MCP Tools Reference: chronicle.googleapis.com

Tool: `get_connector_event`

Retrieves a specific connector event associated with a case alert in Chronicle SIEM.

Provides detailed information about a single connector event, including its raw data.

Workflow Integration:

Used to drill down into a specific connector event from a list of events within a case alert.
Enables other systems to get the current state of a connector event before taking action.

Use Cases:

An analyst clicks on a connector event in the SOAR UI to view its full details.
An automated playbook fetches a connector event to extract specific indicators of compromise (IoCs).

Important Note:

The connector_event_id , case_id , and case_alert_id arguments should be the integer IDs of the respective entities.
If you have a non-integer identifier (e.g., a GUID or event identifier), use list_connector_events to get the integer IDs first.
Then use get_connector_event with the integer IDs.

Example Usage:

get_connector_event(projectId='123', region='us', customerId='abc', caseId='456', case_alert_id='789', connectorEventId='101112')
get_connector_event(projectId='123', region='us', customerId='abc', caseId='456', case_alert_id='789', connectorEventId='101112', expandEventJsonData=true)

Next Steps (using MCP-enabled tools):

Use 'list_connector_events' to see other connector events in the same case alert.
Suggest enabling 'expandEventJsonData' to get the full event details.

The following sample demonstrate how to use curl to invoke the get_connector_event MCP tool.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "get_connector_event", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } '

Curl Request

  
curl  
--location  
 'https://chronicle.googleapis.com/mcp' 
  
 \ 
--header  
 'content-type: application/json' 
  
 \ 
--header  
 'accept: application/json, text/event-stream' 
  
 \ 
--data  
 '{ 
 "method": "tools/call", 
 "params": { 
 "name": "get_connector_event", 
 "arguments": { 
 // provide these details according to the tool' 
s  
MCP  
specification  
 } 
  
 } 
,  
 "jsonrpc" 
:  
 "2.0" 
,  
 "id" 
:  
 1 
 } 
 '

Input Schema

Request message for GetConnectorEvent.

GetConnectorEventRequest

JSON representation
{ "projectId" : string , "customerId" : string , "region" : string , "caseId" : string , "caseAlertId" : string , "connectorEventId" : string , "expandEventJsonData" : boolean }

Fields
`projectId`	`string` Required. Google Cloud project ID.
`customerId`	`string` Required. Chronicle customer ID.
`region`	`string` Required. Chronicle region (e.g., "us", "europe").
`caseId`	`string` The integer Case ID of the connector event to retrieve.
`caseAlertId`	`string` The integer Case Alert ID of the connector event to retrieve.
`connectorEventId`	`string` The integer ID of the connector event to retrieve.
`expandEventJsonData`	`boolean` Whether to expand the eventJsonData field. Defaults to `false` .

Output Schema

This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. ConnectorEvent - Chronicle Connector Event. Types of ConnectorEvents: general, case-spesific

ConnectorEvent

JSON representation

JSON representation
{ "name" : string , "createTime" : string , "updateTime" : string , "alertIdentifier" : string , "environment" : string , "eventIdentifier" : string , "alertGroupIdentifier" : string , "mappedEventJson" : string , "eventJsonData" : { object ( `RawEventData` ) } , "caseId" : string , "id" : string }

 { 
 "name" 
 : 
 string 
 , 
 "createTime" 
 : 
 string 
 , 
 "updateTime" 
 : 
 string 
 , 
 "alertIdentifier" 
 : 
 string 
 , 
 "environment" 
 : 
 string 
 , 
 "eventIdentifier" 
 : 
 string 
 , 
 "alertGroupIdentifier" 
 : 
 string 
 , 
 "mappedEventJson" 
 : 
 string 
 , 
 "eventJsonData" 
 : 
 { 
 object (  RawEventData 
 
) 
 } 
 , 
 "caseId" 
 : 
 string 
 , 
 "id" 
 : 
 string 
 }

Fields
`name`	`string` Identifier. The resource name of the ConnectorEvent. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}/connectorEvents/{connector_event}
`createTime`	`string ( int64 format)` Output only. The create_time of the ConnectorEvent.
`updateTime`	`string ( int64 format)` Output only. The update_time of the ConnectorEvent.
`alertIdentifier`	`string` Output only. The alert_identifier of the ConnectorEvent.
`environment`	`string` Output only. The environment of the ConnectorEvent.
`eventIdentifier`	`string` Output only. The event_identifier of the ConnectorEvent.
`alertGroupIdentifier`	`string` Output only. The alert_group_identifier of the ConnectorEvent.
`mappedEventJson`	`string` Output only. The mapped_event_json of the ConnectorEvent.
`eventJsonData`	`object ( RawEventData )` Output only. The raw_event of the ConnectorEvent.
`caseId`	`string ( int64 format)` Output only. The case_id of the ConnectorEvent.
`id`	`string ( int64 format)` Output only. The id of the ConnectorEvent.

RawEventData

JSON representation
{ "rawEvent" : string }

Fields

Fields
`rawEvent`	`string` Output only. The raw event of the ConnectorEvent.

rawEvent

string

Output only. The raw event of the ConnectorEvent.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌

MCP Tools Reference: chronicle.googleapis.com Stay organized with collections Save and categorize content based on your preferences.

Tool: get_connector_event