Console
    Start free

    MCP Tools Reference: chronicle.googleapis.com

    Tool: create_case_comment

    Creates a new case comment in Google SecOps.

    Adds a new, structured comment to an existing SOAR case, enabling analysts to log notes, updates, or decisions within an investigation. This is a critical function for maintaining a clear and auditable record of all activities related to a security case.

    Workflow Integration:- A fundamental part of documenting an investigation and maintaining an audit trail for compliance and review. - Integrates seamlessly with UI actions, such as an "Add Comment" button on a case details page, allowing for manual entry of findings. - Allows for automated systems and playbooks to log their actions directly into a case, providing a unified timeline of both human and machine activities. - Can be used to trigger other automated workflows; for example, adding a comment with a specific tag could initiate a new playbook.

    Use Cases:- An analyst adds a manual note about their findings after investigating an alert, such as "Confirmed phishing email from sender X." - An automated playbook adds a comment detailing an action it took, like "Successfully isolated host Y from the network." - A user attaches an artifact or file to the case with a descriptive comment, which can be done by providing attachment details within the comment. - A manager adds a comment to assign the case to a different analyst or to provide guidance on the next steps.

    Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). case_id (str): The numeric ID of the case to which the comment will be added (e.g., '12345'). This is a required field. comment (str): The content of the comment. This is a required field and can contain text, links, or other relevant information.

    Returns: CaseComment: The newly created CaseComment object, including its unique, server-assigned resource name and creation timestamp. The CaseComment object contains the following key fields: - Name (str): The full resource name of the comment. - Id (int): The unique identifier for the comment. - Comment (str): The content of the comment. - UserOwnerFullName (str): The full name of the user who created the comment. - LastEditorFullName (str): The full name of the user who last edited the comment. - CreateTime (int): The creation timestamp of the comment in milliseconds. - UpdateTime (int): The last update timestamp of the comment in milliseconds. - IsFavorite (bool): Indicates if the comment is marked as a favorite. - IsDeleted (bool): Indicates if the comment has been deleted. - AlertIdentifier (str): The identifier of the alert associated with the comment, if any. Returns an error message if the parent case is not found, if the user does not have permission, or if the comment could not be created for other reasons.

    Example Usage: # Create a new comment for a case create_case_comment( project_id='123', region='us', customer_id='abc', case_id='456', comment='Investigated suspicious login from external IP. The IP has been added to the blocklist.' )

    Next Steps (using MCP-enabled tools): - Use 'list_case_comments' to see the newly created comment in the case's timeline along with other comments. - Use 'get_case_comment' with the returned resource name to retrieve its full details at a later time. - Use 'update_case' to change the status or other properties of the case based on the new comment.

    The following sample demonstrate how to use curl to invoke the create_case_comment MCP tool.

    Curl Request 
      
curl  
--location  
 'https://chronicle.googleapis.com/mcp' 
  
 \ 
--header  
 'content-type: application/json' 
  
 \ 
--header  
 'accept: application/json, text/event-stream' 
  
 \ 
--data  
 '{ 
 "method": "tools/call", 
 "params": { 
 "name": "create_case_comment", 
 "arguments": { 
 // provide these details according to the tool' 
s  
MCP  
specification  
 } 
  
 } 
,  
 "jsonrpc" 
:  
 "2.0" 
,  
 "id" 
:  
 1 
 } 
 '

    Input Schema

    Request message for CreateCaseComment. Next ID: 7

    CreateCaseCommentRequest

    JSON representation 
     { 
 "projectId" 
 : 
 string 
 , 
 "customerId" 
 : 
 string 
 , 
 "region" 
 : 
 string 
 , 
 "caseId" 
 : 
 string 
 , 
 "comment" 
 : 
 string 
 }
    Fields
    projectId

    string

    Project ID of the customer.
    customerId

    string

    Customer ID of the customer.
    region

    string

    Region of the customer.
    caseId

    string

    Case ID.
    comment

    string

    Comment.

    Output Schema

    This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. Case Comment - Chronicle SOAR Case Comment.

    CaseComment

    JSON representation 
     { 
 "name" 
 : 
 string 
 , 
 "createTime" 
 : 
 string 
 , 
 "updateTime" 
 : 
 string 
 , 
 "user" 
 : 
 string 
 , 
 "comment" 
 : 
 string 
 , 
 "deletionInvoker" 
 : 
 string 
 , 
 "alertIdentifier" 
 : 
 string 
 , 
 "caseAttachment" 
 : 
 { 
 object (  CaseAttachment 
 
) 
 } 
 , 
 "userOwnerFullName" 
 : 
 string 
 , 
 "lastEditorFullName" 
 : 
 string 
 , 
 "deletedByUser" 
 : 
 string 
 , 
 "case" 
 : 
 string 
 , 
 // Union field _is_favorite 
can be only one of the following: 
 "isFavorite" 
 : 
 boolean 
 // End of list of possible types for union field _is_favorite 
. 
 // Union field _is_deleted 
can be only one of the following: 
 "isDeleted" 
 : 
 boolean 
 // End of list of possible types for union field _is_deleted 
. 
 }
    Fields
    name

    string

    Output only. Identifier. The unique name(ID) of the CaseComment. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseComments/{case_comment}

    createTime

    string ( int64 format)

    Output only. The timestamp when the comment was created.

    updateTime

    string ( int64 format)

    Output only. The timestamp when the comment was last updated.

    user

    string

    Output only. User owner of the comment.

    comment

    string

    Required. The content of the comment.

    deletionInvoker

    string

    Output only. The user who deleted the comment.

    alertIdentifier

    string

    Optional. The alert associated with the comment.

    caseAttachment

    object ( CaseAttachment )

    Optional. The attachment associated with the comment.

    userOwnerFullName

    string

    Output only. The user who created the comment.

    lastEditorFullName

    string

    Output only. The user who last edited the comment.

    deletedByUser

    string

    Output only. The user who deleted the comment.

    case

    string ( int64 format)

    Optional. The case associated with the comment.

    Union field _is_favorite .

    _is_favorite can be only one of the following:

    isFavorite

    boolean

    Optional. Whether the comment is marked as a favorite.

    Union field _is_deleted .

    _is_deleted can be only one of the following:

    isDeleted

    boolean

    Output only. Indicates if the comment has been softly deleted.

    CaseAttachment

    JSON representation 
     { 
 "attachmentBase64" 
 : 
 string 
 , 
 "fileType" 
 : 
 string 
 , 
 "fileName" 
 : 
 string 
 , 
 "fileId" 
 : 
 string 
 }
    Fields
    attachmentBase64

    string

    Required. Base64 encoded attachment associated with the comment (if exists).
    fileType

    string

    Required. The file type of the attachment (if exists).
    fileName

    string

    Required. The file name of the attachment (if it exists).
    fileId

    string ( int64 format)

    Output only. The file id of the attachment.

    Tool Annotations

    Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: