MCP Tools Reference: chronicle.googleapis.com
Tool: list_case_comments
Lists all case comments for a given case in Google SecOps.
Retrieves a paginated list of all comments associated with a specific SOAR case, allowing for a comprehensive overview of the investigation history. This tool is essential for understanding the timeline of a case, reviewing actions taken, and gathering context from analyst notes.
Workflow Integration:
- Used to build a complete timeline of an investigation in a SOAR UI or report.
- Essential for generating audit trails or summaries of case activity for compliance or review.
- Enables analysts to programmatically search and filter through all comments to find relevant information, such as notes from a specific user or comments made during a certain time frame.
- Provides the necessary context for automated playbooks to make decisions based on the history of a case.

Use Cases:
- Generate a complete audit trail of all actions and notes for a specific case to understand the investigation process.
- Find a specific comment by filtering based on the user who wrote it, its content, or other metadata.
- Display a chronological history of comments on a case detail page in a custom security dashboard.
- Automate the process of reviewing cases by searching for keywords in comments.

Filtering and Ordering:
- The 'filter' parameter allows for precise searching within comments. You can filter on fields like 'user', 'comment' content, 'create_time', and more.
- The 'order_by' parameter controls the sorting of the returned comments. You can sort by fields like 'create_time' or 'update_time' in ascending or descending order.

Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- case_id (str): The numeric Case ID to list comments for (e.g., '12345'). This is a required field.
- page_size (int, optional): The maximum number of comments to return in a single response. If unspecified, the server will use a default page size. The maximum value is 1000.
- page_token (str, optional): A token for fetching a specific page of results. This is obtained from a previous call to list_case_comments.
- filter (str, optional): A filter string to apply to the list of comments. Supported fields include 'CreateTime', 'UpdateTime', 'User', 'Comment', 'DeletedByUser', 'IsFavorite', 'AlertIdentifier', and 'IsDeleted'. Example: filter="User='GUID' AND Comment='suspicious'"
- order_by (str, optional): A comma-separated list of fields to sort the results by. Add 'desc' for descending order. Supported fields are the same as for filtering. Example: "CreateTime desc"

Returns: ListCaseCommentsResponse: A response object containing a list of CaseComment objects and a next_page_token if more results are available. Each CaseComment object contains the following key fields:
- Name (str): The full resource name of the comment.
- Id (int): The unique identifier for the comment.
- Comment (str): The content of the comment.
- UserOwnerFullName (str): The full name of the user who created the comment.
- LastEditorFullName (str): The full name of the user who last edited the comment.
- CreateTime (int): The creation timestamp of the comment in milliseconds.
- UpdateTime (int): The last update timestamp of the comment in milliseconds.
- IsFavorite (bool): Indicates if the comment is marked as a favorite.
- IsDeleted (bool): Indicates if the comment has been deleted.
- AlertIdentifier (str): The identifier of the alert associated with the comment, if any.

Returns an error message if the parent case is not found or the request is invalid.
Example Usage:
# List all comments for a specific case
list_case_comments(project_id='123', region='us', customer_id='abc', case_id='456')

# List comments from a specific user, sorted by update time
list_case_comments(project_id='123', region='us', customer_id='abc', case_id='456', filter="user='user@example.com'", order_by="update_time desc")
Next Steps (using MCP-enabled tools):
- Iterate through the list of comments to extract key information or indicators.
- Use 'create_case_comment' to add a new comment to the case based on your findings.
- Use 'get_case_comment' with a comment's resource name to fetch its full details if needed.

The following sample demonstrates how to use curl to invoke the list_case_comments MCP tool.
Curl Request
# Fill in "arguments" according to the tool's MCP specification (see Input Schema).
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "list_case_comments",
      "arguments": {}
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
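Added example (not part of the Google documentation): paging through list_case_comments until nextPageToken is omitted and turning the result into a chronological audit trail that keeps soft-deleted comments. Argument and field names follow the Input and Output Schema sections; call_tool, fake_call_tool and the sample pages are constructed stand-ins for the authenticated HTTP call, and createTime is assumed to carry epoch milliseconds as the Returns section states.

```python
from datetime import datetime, timezone

def build_tools_call(arguments, request_id=1):
    """JSON-RPC body in the shape of the page's curl sample."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "list_case_comments", "arguments": arguments}}

def iter_case_comments(call_tool, base_args, page_size=1000, max_pages=200):
    """Yield every CaseComment, following nextPageToken until it is omitted."""
    args = dict(base_args, pageSize=page_size)
    for _ in range(max_pages):
        resp = call_tool(build_tools_call(args))
        yield from resp.get("caseComments", [])
        token = resp.get("nextPageToken")
        if not token:
            return  # omitted token: there are no subsequent pages
        args["pageToken"] = token
    # Fail loudly rather than hand back a silently truncated history.
    raise RuntimeError("max_pages reached; the audit trail would be incomplete")

def audit_trail(comments):
    """Chronological rows; soft-deleted comments are kept and flagged."""
    def row(c):
        ms = int(c["createTime"])  # assumption: epoch milliseconds as a string
        when = datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
        return {"time": when, "author": c.get("userOwnerFullName", ""),
                "deleted": bool(c.get("isDeleted", False)),
                "deleted_by": c.get("deletedByUser", ""),
                "comment": c.get("comment", "")}
    return [row(c) for c in sorted(comments, key=lambda c: int(c["createTime"]))]

# Constructed sample pages standing in for the server (not real case data).
PAGES = {
    None: {"nextPageToken": "tok-2", "totalSize": 3, "caseComments": [
        {"createTime": "1700000060000", "userOwnerFullName": "Analyst B",
         "comment": "Host isolated"},
        {"createTime": "1700000000000", "userOwnerFullName": "Analyst A",
         "comment": "Triage started"}]},
    "tok-2": {"totalSize": 3, "caseComments": [
        {"createTime": "1700000030000", "userOwnerFullName": "Analyst A",
         "comment": "False positive", "isDeleted": True,
         "deletedByUser": "Analyst A"}]},
}

def fake_call_tool(body):  # hypothetical transport used only for this demo
    return PAGES[body["params"]["arguments"].get("pageToken")]

def demo():
    ids = {"projectId": "123", "customerId": "abc", "region": "us", "caseId": "456"}
    return audit_trail(iter_case_comments(fake_call_tool, ids, page_size=2))
```

For real use, replace fake_call_tool with a function that POSTs the body to the MCP endpoint with your credentials and returns the decoded ListCaseCommentsResponse.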
CaseComment
JSON representation
{"name":string,"createTime":string,"updateTime":string,"user":string,"comment":string,"deletionInvoker":string,"alertIdentifier":string,"caseAttachment":{object (CaseAttachment)},"userOwnerFullName":string,"lastEditorFullName":string,"deletedByUser":string,"case":string,// Union field_is_favoritecan be only one of the following:"isFavorite":boolean// End of list of possible types for union field_is_favorite.// Union field_is_deletedcan be only one of the following:"isDeleted":boolean// End of list of possible types for union field_is_deleted.}
Last updated 2026-01-15 UTC.
Input Schema
Request message for ListCaseComments. Next ID: 9
ListCaseCommentsRequest
- projectId (string): Project ID of the customer.
- customerId (string): Customer ID of the customer.
- region (string): Region of the customer.
- caseId (string): Case ID.
- pageSize (integer): Page size.
- pageToken (string): Page token.
- filter (string): Filter.
- orderBy (string): Order by.
Output Schema
Response message for ListCaseComments.
ListCaseCommentsResponse
- caseComments[] (object (CaseComment)): The list of CaseComments.
- nextPageToken (string): A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.
- totalSize (integer): The total number of CaseComments.
CaseComment
- name (string): Output only. Identifier. The unique name (ID) of the CaseComment. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseComments/{case_comment}
- createTime (string, int64 format): Output only. The timestamp when the comment was created.
- updateTime (string, int64 format): Output only. The timestamp when the comment was last updated.
- user (string): Output only. User owner of the comment.
- comment (string): Required. The content of the comment.
- deletionInvoker (string): Output only. The user who deleted the comment.
- alertIdentifier (string): Optional. The alert associated with the comment.
- caseAttachment (object (CaseAttachment)): Optional. The attachment associated with the comment.
- userOwnerFullName (string): Output only. The user who created the comment.
- lastEditorFullName (string): Output only. The user who last edited the comment.
- deletedByUser (string): Output only. The user who deleted the comment.
- case (string, int64 format): Optional. The case associated with the comment.

Union field _is_favorite. _is_favorite can be only one of the following:
- isFavorite (boolean): Optional. Whether the comment is marked as a favorite.

Union field _is_deleted. _is_deleted can be only one of the following:
- isDeleted (boolean): Output only. Indicates if the comment has been softly deleted.
CaseAttachment
- attachmentBase64 (string): Required. Base64 encoded attachment associated with the comment (if exists).
- fileType (string): Required. The file type of the attachment (if exists).
- fileName (string): Required. The file name of the attachment (if it exists).
- fileId (string, int64 format): Output only. The file id of the attachment.
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌