule objects.
get_rule_detections#
Retrieves historical detections generated by a specific Chronicle SIEM rule.
Arguments:
rule_id(str): Unique ID of the rule to list detections for.alert_state(str, optional): If provided, filter by alert state.page_size(int, optional): The maximum number of detections to return in a single response.page_token(str, optional): A token to retrieve the next page of results for pagination.project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
Dict[str, Any]: A dictionary containing the list of detections and pagination information.
list_rule_errors#
Lists execution errors for a specific Chronicle SIEM rule.
Arguments:
rule_id(str): Unique ID of the rule to list errors for.project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
Dict[str, Any]: A dictionary containing rule execution errors.
get_ioc_matches#
Get Indicators of Compromise (IoCs) matches from Chronicle SIEM.
Arguments:
project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.hours_back(int, optional): How many hours back to look for IoC matches. Defaults to 24.max_matches(int, optional): Maximum number of IoC matches to return. Defaults to 20.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
str: A formatted string summarizing the IoC matches found.
get_threat_intel#
Get answers to security questions using Chronicle’s integrated Gemini model.
Arguments:
query(str): The security or threat intelligence question to ask Gemini.project_id(str, optional): Google Cloud project ID.customer_id(str, optional): Chronicle customer ID.region(str, optional): Chronicle region (e.g., “us”, “europe”).
Returns:
str: A formatted answer generated by the Gemini model based on the query.