Tool: translate_udm_query
Translates a natural language question or statement into a Chronicle UDM search query.
Use this tool to convert a human-readable search description into the UDM query syntax required by the udm_search tool. This tool calls the Chronicle API AiService.TranslateUDMQuery.
Agent Responsibilities:
- Provide the natural language text to be translated in the 'text' argument.
- Parse the raw JSON response.
- Extract the UDM query string from the 'query' field.
- Extract any suggested time range from the 'time_range' field (which contains 'startTime' and 'endTime').
- Check the 'message' field for any warnings or errors from the translation service.
Example Usage:
- translate_udm_query(text="Show me all network traffic from IP 192.0.2.10 last Tuesday", projectId="my-project", customerId="my-customer", region="us")
- translate_udm_query(text="Find events for user 'testuser'", projectId="my-project", customerId="my-customer", region="us")
Next Steps (using MCP-enabled tools):
- Use the output 'query' and 'time_range' as inputs to the udm_search tool to execute the search.
- If the 'query' is null or the 'message' indicates issues, refine the natural language 'text' and try again.
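As an added example (not the page's or the tool's own code), the Python below builds the JSON-RPC 'tools/call' body shown in the curl sample and parses a TranslateUDMQueryResponse the way the agent responsibilities describe: extract 'query', read 'startTime'/'endTime' from the time range, and treat a null query or a 'message' as the signal to refine the text. The sample responses, the UDM query string in them, and the fallback to a snake_case 'time_range' key are assumptions.

```python
import json

# MCP endpoint named on the page; the request body mirrors the curl sample.
MCP_URL = "https://chronicle.googleapis.com/mcp"


def build_translate_request(text, project_id, customer_id, region, request_id=1):
    """Build the JSON-RPC 2.0 'tools/call' body for translate_udm_query."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "translate_udm_query",
            "arguments": {
                "text": text,
                "projectId": project_id,
                "customerId": customer_id,
                "region": region,
            },
        },
    }


def parse_translate_response(raw):
    """Extract query, time range and message from a TranslateUDMQueryResponse.

    Accepts the camelCase 'timeRange' of the JSON representation as well as
    the snake_case 'time_range' used in the tool description (assumption).
    'ok' is False when no query came back: refine the text and retry.
    """
    data = json.loads(raw) if isinstance(raw, str) else raw
    query = data.get("query")
    rng = data.get("timeRange") or data.get("time_range") or {}
    return {
        "ok": bool(query),
        "query": query,
        "start": rng.get("startTime"),  # inclusive, RFC 3339
        "end": rng.get("endTime"),      # exclusive, RFC 3339
        "message": data.get("message"),
    }


# Constructed sample responses for offline use; not real API output.
SUCCESS_RESPONSE = json.dumps({
    "query": 'principal.ip = "192.0.2.10"',
    "timeRange": {"startTime": "2024-05-07T00:00:00Z",
                  "endTime": "2024-05-08T00:00:00Z"},
})
FAILURE_RESPONSE = json.dumps({"query": None, "message": "Translation failed."})
```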
The following sample demonstrates how to use curl to invoke the translate_udm_query MCP tool. The arguments shown are the ones from the Example Usage section above; supply your own values according to the tool's MCP specification.

Curl Request

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "translate_udm_query",
      "arguments": {
        "text": "Show me all network traffic from IP 192.0.2.10 last Tuesday",
        "projectId": "my-project",
        "customerId": "my-customer",
        "region": "us"
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
Input Schema

Request message for TranslateUDMQuery.

TranslateUDMQueryRequest

JSON representation:

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "text": string
}
```

| Field | Description |
|---|---|
| projectId | Google Cloud project ID. Defaults to environment configuration. |
| customerId | Chronicle customer ID. Defaults to environment configuration. |
| region | Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. |
| text | Natural language description of the events you want to find. |
Output Schema

Response message for TranslateUDMQuery.

TranslateUDMQueryResponse

JSON representation:

```
{
  "query": string,
  "timeRange": {
    object (Interval)
  },
  "message": string
}
```

| Field | Description |
|---|---|
| query | Translated UDM Search query (if successful). |
| timeRange | Optional. Translated time range (if the user specified a time range). |
| message | Optional. Message to be shown to the user, e.g. if the translation was unsuccessful or if confidence is low. |
Interval

JSON representation:

```
{
  "startTime": string,
  "endTime": string
}
```

| Field | Description |
|---|---|
| startTime | Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| endTime | Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Timestamp

JSON representation:

```
{
  "seconds": string,
  "nanos": integer
}
```

| Field | Description |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Tool Annotations

| Destructive Hint | Idempotent Hint | Read Only Hint | Open World Hint |
|---|---|---|---|
| ❌ | ✅ | ✅ | ❌ |