Tool: validate_rule
Validate YARA-L 2.0 rule text syntax and compilation in Chronicle SIEM.
Verifies the syntax and compilation of a YARA-L 2.0 detection rule without creating or deploying it. This tool checks for syntax errors, compilation issues, and other problems that would prevent the rule from functioning correctly when deployed.
Workflow Integration:
- Essential validation step during rule development before creating or updating rules.
- Use to catch syntax errors and compilation issues early in the development process.
- Helps ensure rule quality and reduces deployment failures in production environments.
- Can be integrated into CI/CD pipelines for automated rule validation.

Use Cases:
- Validate new YARA-L rule syntax before attempting to create the rule in Chronicle.
- Check existing rule modifications for syntax errors before deployment.
- Troubleshoot rule compilation issues during development or debugging.
- Verify rule syntax as part of automated testing or quality assurance processes.
- Validate rule text copied from external sources or documentation.

Agent Responsibilities:
- Provide the complete YARA-L rule text to be validated.
- Parse the JSON response to check the 'success' field and examine any messages in 'compilationDiagnostics'.

Args:
- rule_text (str): Complete YARA-L 2.0 rule definition to validate. This should include the rule's meta, events, and condition sections.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).

Returns:
str: Raw JSON response from the API. This will typically include:
- success (bool): Whether the rule text was successfully validated.
- compilationDiagnostics (list): List of objects containing 'message', 'severity', and 'position' for any errors or warnings.

Example Usage:

```python
# Validate a simple detection rule
rule_text = '''
rule test_process_launch {
  meta:
    description = "Test rule for process launches"
    author = "Security Team"
    severity = "Low"
    yara_version = "YL2.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""

  condition:
    $e
}
'''
validate_rule(
    rule_text=rule_text,
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)
```

Next Steps (using MCP-enabled tools):
- If validation succeeds, use 'test_rule' to test the rule against historical data.
- If validation fails, review the messages in 'compilationDiagnostics' and fix the syntax errors in the rule_text.
- Once validated and tested, use 'create_rule' to deploy the rule to Chronicle.
- Use 'list_rule_errors' after deployment to monitor for runtime issues.
The following sample demonstrates how to use curl to invoke the validate_rule MCP tool.

Curl Request

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "validate_rule",
      "arguments": {
        // provide these details according to the MCP specification of the tool
      }
    }
  }'
```

The body above is a template, not a sendable request: JSON does not allow comments, so replace the comment line with the tool's arguments (see the Input Schema below). The sample also omits authentication; requests to chronicle.googleapis.com must carry a valid OAuth bearer token in an authorization header.
Input Schema
Request message for VerifyRuleText.
VerifyRuleTextRequest

| JSON representation |
|---|
| { "projectId": string, "customerId": string, "region": string, "rule": string } |

| Fields | |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| rule | The rule text to verify. |
Output Schema
Response message for VerifyRuleText method.
VerifyRuleTextResponse

| JSON representation |
|---|
| { "success": boolean, "compilationDiagnostics": [ { object (CompilationDiagnostic) } ] } |

| Fields | |
|---|---|
| success | Whether or not the rule text was successfully verified. |
| compilationDiagnostics[] | A list of the rule's compilation diagnostic messages, such as compilation errors and compilation warnings. |
CompilationDiagnostic

| JSON representation |
|---|
| { "message": string, "position": { object (CompilationPosition) }, "severity": enum (Severity), "uri": string } |

| Fields | |
|---|---|
| message | Output only. The diagnostic message. |
| position | Output only. The approximate position in the rule text associated with the compilation diagnostic. CompilationPosition may be empty. |
| severity | Output only. The severity of the rule's compilation diagnostic. |
| uri | Output only. Link to documentation that describes the diagnostic in more detail. |
CompilationPosition

| JSON representation |
|---|
| { "startLine": integer, "startColumn": integer, "endLine": integer, "endColumn": integer } |

| Fields | |
|---|---|
| startLine | Output only. Start line number, beginning at 1. |
| startColumn | Output only. Start column number, beginning at 1. |
| endLine | Output only. End line number, beginning at 1. |
| endColumn | Output only. End column number, beginning at 1. |
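The Next Steps above tell the agent to check 'success' and read 'compilationDiagnostics', and the curl sample shows the JSON-RPC shape of the call. The following Python is an added example, not code from the Chronicle documentation or from the MCP server: it builds the tools/call body for validate_rule and turns a VerifyRuleTextResponse into a CI-style pass/fail decision, handling the documented edge case that 'position' may be empty. Assumptions are labelled: the tool's arguments use the Input Schema field names (projectId, customerId, region, rule) rather than the snake_case names of the Python wrapper in the Args list; the tool's result text is the VerifyRuleTextResponse JSON; the severity values "ERROR" and "WARNING" are assumed spellings. Sending the request and unwrapping the MCP result envelope are left out because that envelope is not described on this page; the sample responses are constructed, not captured from Chronicle.

```python
"""Request builder and response gate for the validate_rule MCP tool.

Added example; not code from the Chronicle documentation or the MCP server.
Assumptions (labelled): the tool arguments use the Input Schema names
(projectId, customerId, region, rule); the tool result text is the
VerifyRuleTextResponse JSON; severity spellings "ERROR"/"WARNING" are assumed
and compared case-insensitively.
"""
import json

# Endpoint from the curl sample on this page; sending is out of scope here
# because the MCP result envelope is not documented on this page.
MCP_URL = "https://chronicle.googleapis.com/mcp"


def build_validate_request(rule_text, project_id, customer_id, region, request_id=1):
    """JSON-RPC 2.0 tools/call body for validate_rule, shaped like the curl sample."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "validate_rule",
            "arguments": {  # assumed: Input Schema (VerifyRuleTextRequest) field names
                "projectId": project_id,
                "customerId": customer_id,
                "region": region,
                "rule": rule_text,
            },
        },
    }


def format_position(position):
    """Render a CompilationPosition (1-based line/column). It may be empty or absent."""
    if not position:
        return "(no position)"
    return "{}:{}-{}:{}".format(
        position.get("startLine", "?"), position.get("startColumn", "?"),
        position.get("endLine", "?"), position.get("endColumn", "?"),
    )


def evaluate_validation(raw_json):
    """Parse VerifyRuleTextResponse text into (deployable, report_lines).

    deployable is True only when success is true and no diagnostic has
    severity ERROR. Warnings are reported but do not block, so a CI gate can
    surface them without failing the build.
    """
    resp = json.loads(raw_json)
    report = []
    has_error = False
    for diag in resp.get("compilationDiagnostics") or []:
        severity = str(diag.get("severity", "")).upper() or "UNKNOWN"
        if severity == "ERROR":
            has_error = True
        entry = "[{}] {}: {}".format(
            severity, format_position(diag.get("position")), diag.get("message", ""))
        if diag.get("uri"):
            entry += " (see {})".format(diag["uri"])
        report.append(entry)
    deployable = bool(resp.get("success")) and not has_error
    return deployable, report


# Constructed sample responses (not captured from Chronicle) for an offline run.
SAMPLE_FAIL = json.dumps({
    "success": False,
    "compilationDiagnostics": [{
        "message": "undefined variable $x",
        "severity": "ERROR",
        "position": {"startLine": 3, "startColumn": 5, "endLine": 3, "endColumn": 9},
    }],
})
SAMPLE_WARN = json.dumps({
    "success": True,
    "compilationDiagnostics": [
        {"message": "event variable $e is never used in the condition", "severity": "WARNING"},
    ],
})

if __name__ == "__main__":
    for name, sample in (("fail", SAMPLE_FAIL), ("warn", SAMPLE_WARN)):
        ok, report = evaluate_validation(sample)
        print(name, "deployable" if ok else "blocked")
        for entry in report:
            print("  " + entry)
```

The gate keys on severity rather than on 'success' alone so that a warning-only result still passes while the warning text is kept in the build log; if your pipeline should treat warnings as failures, change the ERROR comparison to cover WARNING as well.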
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌

