MCP Tools Reference: chronicle.googleapis.com

Tool: get_involved_entity

Retrieves a specific involved entity associated with a case alert in Chronicle SIEM.

Provides detailed information about a single involved entity.

Workflow Integration:
- Used to drill down into a specific entity from a list of entities within a case alert.
- Enables other systems to get the current state of an entity before taking action.

Use Cases:
- An analyst clicks on an entity in the SOAR UI to view its full details.
- An automated playbook fetches an entity to extract specific indicators of compromise (IoCs).

Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- case_id (str): The numeric ID of the parent case (e.g., "1").
- case_alert_id (str): The numeric ID of the specific alert within the case (e.g., "789"). This is not the descriptive alert identifier string. You can find this numeric ID as the last part of the 'Name' field when you list alerts using 'list_case_alerts'.
- involved_entity_id (str): The ID of the involved entity to retrieve (required).

Returns:
InvolvedEntity: The full InvolvedEntity object with all its details. Returns an error message if the involved entity is not found.

Example Usage:
# Get details for a specific involved entity
get_involved_entity(project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', involved_entity_id='101112')

Next Steps (using MCP-enabled tools):
- Use 'list_involved_entities' to see other entities in the same case alert.

The following sample demonstrates how to use curl to invoke the get_involved_entity MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "get_involved_entity",
      "arguments": {
        // provide these details according to the MCP specification of the tool
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'

Input Schema

Request message for GetInvolvedEntity.

GetInvolvedEntityRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "caseId": string,
  "caseAlertId": string,
  "involvedEntityId": string
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

caseId

string

Case ID of the case alert.

caseAlertId

string

Case alert ID of the case alert.

involvedEntityId

string

Involved entity ID of the involved entity.

Output Schema

This service is available to customers who have migrated SOAR to a customer-managed project and have the Chronicle API enabled. This resource represents entities that are associated with both cases and caseAlerts, or with all caseAlerts related to a specific case. These entities are uniquely identified by their entityIdentifier and type. A separate entity resource, 'Unique Entity', is not connected to cases and caseAlerts: it is a collection of every distinct entity in the system, outside the context of any case or alert. Unique entities are updated (if needed) during ingestion when new entities arrive.

InvolvedEntity

JSON representation
{
  "name": string,
  "id": string,
  "type": string,
  "threatSource": string,
  "operatingSystem": string,
  "networkTitle": string,
  "environment": string,
  "additionalProperties": string,
  "sourceSystemUri": string,
  "entityUri": string,
  "fields": [
    {
      object (ContextGroup)
    }
  ],
  "alertIdentifier": string,
  "caseId": integer,
  "identifier": string,

  // Union field _suspicious can be only one of the following:
  "suspicious": boolean
  // End of list of possible types for union field _suspicious.

  // Union field _internal can be only one of the following:
  "internal": boolean
  // End of list of possible types for union field _internal.

  // Union field _network_priority can be only one of the following:
  "networkPriority": integer
  // End of list of possible types for union field _network_priority.

  // Union field _attacker can be only one of the following:
  "attacker": boolean
  // End of list of possible types for union field _attacker.

  // Union field _pivot can be only one of the following:
  "pivot": boolean
  // End of list of possible types for union field _pivot.

  // Union field _manually_created can be only one of the following:
  "manuallyCreated": boolean
  // End of list of possible types for union field _manually_created.

  // Union field _enriched can be only one of the following:
  "enriched": boolean
  // End of list of possible types for union field _enriched.

  // Union field _artifact can be only one of the following:
  "artifact": boolean
  // End of list of possible types for union field _artifact.

  // Union field _vulnerable can be only one of the following:
  "vulnerable": boolean
  // End of list of possible types for union field _vulnerable.
}
Fields
name

string

Identifier. The unique name (ID) of the InvolvedEntity. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/involvedEntities/{involved_entity}

id

string (int64 format)

Required. Immutable. The id of the entity.

type

string

Required. Immutable. The type of the entity. Could be: HOSTNAME, USB, PROCESS, ADDRESS, …

threatSource

string

Optional. Threat source of the entity.

operatingSystem

string

Optional. Operating system related to the entity.

networkTitle

string

Optional. Network name related to the entity.

environment

string

Output only. Immutable. The environment the entity belongs to. Derived from the case and alert.

additionalProperties

string

Optional. Stores additional properties, as a JSON format.

sourceSystemUri

string

Optional. Output only. Immutable. Link to the source system.

entityUri

string

Optional. Output only. The full URL of the entity, calculated using the source_system_uri and the entity data. Optional if the source_system_uri is not defined.

fields[]

object (ContextGroup)

Output only. A list of context group items, which are calculated based on the entity's properties.

alertIdentifier

string

Output only. The alert identifier of the alert that the involved entity is associated with.

caseId

integer

Output only. The id of the case that the involved entity is associated with.

identifier

string

Output only. The identifier name of the involved entity.

Union field _suspicious .

_suspicious can be only one of the following:

suspicious

boolean

Required. Describes if the entity is suspicious or not.

Union field _internal .

_internal can be only one of the following:

internal

boolean

Required. Indicates whether this entity is internal. This setting is configured in the application's settings, and any entity type can be designated as internal.

Union field _network_priority .

_network_priority can be only one of the following:

networkPriority

integer

Optional. Network priority of a related network.

Union field _attacker .

_attacker can be only one of the following:

attacker

boolean

Optional. Describes if the entity represents an attacker or not.

Union field _pivot .

_pivot can be only one of the following:

pivot

boolean

Optional. Describes if the entity is a pivot or not. A pivot entity is an entity which is common to two or more cases. In the case graph, it is connected to other entities by a dotted line.

Union field _manually_created .

_manually_created can be only one of the following:

manuallyCreated

boolean

Output only. Immutable. Describes if the entity was created by the system (as part of the ingestion flow), or manually by the user.

Union field _enriched .

_enriched can be only one of the following:

enriched

boolean

Output only. Indicates whether the entity has been enriched. An entity is enriched when an action adds information from an external system.

Union field _artifact .

_artifact can be only one of the following:

artifact

boolean

Output only. Describes if the entity is an artifact or not.

Union field _vulnerable .

_vulnerable can be only one of the following:

vulnerable

boolean

Output only. Describes if the entity is vulnerable or not.

ContextGroup

JSON representation
{
  "displayName": string,
  "items": [
    {
      object (ContextGroupItem)
    }
  ],

  // Union field _highlighted can be only one of the following:
  "highlighted": boolean
  // End of list of possible types for union field _highlighted.

  // Union field _hidden can be only one of the following:
  "hidden": boolean
  // End of list of possible types for union field _hidden.
}
Fields
displayName

string

Output only. The name of the context group. Default context group is called "Default".

items[]

object (ContextGroupItem)

Output only. A list of items in the group.

Union field _highlighted .

_highlighted can be only one of the following:

highlighted

boolean

Output only. Whether the context group is highlighted.

Union field _hidden .

_hidden can be only one of the following:

hidden

boolean

Output only. Whether the context group is hidden.

ContextGroupItem

JSON representation
{
  "name": string,
  "originalName": string,
  "value": string
}
Fields
name

string

Output only. The name of the property.

originalName

string

Output only. The original name of the property.

value

string

Output only. The property's value.
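Putting the request shape from the curl sample together with the InvolvedEntity, ContextGroup and ContextGroupItem schemas above, here is an added Python example (not code from this page or from Google): it builds the JSON-RPC body, rejects non-numeric IDs before anything is sent, and summarizes a constructed response without losing the distinction between an absent union field and a false one. It assumes the keys inside "arguments" are the tool's Args names listed above, and it makes no network call.

```python
import json
# Endpoint and headers taken from the curl sample on this page.
MCP_URL = "https://chronicle.googleapis.com/mcp"
MCP_HEADERS = {"content-type": "application/json",
               "accept": "application/json, text/event-stream"}

def build_get_involved_entity_request(project_id, customer_id, region,
                                      case_id, case_alert_id,
                                      involved_entity_id, request_id=1):
    """JSON-RPC 2.0 'tools/call' body for get_involved_entity. Argument keys
    are assumed to match the tool's Args names above. case_alert_id must be
    the numeric alert ID (last segment of the alert 'name'), not the
    descriptive identifier, so the ID arguments are checked up front."""
    for label, value in (("case_id", case_id), ("case_alert_id", case_alert_id),
                         ("involved_entity_id", involved_entity_id)):
        if not str(value).isdigit():
            raise ValueError(f"{label} must be numeric, got {value!r}")
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "get_involved_entity", "arguments": {
                "project_id": project_id, "customer_id": customer_id,
                "region": region, "case_id": str(case_id),
                "case_alert_id": str(case_alert_id),
                "involved_entity_id": str(involved_entity_id)}}}

def summarize_involved_entity(entity):
    """Reduce an InvolvedEntity to what a playbook acts on. The union-typed
    booleans (suspicious, attacker, ...) may be absent, which is not the same
    as false: absent ones come back as None so 'unknown' is never read as
    'clean'. fields[] groups are flattened to {displayName: {name: value}};
    groups marked hidden are skipped (this example's choice, not an API rule)."""
    flags = {k: entity.get(k) for k in ("suspicious", "internal", "attacker",
             "pivot", "enriched", "artifact", "vulnerable", "manuallyCreated")}
    context = {}
    for group in entity.get("fields", []):
        if group.get("hidden"):
            continue
        context[group.get("displayName", "Default")] = {
            item["name"]: item.get("value") for item in group.get("items", [])}
    return {"identifier": entity.get("identifier"), "type": entity.get("type"),
            "flags": flags, "context": context}

# Constructed sample InvolvedEntity (not real data) following the schema above.
SAMPLE_ENTITY = json.loads("""{
  "name": "projects/p/locations/us/instances/i/cases/456/caseAlerts/789/involvedEntities/101112",
  "id": "101112", "type": "ADDRESS", "identifier": "10.0.0.5", "caseId": 456,
  "suspicious": true, "internal": true,
  "fields": [{"displayName": "Default", "items": [
               {"name": "Country", "originalName": "country", "value": "XX"}]},
             {"displayName": "Hidden", "hidden": true, "items": []}]
}""")
```

To send the request, POST json.dumps(build_get_involved_entity_request(...)) to MCP_URL with MCP_HEADERS and pass the tool result to summarize_involved_entity.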

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
