Chronicle SecOps MCP Server

This function allows you to search for events using everyday language instead of requiring UDM query syntax. The natural language query will be automatically translated into a Chronicle UDM query for execution.

Examples of natural language queries:

- "Show me network connections from yesterday for the domain google.com" - "Display connections to IP address 192.168.1.100"

Args: text: Natural language description of the events you want to find project_id: Google Cloud project ID (defaults to config) customer_id: Chronicle customer ID (defaults to config) hours_back: How many hours to look back (default: 24) max_events: Maximum number of events to return (default: 100) region: Chronicle region (defaults to config)

Returns: Dictionary containing the UDM query and search results, including events and metadata.

{ "properties": { "customer_id": { "default": null, "title": "Customer Id", "type": "string" }, "hours_back": { "default": 24, "title": "Hours Back", "type": "integer" }, "max_events": { "default": 100, "title": "Max Events", "type": "integer" }, "project_id": { "default": null, "title": "Project Id", "type": "string" }, "region": { "default": null, "title": "Region", "type": "string" }, "text": { "title": "Text", "type": "string" } }, "required": [ "text" ], "title": "search_security_eventsArguments", "type": "object" }