Console
    Start free

    MCP Tools Reference: chronicle.googleapis.com

    Tool: generate_rules

    Generates one or more YARA-L (YL2) rules based on the provided Threat Detection Opportunity (TDO).

    Creates draft detection rules and initial metadata (name, description, MITRE ATT&CK mapping) from a structured threat description. This tool is essential for closing coverage gaps when an emerging threat is identified but not adequately detected by existing rules.

    Workflow Integration:

    • This tool is typically called AFTER generate_threat_detection_opportunity and if a subsequent coverage analysis identifies a gap.
    • The resulting rules can be validated against synthetic UDM events if provided in the request.
    • Generated rules are intended to be reviewed by a detection engineer before deployment.

    Use Cases:

    • Generate a new YARA-L rule for a provided Threat Detection Opportunity (TDO).
    • Create detection logic for a specific TTP (Tactics, Techniques, and Procedures) identified in threat intelligence.

    Example: Rule: rule suspicious_powershell_execution { meta: description = "Detects suspicious powershell execution with encoded command line arguments" mitre_attack_tactic = "Execution" mitre_attack_technique = "Command and Scripting Interpreter: PowerShell" events: $e.metadata.event_type = "PROCESS_LAUNCH" $e.target.process.command_line = /powershell.*(-e|-enc|-encodedcommand).*/i condition: $e }

    Example Usage:

    • generate_rules(projectId='my-project', customerId='my-customer', region='us', threatDetectionOpportunity=my_tdo)

    The following sample demonstrate how to use curl to invoke the generate_rules MCP tool.

    Curl Request 
      
curl  
--location  
 'https://chronicle.googleapis.com/mcp' 
  
 \ 
--header  
 'content-type: application/json' 
  
 \ 
--header  
 'accept: application/json, text/event-stream' 
  
 \ 
--data  
 '{ 
 "method": "tools/call", 
 "params": { 
 "name": "generate_rules", 
 "arguments": { 
 // provide these details according to the tool' 
s  
MCP  
specification  
 } 
  
 } 
,  
 "jsonrpc" 
:  
 "2.0" 
,  
 "id" 
:  
 1 
 } 
 '

    Input Schema

    Request message for GenerateRulesRequest.

    GenerateRulesRequest

    JSON representation 
     { 
 "projectId" 
 : 
 string 
 , 
 "customerId" 
 : 
 string 
 , 
 "region" 
 : 
 string 
 , 
 // Union field rule_gen_source 
can be only one of the following: 
 "threatDetectionOpportunity" 
 : 
 { 
 object (  ThreatDetectionOpportunity 
 
) 
 } 
 // End of list of possible types for union field rule_gen_source 
. 
 }
    Fields
    projectId

    string

    Required. Google Cloud project ID.

    customerId

    string

    Required. Chronicle customer ID.

    region

    string

    Required. Chronicle region (e.g., "us", "europe").

    Union field rule_gen_source . The originating artifacts that should be used to generate a rule. rule_gen_source can be only one of the following:
    threatDetectionOpportunity

    object ( ThreatDetectionOpportunity )

    The structured threat description (TDO) used as the basis for rule generation.

    ThreatDetectionOpportunity

    JSON representation 
     { 
 "summary" 
 : 
 string 
 , 
 "mitreInfo" 
 : 
 { 
 object (  MitreInfo 
 
) 
 } 
 , 
 "supportingEvidence" 
 : 
 [ 
 string 
 ] 
 , 
 "observables" 
 : 
 { 
 object (  ObservableCollection 
 
) 
 } 
 , 
 "logTypes" 
 : 
 [ 
 string 
 ] 
 }
    Fields
    summary

    string

    Concise, one sentence summary.
    mitreInfo

    object ( MitreInfo )

    MITRE ATT&CK details for the Threat Detection Opportunity.
    supportingEvidence[]

    string

    Free-form text of supporting evidence for the Threat Detection Opportunity extracted from the threat.
    observables

    object ( ObservableCollection )

    Detection opportunity observables - hostnames, IP's, etc.
    logTypes[]

    string

    Resource names of log types associated with the Threat Detection Opportunity.

    MitreInfo

    JSON representation 
     { 
 "tactics" 
 : 
 [ 
 string 
 ] 
 , 
 "techniques" 
 : 
 [ 
 string 
 ] 
 , 
 "platform" 
 : 
 string 
 , 
 "procedure" 
 : 
 string 
 , 
 "detectionStrategy" 
 : 
 string 
 }
    Fields
    tactics[]

    string

    Optional. MITRE ATT&CK tactics.
    techniques[]

    string

    Optional. MITRE ATT&CK techniques.
    platform

    string

    Platform the technique is associated with.
    procedure

    string

    MITRE ATT&CK procedure.
    detectionStrategy

    string

    Detection strategy for the Threat Detection Opportunity.

    ObservableCollection

    JSON representation 
     { 
 "atomics" 
 : 
 { 
 object (  AtomicIndicatorCollection 
 
) 
 } 
 , 
 "procedures" 
 : 
 { 
 object (  ProcedureCollection 
 
) 
 } 
 }
    Fields
    atomics

    object ( AtomicIndicatorCollection )

    Context-free IOCs.
    procedures

    object ( ProcedureCollection )

    Context-dependent tactics, techniques, and procedures.

    AtomicIndicatorCollection

    JSON representation 
     { 
 "hashes" 
 : 
 [ 
 string 
 ] 
 , 
 "domains" 
 : 
 [ 
 string 
 ] 
 , 
 "urls" 
 : 
 [ 
 string 
 ] 
 , 
 "ipAddresses" 
 : 
 [ 
 string 
 ] 
 , 
 "emails" 
 : 
 [ 
 string 
 ] 
 , 
 "ports" 
 : 
 [ 
 integer 
 ] 
 }
    Fields
    hashes[]

    string

    File hashes associated with the threat.
    domains[]

    string

    Domains associated with the threat.
    urls[]

    string

    URLs associated with the threat.
    ipAddresses[]

    string

    IP addresses associated with the threat.
    emails[]

    string

    Email addresses associated with the threat.
    ports[]

    integer

    Ports associated with the threat.

    ProcedureCollection

    JSON representation 
     { 
 "files" 
 : 
 [ 
 string 
 ] 
 , 
 "registryKeys" 
 : 
 [ 
 string 
 ] 
 , 
 "processes" 
 : 
 [ 
 string 
 ] 
 , 
 "parentProcesses" 
 : 
 [ 
 string 
 ] 
 , 
 "userAccounts" 
 : 
 [ 
 string 
 ] 
 }
    Fields
    files[]

    string

    Files associated with the threat.
    registryKeys[]

    string

    Registry keys associated with the threat.
    processes[]

    string

    Processes associated with the threat.
    parentProcesses[]

    string

    Parent process names associated with the threat.
    userAccounts[]

    string

    User accounts associated with the threat.

    Output Schema

    Response message for GenerateRulesRequest.

    GenerateRulesResponse

    JSON representation 
     { 
 "generatedRules" 
 : 
 [ 
 { 
 object (  GeneratedRule 
 
) 
 } 
 ] 
 }
    Fields
    generatedRules[]

    object ( GeneratedRule )

    The generated Rules.

    GeneratedRule

    JSON representation 
     { 
 "ruleText" 
 : 
 string 
 , 
 "feedbackId" 
 : 
 string 
 }
    Fields
    ruleText

    string

    The core rule text for the generated Rule.
    feedbackId

    string

    The UUID of the feedback report.

    Tool Annotations

    Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: