MCP Tools Reference: chronicle.googleapis.com

Tool: list_rules

List security detection rules configured in Chronicle SIEM, with support for pagination and filtering.

Retrieves the definitions of detection rules currently active or configured within the Chronicle SIEM instance.

Workflow Integration:
- Useful for understanding the detection capabilities currently deployed in the SIEM.
- Can help identify the specific rule that generated a SIEM alert (obtained via SIEM alert tools or from case management/SOAR system details).
- Provides context for rule tuning, development, or understanding alert logic.

Use Cases:
- Review the logic or scope of a specific detection rule identified from an alert.
- Audit the set of active detection rules within the SIEM.
- Understand which rules might be relevant to a particular threat scenario or TTP.
- Filter rules based on reference lists, data tables, or display name.

Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- page_size (int): Maximum number of rules to return. Defaults to 100. Max is 1000.
- page_token (str | None): Page token for pagination.
- filter (str | None): An optional filter string to apply to the list of rules. Supported filters (using the "has" operator, e.g., 'display_name:"foo"'):
  - 'reference_lists:"{full_resource_name}"'
  - 'data_tables:"{full_resource_name}"'
  - 'display_name:"{display_name}"'
  Note: For 'reference_lists' and 'data_tables', you must provide the full resource name, e.g., 'projects/my-project/locations/us/instances/my-customer/dataTables/my_table'.

Returns: Dict[str, Any]: Raw response from the Chronicle API, typically containing a list of rule objects with their definitions and metadata. Returns an error structure if the API call fails.

Example Usage:

    # List rules with a display name containing "suspicious"
    list_rules(
        project_id="my-project",
        customer_id="my-customer",
        region="us",
        filter='display_name:"suspicious"'
    )

    # List rules using a specific data table by its full resource name
    list_rules(
        project_id="my-project",
        customer_id="my-customer",
        region="us",
        filter='data_tables:"projects/my-project/locations/us/instances/my-customer/dataTables/my_table"'
    )
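
The following Python is an added example, not code from the page or from the Chronicle project. It builds the JSON-RPC 2.0 "tools/call" body for list_rules using the documented argument names, enforces the documented page_size ceiling before anything is sent, builds a data_tables filter from the full resource name the tool requires, and walks nextPageToken until the API omits it. The transport is abstracted as a `send` callable that returns the tool's ListRulesResponse as a dict (an assumption: how the JSON-RPC reply is unwrapped is left to the caller), and `fake_send` with its two constructed pages stands in for the real endpoint so the example runs offline.

```python
import json
from typing import Any, Callable, Dict, Iterator, List, Optional

MCP_ENDPOINT = "https://chronicle.googleapis.com/mcp"
PAGE_SIZE_MAX = 1000  # documented maximum for page_size


def build_list_rules_request(project_id: str, customer_id: str, region: str,
                             page_size: int = 100, page_token: Optional[str] = None,
                             rule_filter: Optional[str] = None,
                             request_id: int = 1) -> Dict[str, Any]:
    """Build the JSON-RPC 2.0 'tools/call' body for list_rules.

    Argument names follow the tool's documented Args; page_size is validated
    client-side so an out-of-range request never leaves the host."""
    if not 1 <= page_size <= PAGE_SIZE_MAX:
        raise ValueError(f"page_size must be between 1 and {PAGE_SIZE_MAX}")
    arguments: Dict[str, Any] = {
        "project_id": project_id,
        "customer_id": customer_id,
        "region": region,
        "page_size": page_size,
    }
    if page_token:
        arguments["page_token"] = page_token
    if rule_filter:
        arguments["filter"] = rule_filter
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "list_rules", "arguments": arguments},
    }


def data_table_filter(project_id: str, region: str, customer_id: str, table_id: str) -> str:
    """Build the data_tables filter with the full resource name the tool requires."""
    name = (f"projects/{project_id}/locations/{region}/instances/{customer_id}"
            f"/dataTables/{table_id}")
    return f'data_tables:"{name}"'


def iter_rules(send: Callable[[Dict[str, Any]], Dict[str, Any]],
               **kwargs: Any) -> Iterator[Dict[str, Any]]:
    """Yield every Rule, following nextPageToken until the API omits it.

    `send` posts one JSON-RPC body and returns the ListRulesResponse dict
    (assumption: unwrapping the JSON-RPC reply is the transport's job)."""
    token: Optional[str] = None
    request_id = 1
    while True:
        body = build_list_rules_request(page_token=token, request_id=request_id, **kwargs)
        response = send(body)
        yield from response.get("rules", [])
        token = response.get("nextPageToken")
        if not token:
            return
        request_id += 1


# Constructed stand-in for the Chronicle API: two pages of made-up rules.
_FAKE_PAGES: Dict[Optional[str], Dict[str, Any]] = {
    None: {"rules": [{"name": "projects/my-project/locations/us/instances/my-customer/rules/ru_a",
                      "displayName": "suspicious_login"}],
           "nextPageToken": "page-2"},
    "page-2": {"rules": [{"name": "projects/my-project/locations/us/instances/my-customer/rules/ru_b",
                          "displayName": "suspicious_powershell"}]},
}


def fake_send(body: Dict[str, Any]) -> Dict[str, Any]:
    """Offline transport: serves _FAKE_PAGES keyed by the page_token sent."""
    assert body["method"] == "tools/call" and body["params"]["name"] == "list_rules"
    return _FAKE_PAGES[body["params"]["arguments"].get("page_token")]


def list_all_display_names(send: Callable[[Dict[str, Any]], Dict[str, Any]] = fake_send) -> List[str]:
    """Collect display names across all pages for a display_name filter."""
    return [r["displayName"] for r in iter_rules(
        send, project_id="my-project", customer_id="my-customer", region="us",
        rule_filter='display_name:"suspicious"')]


if __name__ == "__main__":
    table_filter = data_table_filter("my-project", "us", "my-customer", "my_table")
    print(json.dumps(build_list_rules_request("my-project", "my-customer", "us",
                                              rule_filter=table_filter), indent=2))
    print(list_all_display_names())
```

Swapping `fake_send` for a function that POSTs `json.dumps(body)` to MCP_ENDPOINT with the headers shown in the curl sample on this page is the only change needed to run it against a live instance; keep the page_size check, since the server rejects values above the documented maximum anyway.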

Next Steps (using MCP-enabled tools):
- Analyze the rule definition (e.g., the YARA-L code) to understand its trigger conditions.
- Correlate rule details with specific alerts retrieved from the SIEM or case management system.
- Use insights for rule optimization, false positive analysis, or developing related detections.
- Document relevant rule information in associated cases using a case management tool.
- Use 'get_rule' to fetch the full details of a specific rule.

The following sample demonstrates how to use curl to invoke the list_rules MCP tool.

Curl Request

    curl --location 'https://chronicle.googleapis.com/mcp' \
      --header 'content-type: application/json' \
      --header 'accept: application/json, text/event-stream' \
      --data '{
        "method": "tools/call",
        "params": {
          "name": "list_rules",
          "arguments": {
            // provide these details according to the tool's MCP specification
          }
        },
        "jsonrpc": "2.0",
        "id": 1
      }'

Input Schema

Request message for ListRules.

ListRulesRequest

JSON representation
    {
      "projectId": string,
      "customerId": string,
      "region": string,
      "pageSize": integer,
      "pageToken": string,
      "filter": string
    }
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

pageSize

integer

The maximum number of rules to return.

pageToken

string

A page token, received from a previous ListRules call.

filter

string

A filter string to apply to the list of rules.

Output Schema

Response message for ListRules method.

ListRulesResponse

JSON representation
    {
      "rules": [
        {
          object (Rule)
        }
      ],
      "nextPageToken": string
    }
Fields
rules[]

object ( Rule )

The rules from the specified instance.

nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Rule

JSON representation
    {
      "name": string,
      "revisionId": string,
      "displayName": string,
      "text": string,
      "author": string,
      "severity": {
        object (Severity)
      },
      "metadata": {
        string: string,
        ...
      },
      "createTime": string,
      "revisionCreateTime": string,
      "compilationState": enum (CompilationState),
      "type": enum (RuleType),
      "referenceLists": [
        string
      ],
      "allowedRunFrequencies": [
        enum (RunFrequency)
      ],
      "etag": string,
      "scope": string,
      "compilationDiagnostics": [
        {
          object (CompilationDiagnostic)
        }
      ],
      "nearRealTimeLiveRuleEligible": boolean,
      "dataTables": [
        string
      ],
      "inputsUsed": {
        object (InputsUsed)
      },
      "ruleOwner": enum (RuleOwner),
      "tags": [
        string
      ],
      "alertingEnabled": boolean,
      "liveModeEnabled": boolean,
      "archived": boolean,
      "runFrequency": enum (RunFrequency),
      "currentDayDetectionCount": integer,
      "executionState": enum (ExecutionState)
    }
Fields
name

string

Identifier. Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}

revisionId

string

Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view.

displayName

string

Output only. Display name of the rule. Populated in BASIC view and FULL view.

text

string

The YARA-L content of the rule. Populated in FULL view.

author

string

Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.

severity

object ( Severity )

Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view.

metadata

map (key: string, value: string)

Output only. Additional metadata specified in the meta section of text. Populated in FULL view.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

createTime

string ( Timestamp format)

Output only. The timestamp of when the rule was created. Populated in FULL view.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

revisionCreateTime

string ( Timestamp format)

Output only. The timestamp of when the rule revision was created. Populated in FULL and REVISION_METADATA_ONLY views.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

compilationState

enum ( CompilationState )

Output only. The current compilation state of the rule. Populated in FULL view.

type

enum ( RuleType )

Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view.

referenceLists[]

string

Output only. Resource names of the reference lists used in this rule. Populated in FULL view.

allowedRunFrequencies[]

enum ( RunFrequency )

Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.

etag

string

The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.

scope

string

Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}.

compilationDiagnostics[]

object ( CompilationDiagnostic )

Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view.

nearRealTimeLiveRuleEligible

boolean

Output only. Indicates whether the rule can run as a near-real-time live rule. If true, the rule uses near-real-time live mode when the run frequency is set to LIVE.

dataTables[]

string

Output only. Resource names of the data tables used in this rule.

inputsUsed

object ( InputsUsed )

Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true.

ruleOwner

enum ( RuleOwner )

Output only. The rule owner (i.e., whether the rule is customer or Google-authored).

tags[]

string

Output only. Resource names of the tags used in this rule. Example: [ "projects/{project}/locations/{location}/instances/{instance}/tags/google.mitre.TA000", "projects/{project}/locations/{location}/instances/{instance}/tags/google.CloudThreats" ]

alertingEnabled

boolean

Output only. Alerting status for the rule.

liveModeEnabled

boolean

Output only. Live Status for the rule.

archived

boolean

Output only. The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated.

runFrequency

enum ( RunFrequency )

Output only. The chosen run frequencies for the rule.

currentDayDetectionCount

integer

Output only. The number of matched events for the current day in UTC time.

executionState

enum ( ExecutionState )

Output only. The execution state of the rule.
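
The following Python is an added example, not code from the page or from the Chronicle project. It shows what a detection-coverage audit over the Rule objects returned by list_rules looks like: rules that are archived or have alerting disabled produce no alerts however good their logic is, a rule with compilation diagnostics is not running the logic its author intended, and an untagged rule is invisible to any tag-based coverage mapping. For each diagnostic it also resolves the CompilationPosition (1-based lines and columns, as documented) back to the fragment of YARA-L text it points at; treating endColumn as inclusive is an assumption, since the page does not say. SAMPLE_RULES, its rule text, tags and the diagnostic are constructed for the example and are not real data.

```python
from typing import Any, Dict, List

# Constructed sample data in the shape of the Rule object documented above.
# Resource names, rule text, tags and the diagnostic are made up for this example.
INSTANCE = "projects/my-project/locations/us/instances/my-customer"
SAMPLE_TEXT = (
    "rule example_rule {\n"
    "  meta:\n"
    "    author = \"soc\"\n"
    "    severity = \"HIGH\"\n"
    "  events:\n"
    "    $e.metadata.event_type = \"USER_LOGIN\"\n"
    "  condition:\n"
    "    $e\n"
    "}\n"
)
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"name": f"{INSTANCE}/rules/ru_healthy", "displayName": "healthy_rule", "text": SAMPLE_TEXT,
     "archived": False, "alertingEnabled": True, "compilationDiagnostics": [],
     "tags": [f"{INSTANCE}/tags/google.mitre.TA000"]},
    {"name": f"{INSTANCE}/rules/ru_broken", "displayName": "broken_rule", "text": SAMPLE_TEXT,
     "archived": False, "alertingEnabled": True, "tags": [],
     "compilationDiagnostics": [{
         "message": "constructed sample diagnostic",
         "severity": "ERROR",  # constructed sample value, see the Severity enum docs
         "position": {"startLine": 6, "startColumn": 5, "endLine": 6, "endColumn": 26}}]},
    {"name": f"{INSTANCE}/rules/ru_archived", "displayName": "archived_rule", "text": SAMPLE_TEXT,
     "archived": True, "alertingEnabled": False, "compilationDiagnostics": [], "tags": []},
    {"name": f"{INSTANCE}/rules/ru_silent", "displayName": "silent_rule", "text": SAMPLE_TEXT,
     "archived": False, "alertingEnabled": False, "compilationDiagnostics": [],
     "tags": [f"{INSTANCE}/tags/google.CloudThreats"]},
]


def diagnostic_snippet(text: str, pos: Dict[str, int]) -> str:
    """Return the rule-text fragment a CompilationPosition points at.

    Lines and columns are 1-based as documented. endColumn is treated as
    inclusive here; that is an assumption, the page does not specify it.
    An empty position (documented as possible) yields an empty string."""
    if not pos:
        return ""
    lines = text.splitlines()
    start_line = pos.get("startLine", 1)
    end_line = pos.get("endLine", start_line)
    pieces = []
    for ln in range(start_line, end_line + 1):
        if ln < 1 or ln > len(lines):
            break
        line = lines[ln - 1]
        lo = pos.get("startColumn", 1) - 1 if ln == start_line else 0
        hi = pos.get("endColumn") if (ln == end_line and pos.get("endColumn")) else len(line)
        pieces.append(line[lo:hi])
    return "\n".join(pieces)


def audit_rules(rules: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Flag rules that do not contribute to detection coverage as returned."""
    findings: List[Dict[str, str]] = []

    def add(rule: Dict[str, Any], issue: str, detail: str = "") -> None:
        findings.append({"rule": rule.get("displayName") or rule.get("name", "?"),
                         "issue": issue, "detail": detail})

    for rule in rules:
        if rule.get("archived"):
            add(rule, "archived")  # alerting is documented as forced off when archived
            continue
        if not rule.get("alertingEnabled"):
            add(rule, "alerting disabled")
        for diag in rule.get("compilationDiagnostics", []):
            snippet = diagnostic_snippet(rule.get("text", ""), diag.get("position", {}))
            add(rule, f"compilation diagnostic ({diag.get('severity', '?')})",
                f"{diag.get('message', '')} at: {snippet}")
        if not rule.get("tags"):
            add(rule, "no tags")
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['rule']}: {f['issue']} {f['detail']}".rstrip())
```

Feed `audit_rules` the concatenated `rules` arrays from every page of a ListRulesResponse; since `text` and `compilationDiagnostics` are documented as populated only in FULL view, a listing that omits them will simply produce no diagnostic findings rather than false ones.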

Severity

JSON representation
    {
      "displayName": string
    }
Fields
displayName

string

The display name of the severity level. Extracted from the meta section of the rule text.

MetadataEntry

JSON representation
    {
      "key": string,
      "value": string
    }
Fields
key

string

value

string

Timestamp

JSON representation
    {
      "seconds": string,
      "nanos": integer
    }
Fields
seconds

string ( int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.
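
The following Python is an added example, not code from the page or from the Chronicle project. It converts between the Timestamp object above and the RFC 3339 strings that createTime and revisionCreateTime carry: formatting enforces the documented seconds and nanos ranges and emits exactly 0, 3, 6 or 9 fractional digits, Z-normalized, as the API's output does; parsing accepts either "Z" or a numeric offset and normalizes to UTC seconds since the Unix epoch. The regular expression and the helper names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Documented bounds for the seconds field.
SECONDS_MIN = -62135596800   # 0001-01-01T00:00:00Z
SECONDS_MAX = 253402300799   # 9999-12-31T23:59:59Z
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$")


def _fraction(nanos: int) -> str:
    """Render nanos with 0, 3, 6 or 9 digits, matching the API's output rule."""
    if nanos == 0:
        return ""
    if nanos % 1_000_000 == 0:
        return f".{nanos // 1_000_000:03d}"
    if nanos % 1_000 == 0:
        return f".{nanos // 1_000:06d}"
    return f".{nanos:09d}"


def timestamp_to_rfc3339(seconds: int, nanos: int = 0) -> str:
    """Format a Timestamp {seconds, nanos} as a Z-normalized RFC 3339 string."""
    if not SECONDS_MIN <= seconds <= SECONDS_MAX:
        raise ValueError("seconds is outside the documented range")
    if not 0 <= nanos <= 999_999_999:
        raise ValueError("nanos must be between 0 and 999,999,999")
    t = _EPOCH + timedelta(seconds=seconds)
    # Built by hand rather than strftime so years below 1000 are zero-padded.
    return (f"{t.year:04d}-{t.month:02d}-{t.day:02d}T"
            f"{t.hour:02d}:{t.minute:02d}:{t.second:02d}{_fraction(nanos)}Z")


def rfc3339_to_timestamp(text: str) -> Tuple[int, int]:
    """Parse RFC 3339 with 'Z' or a numeric offset into (seconds, nanos) in UTC."""
    m = _RFC3339.match(text)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    y, mo, d, h, mi, s, frac, tz = m.groups()
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    # Interpret the wall-clock fields as given, then subtract the offset to reach UTC.
    wall = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    seconds = int((wall - offset - _EPOCH).total_seconds())
    nanos = int(frac.ljust(9, "0")) if frac else 0
    return seconds, nanos


if __name__ == "__main__":
    print(timestamp_to_rfc3339(1412262083, 45123456))
    print(rfc3339_to_timestamp("2014-10-02T15:01:23+05:30"))
```

Normalizing every timestamp to UTC seconds before comparing revisionCreateTime across rules avoids the off-by-offset mistakes that come from comparing the strings directly.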

CompilationDiagnostic

JSON representation
    {
      "message": string,
      "position": {
        object (CompilationPosition)
      },
      "severity": enum (Severity),
      "uri": string
    }
Fields
message

string

Output only. The diagnostic message.

position

object ( CompilationPosition )

Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty.

severity

enum ( Severity )

Output only. The severity of a rule's compilation diagnostic.

uri

string

Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

JSON representation
    {
      "startLine": integer,
      "startColumn": integer,
      "endLine": integer,
      "endColumn": integer
    }
Fields
startLine

integer

Output only. Start line number, beginning at 1.

startColumn

integer

Output only. Start column number, beginning at 1.

endLine

integer

Output only. End line number, beginning at 1.

endColumn

integer

Output only. End column number, beginning at 1.

InputsUsed

JSON representation
    {
      "usesUdm": boolean,
      "usesEntity": boolean,
      "usesDetection": boolean
    }
Fields
usesUdm

boolean

Optional. Whether the rule queries UDM events.

usesEntity

boolean

Optional. Whether the rule queries entity events.

usesDetection

boolean

Optional. Whether the rule queries detections.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
