search_security_events
Search Chronicle for security events using natural language queries. Automatically translates your input into Chronicle UDM queries to find specific events within a specified timeframe.
Instructions
Search for security events in Chronicle using natural language.
This function allows you to search for events using everyday language instead of requiring
UDM query syntax. The natural language query will be automatically translated into a
Chronicle UDM query for execution.
Examples of natural language queries:
- "Show me network connections from yesterday for the domain google.com"
- "Display connections to IP address 192.168.1.100"
Args:
text: Natural language description of the events you want to find
project_id: Google Cloud project ID (defaults to config)
customer_id: Chronicle customer ID (defaults to config)
hours_back: How many hours to look back (default: 24)
max_events: Maximum number of events to return (default: 100)
region: Chronicle region (defaults to config)
Returns:
Dictionary containing the UDM query and search results, including events and metadata.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| customer_id | No | ||
| hours_back | No | ||
| max_events | No | ||
| project_id | No | ||
| region | No | ||
| text | Yes |
Input Schema (JSON Schema)
{
"properties": {
"customer_id": {
"default": null,
"title": "Customer Id",
"type": "string"
},
"hours_back": {
"default": 24,
"title": "Hours Back",
"type": "integer"
},
"max_events": {
"default": 100,
"title": "Max Events",
"type": "integer"
},
"project_id": {
"default": null,
"title": "Project Id",
"type": "string"
},
"region": {
"default": null,
"title": "Region",
"type": "string"
},
"text": {
"title": "Text",
"type": "string"
}
},
"required": [
"text"
],
"title": "search_security_eventsArguments",
"type": "object"
}