Tool: list_case_alerts
Lists all alerts within a case. This tool also provides alert_group_identifiers for each alert.
Workflow Integration:
- Used when an analyst needs to see all alerts within a case, such as when investigating a specific case or reviewing the status of multiple alerts.
- Essential for automated playbooks that need to check the status of multiple alerts before taking action.
- Provides a comprehensive view of all alerts within a case, allowing for easy navigation and status monitoring.
- Can be used to verify the result of an update operation by fetching the alert after the update has been applied.
Use Cases:
- An analyst views all alerts within a case to see if any other alerts are firing for the same host or user.
- A SOC manager reviews all alerts within a case to prioritize their investigation.
- An automated playbook checks the status of multiple alerts before taking action.
- A reporting script fetches all alerts within a case to generate a detailed incident report.
Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- case_id (str): The numeric ID of the case to list alerts for (e.g., '12345'). This is a required field.
- page_size (int, optional): The maximum number of alerts to return. The service may return fewer alerts than requested. If unspecified, the service will pick an appropriate default.
- page_token (str, optional): A page token, received from a previous ListCaseAlerts call. Provide this to retrieve the subsequent page.
- filter (str, optional): A filter expression to filter the list of alerts. Supported fields include 'Status', 'Priority', 'CreateTime', 'UpdateTime', and 'AlertGroupIdentifier'. Note that field names are case-sensitive and follow PascalCase as used in the backend. Example: filter="AlertGroupIdentifier='Remote Failed loginJIuSrw6JxVEAQsav/ew994J+AnKNOB+vrsfNpkO3ZQI=_923ec98b-4fb6-4a3f-809d-d6de2f201795'"
- order_by (str, optional): A comma-separated list of field names to order by. Supported fields: 'CreateTime', 'UpdateTime'.
Returns: ListCaseAlertsResponse: A paginated list of CaseAlert objects, each representing a single alert within the case. Each CaseAlert object contains the following key fields:
- Name (str): The full resource name of the alert.
- Id (int): The unique identifier for the alert.
- DisplayName (str): The title or display name of the alert.
- Priority (str): The priority of the alert (e.g., "HIGH").
- Status (str): The current status of the alert (e.g., "OPEN").
- CreateTime (int): The creation timestamp of the alert in milliseconds.
- UpdateTime (int): The last update timestamp of the alert in milliseconds.
- Product (str): The product that generated the alert.
- Vendor (str): The vendor of the product that generated the alert.
- RuleGenerator (str): The rule that generated the alert.

Returns an error message if the parent case is not found or the user does not have permission to view it.
Example Usage:

```python
# List all alerts within a case
list_case_alerts(project_id='123', region='us', customer_id='abc', case_id='456')

# List all alerts within a case with a filter
# (filter field names are case-sensitive PascalCase, as documented under Args)
list_case_alerts(project_id='123', region='us', customer_id='abc', case_id='456', filter='Status="OPEN"')

# List all alerts within a case with ordering (supported fields: CreateTime, UpdateTime)
list_case_alerts(project_id='123', region='us', customer_id='abc', case_id='456', order_by='CreateTime desc')
```
Next Steps (using MCP-enabled tools):
- Use 'get_case_alert' with the alert's resource name to retrieve its full details.
- Use 'create_case_comment' to add a note to the parent case explaining why the alert status was changed.
- Use 'update_case_alert' to change the status of an alert.
- Use 'list_case_comments' to see if any comments were added as part of the update.
The following sample demonstrates how to use curl to invoke the list_case_alerts MCP tool. The argument values are the ones from the usage example above; fill them in according to the tool's MCP specification.

Curl Request:

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "list_case_alerts",
      "arguments": {
        "project_id": "123",
        "customer_id": "abc",
        "region": "us",
        "case_id": "456"
      }
    }
  }'
```
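The request body above and the page_token / nextPageToken contract from the Args and Returns sections, worked through as an added example (not code from the page or from the Chronicle project): it builds the JSON-RPC tools/call body, follows nextPageToken across pages, and groups the returned CaseAlerts by alertGroupIdentifier with the entities their involvedRelations touch, which is the "other alerts for the same host or user" check from the use cases. The transport is a stand-in over constructed pages, and the entity types USER/HOST are placeholders.

```python
def build_request(project_id, customer_id, region, case_id, page_token=None, filter=None, req_id=1):
    """JSON-RPC 2.0 body for tools/call -> list_case_alerts, same shape as the curl sample."""
    args = {"project_id": project_id, "customer_id": customer_id, "region": region, "case_id": case_id}
    if page_token:
        args["page_token"] = page_token
    if filter:
        args["filter"] = filter  # PascalCase field names, e.g. Status="OPEN"
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": "list_case_alerts", "arguments": args}}

def _alert(n, title, status, group, user, host):
    """Constructed CaseAlert-shaped record (field names from the output schema); USER/HOST are placeholders."""
    return {"name": f"projects/p/locations/us/instances/i/cases/456/caseAlerts/{n}",
            "displayName": title, "status": status, "priority": "HIGH",
            "createTime": str(1700000000000 + n * 60000), "alertGroupIdentifier": group,
            "involvedRelations": [{"from": {"identifier": user, "type": "USER"},
                                   "to": {"identifier": host, "type": "HOST"}}]}

# Constructed two-page ListCaseAlertsResponse, keyed by the page_token that fetches each page.
SAMPLE_PAGES = {
    None: {"caseAlerts": [_alert(1, "Remote Failed Login", "OPEN", "grp-A", "alice", "WS-01"),
                          _alert(2, "Brute Force", "OPEN", "grp-A", "alice", "WS-01")],
           "nextPageToken": "page-2", "totalSize": 3},
    "page-2": {"caseAlerts": [_alert(3, "Data Exfiltration", "CLOSED", "grp-B", "bob", "SRV-07")],
               "totalSize": 3},
}

def fake_call(body):  # stand-in transport: returns the constructed page for the requested page_token
    return SAMPLE_PAGES[body["params"]["arguments"].get("page_token")]

def list_all_alerts(call, **request_kwargs):
    """Follow nextPageToken until the service returns no further token."""
    token, alerts = None, []
    while True:
        page = call(build_request(page_token=token, **request_kwargs))
        alerts.extend(page.get("caseAlerts", []))
        token = page.get("nextPageToken")
        if not token:
            return alerts

def group_by_alert_group(alerts):
    """alertGroupIdentifier -> open-alert count and the entities (from/to) the group touches."""
    groups = {}
    for a in alerts:
        g = groups.setdefault(a["alertGroupIdentifier"], {"open": 0, "entities": set()})
        g["open"] += a["status"] == "OPEN"
        for rel in a.get("involvedRelations", []):
            g["entities"].update(rel[end]["identifier"] for end in ("from", "to"))
    return groups
```

To run against the real endpoint, replace fake_call with a function that POSTs the body to the MCP URL with your credentials and returns the tool's parsed result.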
Input Schema
Request message for ListCaseAlerts. Next ID: 9
ListCaseAlertsRequest

JSON representation:

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string
}
```

| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| caseId | Case ID. |
| pageSize | Page size. |
| pageToken | Page token. |
| filter | Filter. |
| orderBy | Order by. |
Output Schema
Response message for ListCaseAlerts.
ListCaseAlertsResponse

JSON representation:

```
{
  "caseAlerts": [
    {
      object (CaseAlert)
    }
  ],
  "nextPageToken": string,
  "totalSize": integer
}
```

| Field | Description |
|---|---|
| caseAlerts[] | The list of CaseAlerts. |
| nextPageToken | A token, which can be sent as |
| totalSize | The total number of results matching the request. |
CaseAlert

JSON representation:

```
{
  "name": string,
  "identifier": string,
  "caseId": integer,
  "createTime": string,
  "updateTime": string,
  "ruleGenerator": string,
  "sourceGroupingIdentifier": string,
  "product": string,
  "displayName": string,
  "vendor": string,
  "environment": string,
  "ticketId": string,
  "sourceSystemName": string,
  "closureDetails": {
    object (AlertClosureDetails)
  },
  "sla": {
    object (Sla)
  },
  "manual": boolean,
  "priority": enum (LegacyCasePriority),
  "sourceIdentifier": string,
  "additionalProperties": string,
  "status": enum (AlertStatus),
  "startTime": string,
  "endTime": string,
  "involvedRelations": [
    {
      object (InvolvedRelation)
    }
  ],
  "siemAlertId": string,
  "sourceUrl": string,
  "sourceRuleUrl": string,
  "sourceSystemUrl": string,
  "sourceRuleIdentifier": string,
  "playbookStatus": enum (WorkflowStatus),
  "attachedPlaybookName": string,
  "nestingDepth": integer,
  "alertGroupIdentifier": string,
  "eventCount": integer,

  // Union field _playbook_run_count can be only one of the following:
  "playbookRunCount": integer
  // End of list of possible types for union field _playbook_run_count.
}
```

| Field | Type | Description |
|---|---|---|
| name | string | Identifier. The unique name (ID) of the CaseAlert. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert} |
| identifier | string | Output only. Title + GUID, e.g. ACCESS DISABLED ACCOUNTS_3A0C90F9-A87E-4E94-8727-7884F686ECDA. Legacy identifier of the alert used across the legacy modules in the system. Char limit: 2100. |
| caseId | integer | Output only. Case associated with the alert. Added for convenience to be used by the UI. |
| createTime | string (int64 format) | Output only. The creation time of the record in milliseconds. |
| updateTime | string (int64 format) | Output only. The modification time of the record in milliseconds. |
| ruleGenerator | string | Output only. The rule that triggered the alert on the third-party system. This can be any rule defined in that system, such as a SIEM, Splunk or CrowdStrike rule. Character limit: 250. |
| sourceGroupingIdentifier | string | Output only. A key on the alert that can be used to group alerts into the same case. Character limit: 2100. |
| product | string | Output only. The product associated with the alert. E.g. DLP, WinEventLog:Security. |
| displayName | string | Output only. The display name of the alert. E.g. "DATA EXFILTRATION". |
| vendor | string | Output only. The vendor of the alert. E.g. "Microsoft". Character limit: 2100. |
| environment | string | Output only. The environment of the alert. |
| ticketId | string | Output only. Third-party ticket ID; can originate from a SIEM or other tools. E.g. "3a0c90f9-a87e-4e94-8727-7884f686ecda". |
| sourceSystemName | string | Output only. The alerting system that raised the alert. E.g. "QRadar", "Arcsight", "Microsoft CASB". The integration name in SOAR. |
| closureDetails | object (AlertClosureDetails) | Optional. Defines the close reason of an alert, if any. |
| sla | object (Sla) | Optional. SLA (Service Level Agreement) for the specific alert, also used to calculate the aggregate case SLA. |
| manual | boolean | Output only. Whether the alert was created manually. |
| priority | enum (LegacyCasePriority) | Optional. Default value is HIGH. |
| sourceIdentifier | string | Output only. Stores the identifier of the source of the alert; could be a connector identifier etc. |
| additionalProperties | string | Output only. Stores additional data on specific alerts, currently used by connectors, in JSON format. |
| status | enum (AlertStatus) | Optional. Alert status. Default value is OPEN. |
| startTime | string (int64 format) | Output only. When the alert was created on the third-party product (SIEM, IPS, etc.). |
| endTime | string (int64 format) | Output only. When the alert was closed on the third-party product (SIEM, IPS, etc.). |
| involvedRelations[] | object (InvolvedRelation) | Output only. All involved relations for the alert. Directional connection between entities in a given alert. |
| siemAlertId | string | Output only. The identifier of the alert in the SIEM. |
| sourceUrl | string | Output only. The source URL of the alert. |
| sourceRuleUrl | string | Output only. The source rule URL of the alert. |
| sourceSystemUrl | string | Output only. The source system URL. |
| sourceRuleIdentifier | string | Output only. The source rule identifier. |
| playbookStatus | enum (WorkflowStatus) | Output only. Alert playbook status. |
| attachedPlaybookName | string | Output only. The attached playbook name. |
| nestingDepth | integer | Output only. The nesting depth of the alert. |
| alertGroupIdentifier | string | Output only. The alert group identifier. |
| eventCount | integer | Output only. The number of events that triggered the alert. |
| playbookRunCount | integer | Member of union field _playbook_run_count (only one member of the union can be set). Output only. The number of times the first playbook was run on the alert. |
AlertClosureDetails

JSON representation (truncated in the source):

```
{
  "reason": enum (…
```

| Field | Description |
|---|---|
| reason | Output only. Alert closure reason. |
| comment | Output only. Alert closure comment. |
| rootCause | Output only. Alert closure root cause. |
| closingTimeMs | Output only. Alert closure time in Unix format as milliseconds. |
Sla

JSON representation (truncated in the source):

```
{
  "expirationTime": string,
  "criticalExpirationTime": string,
  "expirationStatus": enum (…
```

| Field | Description |
|---|---|
| expirationTime | Required. SLA expiration time in Unix format as milliseconds. Old prop: SlaExpiration. |
| criticalExpirationTime | Required. SLA critical expiration time in Unix format as milliseconds. Old prop: SlaCriticalExpiration. |
| expirationStatus | Output only. SLA expiration status. |
| remainingTimeSinceLastPause | Output only. Remaining time since last pause. |
InvolvedRelation

JSON representation (truncated in the source):

```
{
  "identifier": string,
  "alertIdentifier": string,
  "caseId": integer,
  "relationType": string,
  "from": {
    object (…
```

| Field | Description |
|---|---|
| identifier | Required. The identifier of the relation. |
| alertIdentifier | Output only. The identifier of the alert the relation belongs to. |
| caseId | Output only. The ID of the case the relation belongs to. |
| relationType | Output only. The type of the relation. |
| from | Output only. The source of the relation. |
| to | Output only. The destination of the relation. |
| deviceProduct | Output only. The product. |
| deviceVendor | Output only. The vendor. |
| categoryOutcome | Output only. The category outcome. Blocked/Allowed/null. |
| destinationPort | Output only. The destination port, if relevant. |
| eventClassId | Output only. Event display name. For example: Email Check, Data Exfiltration, IRC etc. |
| startTime | Output only. Start time of the involved relation. |
| endTime | Output only. End time of the involved relation. |
| additionalProperties | Output only. Additional data, stored in JSON format. |
EntityKey

JSON representation:

```
{
  "identifier": string,
  "type": string
}
```

| Field | Description |
|---|---|
| identifier | Output only. The identifier of the entity. |
| type | Output only. The type of the entity. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌