Tool: get_ioc_match
Get Indicators of Compromise (IoCs) matches from Chronicle SIEM.
Retrieves IoCs (e.g., malicious IPs, domains, hashes) from configured threat intelligence feeds that have been observed matching events in Chronicle logs within the specified time window.
Agent Responsibilities:1. Time Range Calculation:The agent MUST provide the start_time
and end_time
arguments as ISO 8601 formatted strings (e.g., YYYY-MM-DDTHH:MM:SSZ) to define the search window. 2. Response Parsing:The agent must parse the raw JSON response to extract details from the 'matches' list. Each item in the list represents an IoCDiscoveryInfo object. 3. Data Extraction:From each match, extract relevant fields like 'artifactIndicator', 'sources', 'firstSeenTimestamp', 'lastSeenTimestamp'. 4. Output Formatting:Format the extracted details into a human-readable summary.
Workflow Integration:- Use this to proactively identify potential threats based on IoC matches within SIEM data, potentially before specific detection rules trigger or cases are created in other systems. - Can provide early warning signs or context during investigations initiated from alerts or intelligence originating from any connected security tool (SIEM, EDR, TI platforms, etc.). - Complements rule-based alerts by showing matches against known bad indicators from threat intelligence feeds integrated with the SIEM.
Use Cases:- Monitor for recent sightings of known malicious indicators within SIEM logs. - Identify assets that may have interacted with known bad infrastructure or files, based on log evidence. - Supplement investigations by checking if involved entities match known IoCs curated by threat intelligence sources.
Args: project_id (Optional[str]): Google Cloud project ID. customer_id (Optional[str]): Chronicle customer ID. start_time (str): The start of the time range in ISO 8601 format (e.g., YYYY-MM-DDTHH:MM:SSZ). end_time (str): The end of the time range in ISO 8601 format (e.g., YYYY-MM-DDTHH:MM:SSZ). max_matches (int): Maximum number of IoC matches to return. Defaults to 20. region (Optional[str]): Chronicle region (e.g., "us", "europe").
Returns: str: The raw JSON response from the API (LegacySearchEnterpriseWideIoCsResponse). The agent is responsible for parsing this and generating the user-facing summary. Returns an error message if retrieval fails.
Next Steps (using MCP-enabled tools): - Investigate the assets or events associated with the matched IoCs using udm_search
. - Use entity lookup tools to get broader context on the matched IoC value (IP, domain, hash). - Use SIEM event search tools to find the specific events in logs that triggered the IoC match. - Check if related cases exist in your case management/SOAR system or create one if the match indicates a significant threat. - Correlate IoC match details with findings from other security tools (EDR, Network, Cloud) via their MCP tools.
The following sample demonstrate how to use curl
to invoke the get_ioc_match
MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "get_ioc_match", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } ' |
Input Schema
Request message for GetIocMatch.
GetIocMatchRequest
| JSON representation |
|---|
{ "projectId" : string , "customerId" : string , "region" : string , "startTime" : string , "endTime" : string , "maxMatches" : integer } |
| Fields | |
|---|---|
projectId
|
Project ID of the customer. |
customerId
|
Customer ID of the customer. |
region
|
Region of the customer. |
startTime
|
Start time of the time range to search for IoC matches. |
endTime
|
End time of the time range to search for IoC matches. |
maxMatches
|
Maximum number of matches to return. If not set, the default value is 20. |
Output Schema
Response containing matched IoCs NEXT TAG: 3
LegacySearchEnterpriseWideIoCsResponse
| JSON representation |
|---|
{
"matches"
:
[
{
object (
|
| Fields | |
|---|---|
matches[]
|
IoC Matches returned for the query. |
moreDataAvailable
|
Indicates that more data was available but not sent due to more hits than max_matches_to_return. |
IoCDiscoveryInfo
| JSON representation |
|---|
{ "artifactIndicator" : { object ( |
| Fields | |
|---|---|
artifactIndicator
|
Artifact that was found in the customer environment. |
id
|
Entity ID as a string for pivoting |
fieldAndValue
|
Field path or type with value to identify entity. |
sources[]
|
IoC feed sources. |
categories[]
|
IoC threat categories. |
confidenceScore
|
IoC confidence score. It is not a repeated field because it is used for V2 feeds, where sources and categories are restricted to a cardnality of 1 as well. |
confidenceBucket
|
IoC confidence score, bucketed into e.g. low/medium/high. |
assetIndicators[]
|
We will limit the number of assets to the first N (e.g., N=20) found. |
emptyAssetListReasonCode
|
When asset_indicators is empty, this field should be set. |
iocIngestTimestamp
|
Timestamp when the IoC was first received from ANY feed. This is the earliest timestamp of receipt by Malachite, given that the artifact might have been sent in multiple feeds at different times. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
firstSeenTimestamp
|
Timestamp when the IoC was first seen in the enterprise. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastSeenTimestamp
|
Timestamp when the IoC was last seen in the enterprise. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
filterProperties
|
Properties of this match, used for filtering in the client. |
rawSeverity
|
The indicator's raw severity. |
iocState
|
The current state of IoC. default state is MATCHED. |
priority
|
The priority of the ioc match. |
associationIdentifier[]
|
Associated actors and malware. |
campaigns[]
|
List of campaigns this IoC was observed. |
globalSourceId
|
Global source ID this IoC is part of. This would only be populated if the indicator is coming from a global source. |
logType
|
The log type of the IoC source. |
globalCustomerId
|
Global source ID this IoC is part of. This would only be populated if the indicator is coming from a global source. A base64-encoded string. |
confidenceScoreBucket
|
Confidence score bucket |
ipAndPorts
|
IP address indicator. |
categorization
|
The category/type of this indicator. Ex: "Spyware", "Bitcoin_Related", etc. |
domainAndPorts
|
Domain indicator. |
activeTimerange
|
The time range in which this indicator has been "active". The start or end time (or both) may be empty, indicating an open-ended time interval. |
link
|
optional. This will usually be a link to the Feed's definition. |
feedName
|
Original feed this indicator originated from. |
description
|
Raw description of the IoC. |
threatCollectionItems[]
|
Reference to the threat collection items linked to this IOC match. |
ArtifactIndicator
| JSON representation |
|---|
{ // Union field |
artifact
. An artifact. artifact
can be only one of the following:domain
string
A domain name.
destinationIpAddress
string
A destination ip address.
hashMd5
string
A MD5 file hash.
hashSha1
string
A SHA1 file hash.
hashSha256
string
A SHA256 file hash.
FieldAndValue
| JSON representation |
|---|
{ "value" : string , "entityNamespace" : string , // Union field |
value
string
Required. Indicator value that is used to identify or find the entity.
entityNamespace
string
Optional. Entity namespace. Namespace is only applicable to asset entities.
Union field type
.
type
can be only one of the following:
fieldPath
string
A UDM field path which identifies the type of the indicator to be used to find the entity. This path is not used exclusively to "search" for the entity, but rather to identify the type of indicator, which can be inferred from the path.
valueType
enum (
ValueType
)
An explicit type of the indicator to be used to find the entity.
AssetIndicator
| JSON representation |
|---|
{ "namespace" : string , "isAnyNamespace" : boolean , "filterNamespace" : boolean , // Union field |
namespace
string
The namespace of this asset indicator belongs to. If 'is_any_namespace' is set to true, this field will be ignored.
isAnyNamespace
boolean
False when 'namespace' refers to a valid namespace name related to the asset (both empty and non empty strings are valid namespace name values). True when the asset refers to one or more assets with the given 'indicator' across all namespaces.
filterNamespace
boolean
This field provides clients the option to enable namespace search or not. By default, this field is false and namespace will be ignored.
indicator
. An identifier representing an asset. indicator
can be only one of the following:hostname
string
Hostname of a device or machine.
assetIpAddress
string
IP address of a device or machine.
mac
string
Mac address of a device or machine.
productId
string
The 'product_id' field includes a a product ID type and product ID value, e.g. "CS:1234-5678".
Timestamp
| JSON representation |
|---|
{ "seconds" : string , "nanos" : integer } |
| Fields | |
|---|---|
seconds
|
Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
nanos
|
Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
FilterProperties
| JSON representation |
|---|
{
"stringProperties"
:
{
string
:
{
object (
|
| Fields | |
|---|---|
stringProperties
|
An object containing a list of |
hidden
|
|
StringPropertiesEntry
| JSON representation |
|---|
{
"key"
:
string
,
"value"
:
{
object (
|
| Fields | |
|---|---|
key
|
|
value
|
|
StringValues
| JSON representation |
|---|
{
"values"
:
[
{
object (
|
| Fields | |
|---|---|
values[]
|
|
StringValue
| JSON representation |
|---|
{ "rawValue" : string , "displayValue" : string } |
| Fields | |
|---|---|
rawValue
|
|
displayValue
|
|
AssociationIdentity
| JSON representation |
|---|
{ "name" : string , "regionCode" : { object ( |
| Fields | |
|---|---|
name
|
|
regionCode
|
|
associationType
|
|
associationId
|
|
Location
| JSON representation |
|---|
{
"city"
:
string
,
"state"
:
string
,
"countryOrRegion"
:
string
,
"name"
:
string
,
"deskName"
:
string
,
"floorName"
:
string
,
"regionLatitude"
:
number
,
"regionLongitude"
:
number
,
"regionCoordinates"
:
{
object (
|
| Fields | |
|---|---|
city
|
The city. |
state
|
The state. |
countryOrRegion
|
The country or region. |
name
|
Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). |
deskName
|
Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). |
floorName
|
Floor name, number or a combination of the two for a building. (e.g. "1-A"). |
regionLatitude
|
Deprecated: use region_coordinates. |
regionLongitude
|
Deprecated: use region_coordinates. |
regionCoordinates
|
Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. |
LatLng
| JSON representation |
|---|
{ "latitude" : number , "longitude" : number } |
| Fields | |
|---|---|
latitude
|
The latitude in degrees. It must be in the range [-90.0, +90.0]. |
longitude
|
The longitude in degrees. It must be in the range [-180.0, +180.0]. |
IntRange
| JSON representation |
|---|
{ "rangeStart" : integer , "rangeEnd" : integer } |
| Fields | |
|---|---|
rangeStart
|
|
rangeEnd
|
|
IpAndPorts
| JSON representation |
|---|
{ "ipAddress" : string , "ports" : [ integer ] } |
| Fields | |
|---|---|
ipAddress
|
A base64-encoded string. |
ports[]
|
|
DomainAndPorts
| JSON representation |
|---|
{ "domain" : string , "ports" : [ integer ] } |
| Fields | |
|---|---|
domain
|
|
ports[]
|
|
Interval
| JSON representation |
|---|
{ "startTime" : string , "endTime" : string } |
| Fields | |
|---|---|
startTime
|
Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
endTime
|
Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Link
| JSON representation |
|---|
{ "text" : string , "url" : string } |
| Fields | |
|---|---|
text
|
|
url
|
|
ThreatCollectionItem
| JSON representation |
|---|
{
"id"
:
string
,
"type"
:
enum (
|
| Fields | |
|---|---|
id
|
The ID of the threat collection. |
type
|
The type of threat collection (e.g., "campaign"). |
altNames[]
|
The name of the threat collection. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
