Tool: list_rule_errors
Lists execution errors for a specific Chronicle SIEM rule.
Helps in troubleshooting rules that might not be generating detections as expected or are failing during execution.
Agent Responsibilities:- Parse the JSON response to extract the list from the ruleExecutionErrors
key. - Handle the nextPageToken
for pagination if more results exist.
Workflow Integration:- Rule Troubleshooting:If a rule is not producing expected detections or alerts, check for execution errors. - Rule Development:After deploying a new or modified rule, check for errors to ensure it's syntactically correct and running properly. - SIEM Health Monitoring:Periodically check for rules with high error counts to maintain SIEM operational health.
Use Cases:- Investigate why a specific rule (e.g., "ru_...") has not generated any detections. - Check for errors after modifying and saving a YARA-L rule. - Get details of compilation or runtime errors for a given rule version.
Args: rule_id (str): Unique ID of the rule to list errors for. Examples: "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (latest version), "ru _xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890 " (specific version), "ru _xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@- " (all versions). project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). page_size (Optional[int]): The maximum number of errors to return. Defaults to 1000. page_token (Optional[str]): A page token received from a previous call.
Returns: str: Raw JSON response from the API, containing a list of 'ruleExecutionErrors' and potentially a 'nextPageToken'. The agent must parse this response.
Example Usage: # List errors for the latest version of a rule list_rule_errors( rule_id="ru_12345678-1234-1234-1234-1234567890ab", project_id="my-project", customer_id="my-customer", region="us" )
# List errors for a specific rule revision
list_rule_errors(
rule_id="ru_12345678-1234-1234-1234-1234567890ab@v_abcdef_123456",
project_id="my-project",
customer_id="my-customer",
region="us",
page_size=10
)
# List errors for all revisions of a rule
list_rule_errors(
rule_id="ru_12345678-1234-1234-1234-1234567890ab@-",
project_id="my-project",
customer_id="my-customer",
region="us"
)
Next Steps (using MCP-enabled tools): - Review Rule Code:If errors are found, retrieve the rule definition using get_rule
with the specific rule_id and revision. - Validate Rule Syntax:Use validate_rule
to check for syntax issues in the rule text. - Modify Rule:Correct the rule based on error messages and update it using create_rule
(as there's no update function). - Re-test:Use test_rule
to verify the fix.
The following sample demonstrate how to use curl
to invoke the list_rule_errors
MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "list_rule_errors", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } ' |
Input Schema
Request message for ListRuleExecutionErrors.
ListRuleExecutionErrorsRequest
| JSON representation |
|---|
{ "projectId" : string , "customerId" : string , "region" : string , "ruleId" : string , "pageSize" : integer , "pageToken" : string } |
| Fields | |
|---|---|
projectId
|
Project ID of the customer. |
customerId
|
Customer ID of the customer. |
region
|
Region of the customer. |
ruleId
|
Rule ID of the rule execution errors to list. |
pageSize
|
The maximum number of rule execution errors to return. The service may return fewer than this value. If unspecified, at most 1000 rule execution errors will be returned. The maximum value is 10000; values above 10000 will be coerced to 10000. |
pageToken
|
A page token, received from a previous When paginating, all other parameters provided to |
Output Schema
Response message for ListRuleExecutionErrors.
ListRuleExecutionErrorsResponse
| JSON representation |
|---|
{
"ruleExecutionErrors"
:
[
{
object (
|
| Fields | |
|---|---|
ruleExecutionErrors[]
|
List of rule execution errors. |
nextPageToken
|
A token, which can be sent as |
RuleExecutionError
| JSON representation |
|---|
{ "name" : string , "error" : { object ( |
name
string
Output only. The resource name of the rule execution error. Format: projects/{project}/locations/{location}/instances/{instance}/ruleExecutionErrors/{rule_execution_error}
error
object (
Status
)
Output only. The error status corresponding with the rule execution error.
timeRange
object (
Interval
)
Output only. The event time range that the rule execution error corresponds with.
source
. The resource name of the source that generated the rule execution error. source
can be only one of the following:rule
string
Output only. The resource name of the rule that generated the rule execution error.
curatedRule
string
Output only. The resource name of the curated rule that generated the rule execution error.
Status
| JSON representation |
|---|
{ "code" : integer , "message" : string , "details" : [ { "@type" : string , field1 : ... , ... } ] } |
| Fields | |
|---|---|
code
|
The status code, which should be an enum value of |
message
|
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the |
details[]
|
A list of messages that carry the error details. There is a common set of message types for APIs to use. An object containing fields of an arbitrary type. An additional field |
Any
| JSON representation |
|---|
{ "typeUrl" : string , "value" : string } |
typeUrl
string
A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration
). The name should be in a canonical form (e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http
, https
, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:
- If no scheme is provided,
httpsis assumed. - An HTTP GET on the URL must yield a
google.protobuf.Typevalue in binary format, or produce an error. - Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)
Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one.
Schemes other than http
, https
(or the empty scheme) might be used with implementation specific semantics.
value
string ( bytes
format)
Must be a valid serialized protocol buffer of the above specified type.
A base64-encoded string.
Interval
| JSON representation |
|---|
{ "startTime" : string , "endTime" : string } |
| Fields | |
|---|---|
startTime
|
Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
endTime
|
Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Timestamp
| JSON representation |
|---|
{ "seconds" : string , "nanos" : integer } |
| Fields | |
|---|---|
seconds
|
Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
nanos
|
Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
