Console
    Start free

    MCP Tools Reference: chronicle.googleapis.com

    Tool: list_case_comments

    Lists all case comments for a given case in Google SecOps.

    Retrieves a paginated list of all comments associated with a specific SOAR case, allowing for a comprehensive overview of the investigation history. This tool is essential for understanding the timeline of a case, reviewing actions taken, and gathering context from analyst notes.

    Workflow Integration:

    • Used to build a complete timeline of an investigation in a SOAR UI or report.
    • Essential for generating audit trails or summaries of case activity for compliance or review.
    • Enables analysts to programmatically search and filter through all comments to find relevant information, such as notes from a specific user or comments made during a certain time frame.
    • Provides the necessary context for automated playbooks to make decisions based on the history of a case.

    Use Cases:

    • Generate a complete audit trail of all actions and notes for a specific case to understand the investigation process.
    • Find a specific comment by filtering based on the user who wrote it, its content, or other metadata.
    • Display a chronological history of comments on a case detail page in a custom security dashboard.
    • Automate the process of reviewing cases by searching for keywords in comments.

    Filtering and Ordering:

    • The 'filter' parameter allows for precise searching within comments. You can filter on fields like 'user', 'comment' content, 'create_time', and more.
    • The 'order_by' parameter controls the sorting of the returned comments. You can sort by fields like 'create_time' or 'update_time' in ascending or descending order.

    Example Usage:

    • list_case_comments(projectId='123', region='us', customerId='abc', caseId='456')
    • list_case_comments(projectId='123', region='us', customerId='abc', caseId='456', filter="user='user@example.com'", orderBy="update_time desc")

    Next Steps (using MCP-enabled tools):

    • Iterate through the list of comments to extract key information or indicators.
    • Use 'create_case_comment' to add a new comment to the case based on your findings.
    • Use 'get_case_comment' with a comment's resource name to fetch its full details if needed.

    The following sample demonstrate how to use curl to invoke the list_case_comments MCP tool.

    Curl Request 
      
curl  
--location  
 'https://chronicle.googleapis.com/mcp' 
  
 \ 
--header  
 'content-type: application/json' 
  
 \ 
--header  
 'accept: application/json, text/event-stream' 
  
 \ 
--data  
 '{ 
 "method": "tools/call", 
 "params": { 
 "name": "list_case_comments", 
 "arguments": { 
 // provide these details according to the tool' 
s  
MCP  
specification  
 } 
  
 } 
,  
 "jsonrpc" 
:  
 "2.0" 
,  
 "id" 
:  
 1 
 } 
 '

    Input Schema

    Request message for ListCaseComments. Next ID: 9

    ListCaseCommentsRequest

    JSON representation 
     { 
 "projectId" 
 : 
 string 
 , 
 "customerId" 
 : 
 string 
 , 
 "region" 
 : 
 string 
 , 
 "caseId" 
 : 
 string 
 , 
 "pageSize" 
 : 
 integer 
 , 
 "pageToken" 
 : 
 string 
 , 
 "filter" 
 : 
 string 
 , 
 "orderBy" 
 : 
 string 
 }
    Fields
    projectId

    string

    Required. Google Cloud project ID.
    customerId

    string

    Required. Chronicle customer ID.
    region

    string

    Required. Chronicle region (e.g., "us", "europe").
    caseId

    string

    Required. The numeric Case ID to list comments for (e.g., 12345 ).
    pageSize

    integer

    The maximum number of comments to return in a single response. If unspecified, the server will use a default page size. The maximum value is 1000.
    pageToken

    string

    A token for fetching a specific page of results. This is obtained from a previous call to list_case_comments.
    filter

    string

    A filter string to apply to the list of comments. Supported fields include 'CreateTime', 'UpdateTime', 'User', 'Comment', 'DeletedByUser', 'IsFavorite', 'AlertIdentifier', and 'IsDeleted'. Example: filter="User='GUID' AND Comment='suspicious'"
    orderBy

    string

    A comma-separated list of fields to sort the results by. Add 'desc' for descending order. Supported fields are the same as for filtering. Example: "CreateTime desc"

    Output Schema

    Response message for ListCaseComments.

    ListCaseCommentsResponse

    JSON representation 
     { 
 "caseComments" 
 : 
 [ 
 { 
 object (  CaseComment 
 
) 
 } 
 ] 
 , 
 "nextPageToken" 
 : 
 string 
 , 
 "totalSize" 
 : 
 integer 
 }
    Fields
    caseComments[]

    object ( CaseComment )

    The list of CaseComments.
    nextPageToken

    string

    A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.
    totalSize

    integer

    The total number of CaseComments.

    CaseComment

    JSON representation 
     { 
 "name" 
 : 
 string 
 , 
 "createTime" 
 : 
 string 
 , 
 "updateTime" 
 : 
 string 
 , 
 "user" 
 : 
 string 
 , 
 "comment" 
 : 
 string 
 , 
 "deletionInvoker" 
 : 
 string 
 , 
 "alertIdentifier" 
 : 
 string 
 , 
 "caseAttachment" 
 : 
 { 
 object (  CaseAttachment 
 
) 
 } 
 , 
 "userOwnerFullName" 
 : 
 string 
 , 
 "lastEditorFullName" 
 : 
 string 
 , 
 "deletedByUser" 
 : 
 string 
 , 
 "case" 
 : 
 string 
 , 
 // Union field _is_favorite 
can be only one of the following: 
 "isFavorite" 
 : 
 boolean 
 // End of list of possible types for union field _is_favorite 
. 
 // Union field _is_deleted 
can be only one of the following: 
 "isDeleted" 
 : 
 boolean 
 // End of list of possible types for union field _is_deleted 
. 
 }
    Fields
    name

    string

    Output only. Identifier. The unique name(ID) of the CaseComment. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseComments/{case_comment}

    createTime

    string ( int64 format)

    Output only. The timestamp when the comment was created.

    updateTime

    string ( int64 format)

    Output only. The timestamp when the comment was last updated.

    user

    string

    Output only. User owner of the comment.

    comment

    string

    Required. The content of the comment.

    deletionInvoker

    string

    Output only. The user who deleted the comment.

    alertIdentifier

    string

    Optional. The alert associated with the comment.

    caseAttachment

    object ( CaseAttachment )

    Optional. The attachment associated with the comment.

    userOwnerFullName

    string

    Output only. The user who created the comment.

    lastEditorFullName

    string

    Output only. The user who last edited the comment.

    deletedByUser

    string

    Output only. The user who deleted the comment.

    case

    string ( int64 format)

    Optional. The case associated with the comment.

    Union field _is_favorite .

    _is_favorite can be only one of the following:

    isFavorite

    boolean

    Optional. Whether the comment is marked as a favorite.

    Union field _is_deleted .

    _is_deleted can be only one of the following:

    isDeleted

    boolean

    Output only. Indicates if the comment has been softly deleted.

    CaseAttachment

    JSON representation 
     { 
 "attachmentBase64" 
 : 
 string 
 , 
 "fileType" 
 : 
 string 
 , 
 "fileName" 
 : 
 string 
 , 
 "fileId" 
 : 
 string 
 }
    Fields
    attachmentBase64

    string

    Required. Base64 encoded attachment associated with the comment (if exists).
    fileType

    string

    Required. The file type of the attachment (if exists).
    fileName

    string

    Required. The file name of the attachment (if it exists).
    fileId

    string ( int64 format)

    Output only. The file id of the attachment.

    Tool Annotations

    Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: