# Chronicle SecOps MCP Server
This is an MCP (Model Context Protocol) server for interacting with Google's
Chronicle Security Operations suite.
[MCP Info](https://modelcontextprotocol.io/introduction)
## Features
### Security Tools
- **`search_security_events(text, project_id=None, customer_id=None, hours_back=24, max_events=100, region=None)`**
  - Searches for security events in Chronicle using natural language. Translates the natural language query (`text`) into a UDM query and executes it.
- **`get_security_alerts(project_id=None, customer_id=None, hours_back=24, max_alerts=10, status_filter='feedback_summary.status != "CLOSED"', region=None)`**
  - Retrieves security alerts from Chronicle, filtered by time range and status. The default `status_filter` excludes alerts that have already been closed.
- **`lookup_entity(entity_value, project_id=None, customer_id=None, hours_back=24, region=None)`**
  - Looks up an entity (IP, domain, hash, etc.) in Chronicle.
- **`list_security_rules(project_id=None, customer_id=None, region=None)`**
  - Lists security detection rules from Chronicle.
- **`search_security_rules(query, project_id=None, customer_id=None, region=None)`**
  - Searches security detection rules in Chronicle using a regular expression (`query`).
- **`get_ioc_matches(project_id=None, customer_id=None, hours_back=24, max_matches=20, region=None)`**
  - Retrieves Indicator of Compromise (IoC) matches from Chronicle within the specified time range.
- **`get_threat_intel(query, project_id=None, customer_id=None, region=None)`**
  - Answers general security domain questions and specific threat intelligence questions using Chronicle's AI capabilities.
### Log Ingestion Tools
- **`ingest_raw_log(log_type, log_message, project_id=None, customer_id=None, region=None, forwarder_id=None, labels=None, log_entry_time=None, collection_time=None)`**
  - Ingests raw logs directly into Chronicle SIEM. Supports various formats (JSON, XML, CEF, etc.) and batch ingestion.
- **`ingest_udm_events(udm_events, project_id=None, customer_id=None, region=None)`**
  - Ingests events already formatted in Chronicle's Unified Data Model (UDM), bypassing the parsing stage.
- **`get_available_log_types(project_id=None, customer_id=None, region=None, search_term=None)`**
  - Gets the log types Chronicle supports for ingestion, optionally filtered by `search_term`.
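To make "already formatted in UDM" concrete, here is an added example (mine, not code from the google-secops-mcp project or its `example.py`) that turns constructed OpenSSH `sshd` syslog lines into the event dictionaries a caller would hand to `ingest_udm_events(udm_events, ...)`. The UDM field names used (`metadata.event_type`, `principal.ip`, `target.user.userid`, `security_result.action`, and so on) follow the public Chronicle UDM schema; that the tool accepts a list of such dicts, the year supplied for year-less syslog timestamps, and the sample lines themselves are assumptions of the example, not something this page documents.

```python
"""Turn constructed sshd syslog lines into Chronicle UDM event dicts.

Added example, not part of google-secops-mcp. Assumptions: UDM field names
as in the public Chronicle UDM schema; ingest_udm_events() takes a list of
these dicts; syslog lines carry no year or time zone, so the caller supplies
the year and UTC is assumed.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines (not real data). The last one is not an
# authentication event and is deliberately left for raw-log ingestion.
SAMPLE_SSHD_LINES = [
    "Mar  3 10:15:01 bastion sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:q1w2e3",
    "Mar  3 10:15:07 bastion sshd[2219]: Failed password for invalid user root from 203.0.113.7 port 40022 ssh2",
    "Mar  3 10:15:09 bastion sshd[2219]: Connection closed by 203.0.113.7 port 40022 [preauth]",
]

SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def syslog_to_rfc3339(ts: str, year: int) -> str:
    """UDM wants RFC 3339 with a zone; syslog has neither year nor zone."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")


def sshd_line_to_udm(line: str, year: int = 2025) -> Optional[dict]:
    """Return a UDM USER_LOGIN event for an sshd auth line, or None."""
    m = SSHD_AUTH_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    accepted = g["outcome"] == "Accepted"
    return {
        "metadata": {
            "event_timestamp": syslog_to_rfc3339(g["ts"], year),
            "event_type": "USER_LOGIN",
            "vendor_name": "OpenBSD",
            "product_name": "OpenSSH",
            "product_event_type": f"sshd {g['outcome']} {g['method']}",
        },
        # principal = who initiated the login; target = what was logged into.
        "principal": {"ip": [g["ip"]], "port": int(g["port"])},
        "target": {
            "hostname": g["host"],
            "user": {"userid": g["user"]},
            "process": {"pid": g["pid"]},
        },
        "extensions": {"auth": {"type": "MACHINE"}},
        "security_result": [{
            "action": ["ALLOW" if accepted else "BLOCK"],
            "summary": line.split("]: ", 1)[1],
        }],
    }


def build_udm_batch(lines, year: int = 2025):
    """Split lines into (udm_events, unparsed_lines).

    udm_events is what you would pass to ingest_udm_events(); unparsed_lines
    should go through ingest_raw_log() instead of being dropped.
    """
    events, unparsed = [], []
    for line in lines:
        event = sshd_line_to_udm(line, year)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    import json
    events, unparsed = build_udm_batch(SAMPLE_SSHD_LINES)
    print(json.dumps(events, indent=2))
    print("left for raw ingestion:", unparsed)
```

Lines the regex does not recognise are returned separately rather than silently dropped; they belong in `ingest_raw_log` with a matching `log_type`, where Chronicle's own parser handles them. The timestamp handling is the part worth copying: UDM timestamps need an explicit zone, syslog provides neither year nor zone, and a wrong guess here shifts events out of the `hours_back` window that `search_security_events` and `get_security_alerts` query.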
### Parser Management Tools
- **`create_parser(log_type, parser_code, project_id=None, customer_id=None, region=None, validated_on_empty_logs=True)`**
  - Create a custom parser for a specific log type to transform raw logs into Chronicle's UDM format.
- **`get_parser(log_type, parser_id, project_id=None, customer_id=None, region=None)`**
  - Get details of a specific parser including its configuration and metadata.
- **`activate_parser(log_type, parser_id, project_id=None, customer_id=None, region=None)`**
  - Activate a parser, making it the active parser for the specified log type.
- **`deactivate_parser(log_type, parser_id, project_id=None, customer_id=None, region=None)`**
  - Deactivate a parser, stopping it from processing incoming logs of the specified type.
- **`run_parser_against_sample_logs(log_type, parser_code, sample_logs, project_id=None, customer_id=None, region=None, parser_extension_code=None, statedump_allowed=False)`**
  - Test parser configuration against sample log entries to validate parsing logic before deployment.
### Data Table Management Tools
- **`create_data_table(name, description, header, project_id=None, customer_id=None, region=None, rows=None)`**
  - Create a structured data table that can be referenced in detection rules. Supports multiple column types (STRING, CIDR, INT64, BOOL).
- **`add_rows_to_data_table(table_name, rows, project_id=None, customer_id=None, region=None)`**
  - Add new rows to an existing data table, expanding the dataset available for detection rules.
- **`list_data_table_rows(table_name, project_id=None, customer_id=None, region=None, max_rows=50)`**
  - List rows in a data table to review contents and verify data integrity.
- **`delete_data_table_rows(table_name, row_ids, project_id=None, customer_id=None, region=None)`**
  - Delete specific rows from a data table based on their row IDs.
### Reference List Management Tools
- **`create_reference_list(name, description, entries, project_id=None, customer_id=None, region=None, syntax_type="STRING")`**
  - Create a reference list containing values that can be referenced in detection rules. Supports STRING, CIDR, and REGEX syntax types.
- **`get_reference_list(name, project_id=None, customer_id=None, region=None, include_entries=True)`**
  - Get details and contents of a reference list including metadata and entries.
- **`update_reference_list(name, project_id=None, customer_id=None, region=None, entries=None, description=None)`**
  - Update the contents or description of an existing reference list.
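Data tables and reference lists are typed, and it is cheaper to catch a malformed CIDR or an unsupported regex construct locally than to learn about it from an API error after the model has already composed the call. The following added example (mine, not the project's code) validates the payloads for both the data table tools above (`create_data_table` / `add_rows_to_data_table`, column types STRING, CIDR, INT64, BOOL) and the reference list tools (`create_reference_list` / `update_reference_list`, syntax types STRING, CIDR, REGEX) before they are sent. The header shape `{column_name: TYPE}`, rows as lists of strings, and the sample inventory data are assumptions of the example; this page does not document the tools' exact schemas. The RE2 check reflects that YARA-L regular expressions use RE2 syntax, which has no lookaround or backreferences even though Python's `re` accepts them.

```python
"""Pre-flight validation for reference-list entries and data-table rows.

Added example, not part of google-secops-mcp. Header/row shapes and the
sample data are assumptions; the API's own validation is not described here.
"""
import ipaddress
import re

REF_LIST_TYPES = {"STRING", "CIDR", "REGEX"}
DATA_TABLE_TYPES = {"STRING", "CIDR", "INT64", "BOOL"}

# Constructs RE2 (YARA-L's regex engine) rejects but Python's re accepts:
# lookahead/lookbehind and numbered backreferences.
_NON_RE2 = re.compile(r"\(\?<?[=!]|\\[1-9]")


def _check_value(value: str, col_type: str):
    """Return an error string if value is not a valid col_type, else None."""
    if col_type == "STRING":
        return None
    if col_type == "CIDR":
        try:
            # strict=True flags host bits set (10.0.1.0/16), almost always a typo;
            # a bare address is accepted as a /32 (or /128).
            ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            return f"invalid CIDR: {exc}"
        return None
    if col_type == "REGEX":
        try:
            re.compile(value)
        except re.error as exc:
            return f"invalid regex: {exc}"
        if _NON_RE2.search(value):
            return "regex uses lookaround or backreference (not RE2)"
        return None
    if col_type == "INT64":
        try:
            n = int(value)
        except ValueError:
            return "not an integer"
        return None if -(1 << 63) <= n < (1 << 63) else "outside int64 range"
    if col_type == "BOOL":
        return None if value.lower() in ("true", "false") else "not true/false"
    return f"unsupported column type {col_type!r}"


def validate_reference_list(entries, syntax_type: str = "STRING"):
    """Return (clean_entries, errors); blanks dropped, duplicates reported."""
    if syntax_type not in REF_LIST_TYPES:
        raise ValueError(f"syntax_type must be one of {sorted(REF_LIST_TYPES)}")
    clean, errors, seen = [], [], set()
    for idx, raw in enumerate(entries):
        value = raw.strip()
        if not value:
            continue
        if value in seen:
            errors.append(f"entry {idx}: duplicate {value!r}")
            continue
        err = _check_value(value, syntax_type)
        if err:
            errors.append(f"entry {idx}: {err}: {value!r}")
            continue
        seen.add(value)
        clean.append(value)
    return clean, errors


def validate_data_table_rows(header: dict, rows):
    """header: ordered {column_name: TYPE}; rows: lists of strings per column."""
    bad = {t for t in header.values() if t not in DATA_TABLE_TYPES}
    if bad:
        raise ValueError(f"unsupported column types: {sorted(bad)}")
    clean, errors = [], []
    for r, row in enumerate(rows):
        if len(row) != len(header):
            errors.append(f"row {r}: expected {len(header)} columns, got {len(row)}")
            continue
        row_errors = []
        for (col, col_type), value in zip(header.items(), row):
            err = _check_value(str(value).strip(), col_type)
            if err:
                row_errors.append(f"{col}: {err}: {value!r}")
        if row_errors:
            errors.append(f"row {r}: " + "; ".join(row_errors))
        else:
            clean.append([str(v).strip() for v in row])
    return clean, errors


# Constructed sample payloads (not real inventory or threat data).
SAMPLE_HEADER = {"hostname": "STRING", "subnet": "CIDR", "criticality": "INT64", "is_dmz": "BOOL"}
SAMPLE_ROWS = [
    ["db-prod-01", "10.10.0.0/24", "5", "false"],
    ["web-dmz-02", "192.0.2.0/28", "3", "TRUE"],
    ["bad-cidr", "10.0.0.0/33", "2", "true"],
    ["bad-bool", "10.20.0.0/16", "1", "maybe"],
    ["short-row", "10.30.0.0/16"],
]
SAMPLE_CIDRS = ["10.0.0.0/8", "  10.0.0.0/8", "not-a-cidr", "203.0.113.5", ""]
SAMPLE_REGEXES = [r"^.*\.evil\.example$", r"(?<=foo)bar", r"(unclosed"]

if __name__ == "__main__":
    print(validate_data_table_rows(SAMPLE_HEADER, SAMPLE_ROWS))
    print(validate_reference_list(SAMPLE_CIDRS, "CIDR"))
    print(validate_reference_list(SAMPLE_REGEXES, "REGEX"))
```

Only the `clean` half of each result should be passed to the tool; the `errors` half is what to show the analyst (or feed back to the model) so the rejected entries get fixed rather than quietly dropped.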
### API Capabilities
The MCP server provides the following capabilities:
1. **Search Security Events**: Search for security events in Chronicle
2. **Get Security Alerts**: Retrieve security alerts
3. **Lookup Entity**: Look up entity information (IP, domain, hash, etc.)
4. **List Security Rules**: List detection rules
5. **Search Security Rules**: Search detection rules using regex
6. **Get IoC Matches**: Get Indicators of Compromise matches
7. **Get Threat Intel**: Get AI-powered threat intelligence answers
8. **Log Ingestion**: Ingest raw logs and UDM events
9. **Parser Management**: Create, manage, and test log parsers
10. **Data Table Management**: Create and manage structured data tables for detection rules
11. **Reference List Management**: Create and manage reference lists for detection rules
### Example
See `example.py` for a complete example of using the MCP server.
## Tool Categories and Use Cases
### Security Operations Tools
These tools focus on core security operations tasks:
- **Event Search & Investigation**: Use `search_security_events` to find security events using natural language queries
- **Alert Management**: Use `get_security_alerts` to retrieve and monitor security alerts
- **Entity Analysis**: Use `lookup_entity` to investigate IPs, domains, hashes, and other indicators
- **Rule Management**: Use `list_security_rules` and `search_security_rules` to manage detection rules
- **Threat Intelligence**: Use `get_ioc_matches` and `get_threat_intel` for IOC analysis and AI-powered insights
### Data Ingestion & Parsing Tools
These tools help you get data into Chronicle:
- **Raw Log Ingestion**: Use `ingest_raw_log` for logs in their original format (JSON, XML, CEF, etc.)
- **UDM Event Ingestion**: Use `ingest_udm_events` for pre-formatted security events
- **Parser Development**: Use the parser management tools to create custom parsers for unique log formats
- **Testing**: Use `run_parser_against_sample_logs` to validate parser logic before deployment
### Context Data Management Tools
These tools help you maintain reference data for enhanced detections:
- **Data Tables**: Use for structured data with multiple columns (e.g., asset inventories with criticality ratings)
- **Reference Lists**: Use for simple lists of values (e.g., IP addresses, domains, usernames)
- **Detection Enhancement**: Both data tables and reference lists can be referenced in detection rules to make them more dynamic and maintainable
## Configuration
### MCP Server Configuration
Add the following configuration to your MCP client's settings file:
**NOTE:** For macOS users, if you used [this one-liner](https://docs.astral.sh/uv/getting-started/installation/#standalone-installer) to install uv, use the full path to the uv binary for the "command" value below, as uv will not be placed in the system path for Claude to use. For example: `/Users/yourusername/.local/bin/uv` instead of just `uv`.
#### Using uv (Recommended)
```json
{
  "mcpServers": {
    "secops": {
      "command": "uv",
      "args": [
        "--env-file=/path/to/your/env",
        "--directory",
        "/path/to/the/repo/server/secops/secops_mcp",
        "run",
        "server.py"
      ],
      "env": {
        "CHRONICLE_PROJECT_ID": "${CHRONICLE_PROJECT_ID}",
        "CHRONICLE_CUSTOMER_ID": "${CHRONICLE_CUSTOMER_ID}",
        "CHRONICLE_REGION": "${CHRONICLE_REGION}"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}
```
#### Using pip
You can also use pip instead of uv to install and run the MCP server:
```json
{
  "mcpServers": {
    "secops": {
      "command": "/bin/bash",
      "args": [
        "-c",
        "cd /path/to/the/repo/server/secops && pip install -e . && secops_mcp"
      ],
      "env": {
        "CHRONICLE_PROJECT_ID": "${CHRONICLE_PROJECT_ID}",
        "CHRONICLE_CUSTOMER_ID": "${CHRONICLE_CUSTOMER_ID}",
        "CHRONICLE_REGION": "${CHRONICLE_REGION}"
      },
      "disabled": false,
      "autoApprove": [
        "get_ioc_matches",
        "search_security_events",
        "get_security_alerts"
      ],
      "alwaysAllow": [
        "get_ioc_matches"
      ]
    }
  }
}
```
`autoApprove` and `alwaysAllow` let the client call the listed tools without prompting you each time (which of the two keys is honoured depends on the MCP client). Treat them as the least-privilege control for this server: the lists above contain only read-only tools, and the tools that change Chronicle state (`ingest_raw_log`, `ingest_udm_events`, `create_parser`, `activate_parser`, `deactivate_parser`, `create_data_table`, `add_rows_to_data_table`, `delete_data_table_rows`, `create_reference_list`, `update_reference_list`) should stay off both lists so every such call is reviewed before it runs.
#### When to use uv vs pip
- **uv**: Recommended for most users as it provides faster package installation, better dependency resolution, and supports loading environment variables from a file with the `--env-file` option.
- **pip**: Use when you prefer the standard Python package manager or when you need specific environment setup requirements.
### Environment Variable Setup
Set up these environment variables in your system:
**For macOS/Linux:**
```bash
export CHRONICLE_PROJECT_ID="your-google-cloud-project-id"
export CHRONICLE_CUSTOMER_ID="your-chronicle-customer-id"
export CHRONICLE_REGION="us"
```
**For Windows PowerShell:**
```powershell
$Env:CHRONICLE_PROJECT_ID = "your-google-cloud-project-id"
$Env:CHRONICLE_CUSTOMER_ID = "your-chronicle-customer-id"
$Env:CHRONICLE_REGION = "us"
```
The `CHRONICLE_REGION` can be one of:
- `us` - United States (default)
- `eu` - Europe
- `asia` - Asia-Pacific
## License
Apache 2.0
## Development
The project is structured as follows:
- `server.py`: Main MCP server implementation
- `example.py`: Example usage of the MCP server
## Raw data
PyPI metadata for the `google-secops-mcp` 0.2.0 release:
```json
{
  "_id": null,
  "home_page": null,
  "name": "google-secops-mcp",
  "maintainer": null,
  "docs_url": null,
  "requires_python": ">=3.11",
  "maintainer_email": null,
  "keywords": "google, security, chronicle, secops, mcp",
  "author": null,
  "author_email": "Google SecOps Team <chronicle@google.com>",
  "download_url": "https://files.pythonhosted.org/packages/77/fd/cabd46ae6e9780422c3baae12c9ed9761b6bc41dac323d5aa42fabe73c74/google_secops_mcp-0.2.0.tar.gz",
  "platform": null,
  "bugtrack_url": null,
  "license": null,
  "summary": "Google SecOps MCP server",
  "version": "0.2.0",
  "project_urls": {
    "Documentation": "https://github.com/google/mcp-security/tree/main/server/secops#readme",
    "Homepage": "https://github.com/google/mcp-security",
    "Issues": "https://github.com/google/mcp-security/issues",
    "Repository": "https://github.com/google/mcp-security/tree/main/server/secops"
  },
  "split_keywords": [
    "google",
    " security",
    " chronicle",
    " secops",
    " mcp"
  ],
  "urls": [
    {
      "comment_text": null,
      "digests": {
        "blake2b_256": "155169e924302eba0951f66f689f45c84f5d5d0bfbe990efadff0bcdb8a62849",
        "md5": "79db7be9cb3a6d9904d0789eb34ef611",
        "sha256": "eac7adaf6d2aac37e1e0fdfbc98474e22e1bd607bc8ab9a5057e2f1e6551a4e1"
      },
      "downloads": -1,
      "filename": "google_secops_mcp-0.2.0-py3-none-any.whl",
      "has_sig": false,
      "md5_digest": "79db7be9cb3a6d9904d0789eb34ef611",
      "packagetype": "bdist_wheel",
      "python_version": "py3",
      "requires_python": ">=3.11",
      "size": 5027,
      "upload_time": "2025-09-04T13:33:40",
      "upload_time_iso_8601": "2025-09-04T13:33:40.823965Z",
      "url": "https://files.pythonhosted.org/packages/15/51/69e924302eba0951f66f689f45c84f5d5d0bfbe990efadff0bcdb8a62849/google_secops_mcp-0.2.0-py3-none-any.whl",
      "yanked": false,
      "yanked_reason": null
    },
    {
      "comment_text": null,
      "digests": {
        "blake2b_256": "77fdcabd46ae6e9780422c3baae12c9ed9761b6bc41dac323d5aa42fabe73c74",
        "md5": "b40c2c887e85f837a64e0cec273e3ac8",
        "sha256": "d3575107ae09838376cb7cefb5c75c4cf9c8b826007f6a7206d9817935c11154"
      },
      "downloads": -1,
      "filename": "google_secops_mcp-0.2.0.tar.gz",
      "has_sig": false,
      "md5_digest": "b40c2c887e85f837a64e0cec273e3ac8",
      "packagetype": "sdist",
      "python_version": "source",
      "requires_python": ">=3.11",
      "size": 8455,
      "upload_time": "2025-09-04T13:33:42",
      "upload_time_iso_8601": "2025-09-04T13:33:42.139539Z",
      "url": "https://files.pythonhosted.org/packages/77/fd/cabd46ae6e9780422c3baae12c9ed9761b6bc41dac323d5aa42fabe73c74/google_secops_mcp-0.2.0.tar.gz",
      "yanked": false,
      "yanked_reason": null
    }
  ],
  "upload_time": "2025-09-04 13:33:42",
  "github": true,
  "gitlab": false,
  "bitbucket": false,
  "codeberg": false,
  "github_user": "google",
  "github_project": "mcp-security",
  "travis_ci": false,
  "coveralls": false,
  "github_actions": true,
  "lcname": "google-secops-mcp"
}
```