Tool: update_case_alert
Updates an existing case alert in Google SecOps.
This function modifies the priority
, status
, or closure_details
of a specific alert within a case.
Workflow Integration:- A core function for managing the lifecycle of an alert, used in both manual and automated workflows. - Integrates with UI actions for changing an alert's priority, status (e.g., open, closed), or closing it with details. - Essential for automated playbooks that need to programmatically update an alert's state, such as escalating priority based on new findings or closing an alert after remediation. - Can be used to synchronize alert status and details with external ticketing or project management systems.
Use Cases:- A playbook automatically updates an alert's status
to 'CLOSE' and sets closure_details
with a reason of 'NOT_MALICIOUS' after automated analysis. - An analyst manually changes the priority
of an alert to 'HIGH' based on their assessment. - An analyst updates the status
to 'OPEN' to indicate they are actively investigating. - A SOC manager updates the closure_details
for a set of related alerts after a breach investigation is complete.
Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). case_id (str): The numeric ID of the parent case containing the alert (e.g., '12345'). case_alert_id (str): The numeric ID of the alert to update (e.g., '12345'). Do NOT use the alert title or identifier string. priority (google.cloud.chronicle.v1alpha.LegacyCasePriority, optional): The new priority for the alert. Possible values are: - UNCHANGED - INFORMATIVE - LOW - MEDIUM - HIGH - CRITICAL status (google.cloud.chronicle.v1alpha.AlertStatus, optional): The new status for the alert. Possible values are: - OPEN - CLOSE closure_details (google.cloud.chronicle.v1alpha.AlertClosureDetails, optional): The closure details object. Providing this typically accompanies setting the status to CLOSE. - reason (enum): The reason for closing the alert (required). One of: - MALICIOUS - NOT_MALICIOUS - MAINTENANCE - INCONCLUSIVE - UNKNOWN - root_cause (str): The root cause of the alert (required). - comment (str): A comment about the alert. Optional.
Returns: CaseAlert: The updated CaseAlert object with the new values. The CaseAlert object contains the following key fields: - Name
(str): The full resource name of the alert. - Id
(int): The unique identifier for the alert. - DisplayName
(str): The title or display name of the alert. - Priority
(str): The priority of the alert (e.g., "HIGH"). - Status
(str): The current status of the alert (e.g., "OPEN"). - CreateTime
(int): The creation timestamp of the alert in milliseconds. - UpdateTime
(int): The last update timestamp of the alert in milliseconds. - Product
(str): The product that generated the alert. - Vendor
(str): The vendor of the product that generated the alert. - RuleGenerator
(str): The rule that generated the alert. Returns an error message if the alert is not found, the user lacks permission, or the update is invalid.
Example Usage: # Close a case alert as 'NOT_MALICIOUS' with a comment update_case_alert( project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', status='CLOSE', closure_details={ 'reason': 'NOT_MALICIOUS', 'root_cause': 'Benign activity verified', 'comment': 'Verified benign.' } )
# Update the priority of a case alert update_case_alert( project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', priority='HIGH' )
# Re-open an alert update_case_alert( project_id='123', region='us', customer_id='abc', case_id='456', case_alert_id='789', status='OPEN' )
Next Steps (using MCP-enabled tools): - Use 'get_case_alert' with the alert's resource name to verify that the alert has been updated correctly. - Use 'create_case_comment' to add a note to the parent case explaining why the alert was changed. - Use 'list_case_alerts' to see the updated status of the alert in the context of other alerts in the case.
The following sample demonstrate how to use curl
to invoke the update_case_alert
MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "update_case_alert", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } ' |
Input Schema
Request message for UpdateCaseAlert. Next ID: 10
UpdateCaseAlertRequest
| JSON representation |
|---|
{ "projectId" : string , "customerId" : string , "region" : string , "caseId" : string , "caseAlertId" : string , // Union field |
projectId
string
Project ID of the customer.
customerId
string
Customer ID of the customer.
region
string
Region of the customer.
caseId
string
Case ID.
caseAlertId
string
Case alert ID.
Union field _priority
.
_priority
can be only one of the following:
priority
enum (
LegacyCasePriority
)
Alert Priority.
Union field _status
.
_status
can be only one of the following:
status
enum (
AlertStatus
)
Alert status. Changed this line
Union field _closure_details
.
_closure_details
can be only one of the following:
closureDetails
object (
AlertClosureDetails
)
Alert closure details.
AlertClosureDetails
| JSON representation |
|---|
{
"reason"
:
enum (
|
| Fields | |
|---|---|
reason
|
Output only. Alert closure reason. |
comment
|
Output only. Alert closure comment. |
rootCause
|
Output only. Alert closure root cause. |
closingTimeMs
|
Output only. Alert closure time in unix format as milliseconds. |
Output Schema
This service is available for customers who migrated SOAR to a customer managed project and have the Chronicle API enabled. Alerts are tied to data identified as a threat by your security systems. Investigating alerts gives you context about the alert and related entities.
CaseAlert
| JSON representation |
|---|
{ "name" : string , "identifier" : string , "caseId" : integer , "createTime" : string , "updateTime" : string , "ruleGenerator" : string , "sourceGroupingIdentifier" : string , "product" : string , "displayName" : string , "vendor" : string , "environment" : string , "ticketId" : string , "sourceSystemName" : string , "closureDetails" : { object ( |
name
string
Identifier. The unique name(ID) of the CaseAlert. Format: projects/{project}/locations/{location}/instances/{instance}/cases/{case}/caseAlerts/{case_alert}
identifier
string
Output only. Title + Guid, e.g. ACCESS DISABLED ACCOUNTS_3A0C90F9-A87E-4E94-8727-7884F686ECDA Legacy identifier of alert used across the legacy modules in the system. Char limit: 2100
caseId
integer
Output only. Case associated with the alert. Added for convenience to be used by the UI.
createTime
string ( int64
format)
Output only. The creation time of the record in milliseconds.
updateTime
string ( int64
format)
Output only. The modification time of the record in milliseconds.
ruleGenerator
string
Output only. Which rule triggered the alert on the third party. This can be any rule defined in the third party Such SIEM, Splunk, CrowdStrike. Characters limit: 250.
sourceGroupingIdentifier
string
Output only. A key on the alert that can be used to group alerts to the same case. Characters limit: 2100
product
string
Output only. The product associated with the alert. E.g. DLP, WinEventLog:Security
displayName
string
Output only. The display name of the alert. E.g. "DATA EXFILTRATION"
vendor
string
Output only. The vendor of the alert. E.g. "Microsoft". Characters limit: 2100
environment
string
Output only. The environment of the alert.
ticketId
string
Output only. Third party ticket id, can be originated from SIEM or other tools. E.g. "3a0c90f9-a87e-4e94-8727-7884f686ecda"
sourceSystemName
string
Output only. Which alerting system raises the alert. E.g. "QRadar", "Arcsight", "Microsoft CASB". The Integration Name in soar.
closureDetails
object (
AlertClosureDetails
)
Optional. Defines the close reason of an alert if any.
sla
object (
Sla
)
Optional. SLA (Service Level Agreement) for the specific alert, used also to calculate aggregate case sla.
manual
boolean
Output only. Whether the alert was created manually.
priority
enum (
LegacyCasePriority
)
Optional. Default value is HIGH.
sourceIdentifier
string
Output only. Stores the identifier of the source of the alert, could be a connector identifier etc.
additionalProperties
string
Output only. Stores additional data on specific alerts, currently used by connectors, in JSON format.
status
enum (
AlertStatus
)
Optional. Alert status. Default value is OPEN.
startTime
string ( int64
format)
Output only. When the alert was created on the third party product (SIEM, IPS, etc).
endTime
string ( int64
format)
Output only. When the alert was closed on the third party product (SIEM, IPS, etc).
involvedRelations[]
object (
InvolvedRelation
)
Output only. All involved relations for the alert. Directional connection between entities in a given alert.
siemAlertId
string
Output only. The identifier of the alert int SIEM.
sourceUrl
string
Output only. The source URL of the alert.
sourceRuleUrl
string
Output only. The source rule URL of the alert.
sourceSystemUrl
string
Output only. The source system URL.
sourceRuleIdentifier
string
Output only. The source rule identifier.
playbookStatus
enum (
WorkflowStatus
)
Output only. Alert playbook status.
attachedPlaybookName
string
Output only. The attached playbook name.
nestingDepth
integer
Output only. The nesting depth of the alert.
alertGroupIdentifier
string
Output only. The alert group identifier.
eventCount
integer
Output only. The number of events that triggered the alert.
Union field _playbook_run_count
.
_playbook_run_count
can be only one of the following:
playbookRunCount
integer
Output only. The number of times the first playbook was run on the alert.
AlertClosureDetails
| JSON representation |
|---|
{
"reason"
:
enum (
|
| Fields | |
|---|---|
reason
|
Output only. Alert closure reason. |
comment
|
Output only. Alert closure comment. |
rootCause
|
Output only. Alert closure root cause. |
closingTimeMs
|
Output only. Alert closure time in unix format as milliseconds. |
Sla
| JSON representation |
|---|
{
"expirationTime"
:
string
,
"criticalExpirationTime"
:
string
,
"expirationStatus"
:
enum (
|
| Fields | |
|---|---|
expirationTime
|
Required. SLA expiration time in unix format as milliseconds. Old prop: SlaExpiration. |
criticalExpirationTime
|
Required. SLA critical expiration time in unix format as milliseconds, old prop: SlaCriticalExpiration. |
expirationStatus
|
Output only. SLA expiration status. |
remainingTimeSinceLastPause
|
Output only. Remaining time since last pause. |
InvolvedRelation
| JSON representation |
|---|
{ "identifier" : string , "alertIdentifier" : string , "caseId" : integer , "relationType" : string , "from" : { object ( |
| Fields | |
|---|---|
identifier
|
Required. The identifier of the relation. |
alertIdentifier
|
Output only. The identifier of the alert the relation belongs to. |
caseId
|
Output only. The id of the case the relation belongs to. |
relationType
|
Output only. The type of the relation. |
from
|
Output only. The source of the relation. |
to
|
Output only. The destination of the relation. |
deviceProduct
|
Output only. The product. |
deviceVendor
|
Output only. The vendor. |
categoryOutcome
|
Output only. The category outcome. Blocked/Allowed/null. |
destinationPort
|
Output only. The destination port, if relevant |
eventClassId
|
Output only. Event display name. For example: Email Check, Data Exfiltration, IRC etc. |
startTime
|
Output only. Start time of the involved relation. |
endTime
|
Output only. End time of the involved relation. |
additionalProperties
|
Output only. Additional data, stored in JSON format. |
EntityKey
| JSON representation |
|---|
{ "identifier" : string , "type" : string } |
| Fields | |
|---|---|
identifier
|
Output only. The identifier of the entity. |
type
|
Output only. The type of the entity. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌
