From a764b3b2f5cc0b79d3eceac9787e3ba4ca81df14 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 29 Jan 2026 10:33:24 +0000 Subject: [PATCH] Remove type hints from MCP tool docstrings Removed type hints from the `Args` section of docstrings in all MCP tool functions located in `server/secops/secops_mcp/tools/`. This aligns the docstring format with the preferred style (e.g., `arg: Description` instead of `arg (Type): Description`). The function signatures retain their type hints. Also corrected indentation inconsistencies in `security_alerts.py`. Co-authored-by: dandye <121151+dandye@users.noreply.github.com> --- .../secops_mcp/tools/data_table_management.py | 44 +++++----- .../secops/secops_mcp/tools/entity_lookup.py | 10 +-- .../secops_mcp/tools/feed_management.py | 68 +++++++-------- server/secops/secops_mcp/tools/ioc_matches.py | 10 +-- .../secops/secops_mcp/tools/log_ingestion.py | 34 ++++---- .../secops_mcp/tools/parser_management.py | 58 ++++++------- .../tools/reference_list_management.py | 36 ++++---- server/secops/secops_mcp/tools/search.py | 16 ++-- .../secops_mcp/tools/security_alerts.py | 82 +++++++++---------- .../secops_mcp/tools/security_events.py | 16 ++-- .../secops/secops_mcp/tools/security_rules.py | 76 ++++++++--------- .../secops/secops_mcp/tools/threat_intel.py | 8 +- server/secops/secops_mcp/tools/udm_search.py | 28 +++---- 13 files changed, 243 insertions(+), 243 deletions(-) diff --git a/server/secops/secops_mcp/tools/data_table_management.py b/server/secops/secops_mcp/tools/data_table_management.py index a1b14939..243a1b2c 100644 --- a/server/secops/secops_mcp/tools/data_table_management.py +++ b/server/secops/secops_mcp/tools/data_table_management.py @@ -60,14 +60,14 @@ async def create_data_table( - BOOL: Boolean values (true/false) Args: - name (str): Unique name for the data table (used to reference in detection rules). - description (str): Description of the data table's purpose and contents. - header (Dict[str, str]): Column definitions mapping column names to their data types. + name: Unique name for the data table (used to reference in detection rules). + description: Description of the data table's purpose and contents. + header: Column definitions mapping column names to their data types. Valid types: "STRING", "CIDR", "INT64", "BOOL". - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - rows (Optional[List[List[str]]]): Initial rows to populate the table. Each row should match the header columns. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + rows: Initial rows to populate the table. Each row should match the header columns. Returns: str: Success message with the created data table details. @@ -196,11 +196,11 @@ async def add_rows_to_data_table( - Consider deduplication to avoid redundant entries in the table. Args: - table_name (str): Name of the existing data table to add rows to. - rows (List[List[str]]): List of rows to add. Each row should match the table's column schema. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + table_name: Name of the existing data table to add rows to. + rows: List of rows to add. Each row should match the table's column schema. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Success message with details about the added rows. @@ -300,11 +300,11 @@ async def list_data_table_rows( - Generate reports on security context data for compliance or operational reviews. Args: - table_name (str): Name of the data table to list rows from. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - max_rows (int): Maximum number of rows to return. Defaults to 50. + table_name: Name of the data table to list rows from. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + max_rows: Maximum number of rows to return. Defaults to 50. Returns: str: Formatted list of table rows with their data values. @@ -409,11 +409,11 @@ async def delete_data_table_rows( - Maintain backups or logs of deleted data for audit purposes. Args: - table_name (str): Name of the data table to delete rows from. - row_ids (List[str]): List of row IDs to delete. Use `list_data_table_rows` to get row IDs. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + table_name: Name of the data table to delete rows from. + row_ids: List of row IDs to delete. Use `list_data_table_rows` to get row IDs. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Success message confirming the deletion of specified rows. diff --git a/server/secops/secops_mcp/tools/entity_lookup.py b/server/secops/secops_mcp/tools/entity_lookup.py index b8238db4..af44e3c3 100644 --- a/server/secops/secops_mcp/tools/entity_lookup.py +++ b/server/secops/secops_mcp/tools/entity_lookup.py @@ -60,11 +60,11 @@ async def lookup_entity( - Prevalence information (if available). Args: - entity_value (str): Value to look up (e.g., IP address, domain name, file hash, username). - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - hours_back (int): How many hours of historical data to consider for the summary. Defaults to 24. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + entity_value: Value to look up (e.g., IP address, domain name, file hash, username). + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + hours_back: How many hours of historical data to consider for the summary. Defaults to 24. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: str: A formatted string summarizing the entity information found in Chronicle within the specified time window, diff --git a/server/secops/secops_mcp/tools/feed_management.py b/server/secops/secops_mcp/tools/feed_management.py index 22dcc644..28a970a3 100644 --- a/server/secops/secops_mcp/tools/feed_management.py +++ b/server/secops/secops_mcp/tools/feed_management.py @@ -50,11 +50,11 @@ async def list_feeds( - Audit feed configurations as part of security reviews Args: - project_id (Optional[str]): Google Cloud project ID. Defaults to + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -129,12 +129,12 @@ async def get_feed( - Review feed metadata and labels Args: - feed_id (str): The ingestion feed identifier to retrieve details for. - project_id (Optional[str]): Google Cloud project ID. Defaults to + feed_id: The ingestion feed identifier to retrieve details for. + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -191,17 +191,17 @@ async def create_feed( - Set up GCP Security Command Center integration Args: - display_name (str): User-friendly name for the feed. - feed_details (Dict[str, Any]): Dictionary containing feed configuration + display_name: User-friendly name for the feed. + feed_details: Dictionary containing feed configuration details. Must include: - logType (str): The Chronicle log type (e.g., "WINEVTLOG") - feedSourceType (str): Type of feed ("HTTP", "S3", "GCS", etc.) - Source-specific settings (httpSettings, s3Settings, etc.) - project_id (Optional[str]): Google Cloud project ID. Defaults to + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -268,16 +268,16 @@ async def update_feed( - Update feed configuration parameters Args: - feed_id (str): The ID of the feed to update. - display_name (Optional[str]): New display name for the feed. + feed_id: The ID of the feed to update. + display_name: New display name for the feed. If None, the existing name is retained. - feed_details (Optional[Dict[str, Any]]): Dictionary containing updated + feed_details: Dictionary containing updated feed configuration details. Only specified fields will be updated. - project_id (Optional[str]): Google Cloud project ID. Defaults to + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -341,12 +341,12 @@ async def enable_feed( - Enable feeds after troubleshooting connectivity issues Args: - feed_id (str): The feed identifier which is to be enabled. - project_id (Optional[str]): Google Cloud project ID. Defaults to + feed_id: The feed identifier which is to be enabled. + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -406,12 +406,12 @@ async def disable_feed( - Stop unused feeds to optimize resource usage Args: - feed_id (str): The ID of the feed to disable. - project_id (Optional[str]): Google Cloud project ID. Defaults to + feed_id: The ID of the feed to disable. + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -471,12 +471,12 @@ async def delete_feed( - Part of environment cleanup during migrations Args: - feed_id (str): The ID of the feed to delete. - project_id (Optional[str]): Google Cloud project ID. Defaults to + feed_id: The ID of the feed to delete. + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: @@ -532,12 +532,12 @@ async def generate_feed_secret( - Update credentials during security review processes Args: - feed_id (str): The ID of the feed to generate a secret for. - project_id (Optional[str]): Google Cloud project ID. Defaults to + feed_id: The ID of the feed to generate a secret for. + project_id: Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to + customer_id: Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: diff --git a/server/secops/secops_mcp/tools/ioc_matches.py b/server/secops/secops_mcp/tools/ioc_matches.py index bfd99d15..529df9e1 100644 --- a/server/secops/secops_mcp/tools/ioc_matches.py +++ b/server/secops/secops_mcp/tools/ioc_matches.py @@ -51,11 +51,11 @@ async def get_ioc_matches( - Supplement investigations by checking if involved entities match known IoCs curated by threat intelligence sources. Args: - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - hours_back (int): How many hours back to look for IoC matches. Defaults to 24. - max_matches (int): Maximum number of IoC matches to return. Defaults to 20. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + hours_back: How many hours back to look for IoC matches. Defaults to 24. + max_matches: Maximum number of IoC matches to return. Defaults to 20. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: str: A formatted string summarizing the IoC matches found, including the IoC type, diff --git a/server/secops/secops_mcp/tools/log_ingestion.py b/server/secops/secops_mcp/tools/log_ingestion.py index 6fbc27ef..8ae8482c 100644 --- a/server/secops/secops_mcp/tools/log_ingestion.py +++ b/server/secops/secops_mcp/tools/log_ingestion.py @@ -58,17 +58,17 @@ async def ingest_raw_log( - Ingest Windows Event logs in XML format for endpoint monitoring. Args: - log_type (str): Chronicle log type identifier (e.g., "OKTA", "WINEVTLOG_XML", "AWS_CLOUDTRAIL"). + log_type: Chronicle log type identifier (e.g., "OKTA", "WINEVTLOG_XML", "AWS_CLOUDTRAIL"). Use get_available_log_types to see supported types. - log_message (Union[str, List[str]]): Log content as string or list of strings for batch ingestion. + log_message: Log content as string or list of strings for batch ingestion. For JSON logs, provide as JSON string. For XML/other formats, provide raw content. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - forwarder_id (Optional[str]): Custom forwarder ID for log routing. If not provided, uses default forwarder. - labels (Optional[Dict[str, str]]): Custom labels to attach to ingested logs for categorization. - log_entry_time (Optional[str]): ISO 8601 timestamp when the log was originally generated. - collection_time (Optional[str]): ISO 8601 timestamp when the log was collected. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + forwarder_id: Custom forwarder ID for log routing. If not provided, uses default forwarder. + labels: Custom labels to attach to ingested logs for categorization. + log_entry_time: ISO 8601 timestamp when the log was originally generated. + collection_time: ISO 8601 timestamp when the log was collected. Returns: str: Success message with operation details, including any operation IDs for tracking. @@ -176,11 +176,11 @@ async def ingest_udm_events( - event-specific fields: Varies by event type (principal, target, network, etc.) Args: - udm_events (Union[Dict[str, Any], List[Dict[str, Any]]]): Single UDM event or list of UDM events. + udm_events: Single UDM event or list of UDM events. Each event must be a properly formatted UDM structure. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Success message with details about the ingested events, including any generated event IDs. @@ -317,10 +317,10 @@ async def get_available_log_types( - Validate log type names before attempting ingestion. Args: - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - search_term (Optional[str]): Filter log types by name or description containing this term. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + search_term: Filter log types by name or description containing this term. Returns: str: Formatted list of available log types with their IDs and descriptions. diff --git a/server/secops/secops_mcp/tools/parser_management.py b/server/secops/secops_mcp/tools/parser_management.py index af161732..5f94bb1b 100644 --- a/server/secops/secops_mcp/tools/parser_management.py +++ b/server/secops/secops_mcp/tools/parser_management.py @@ -55,12 +55,12 @@ async def create_parser( - Parse structured data from APIs or databases into security events. Args: - log_type (str): Chronicle log type identifier for this parser (e.g., "CUSTOM_APP", "WINDOWS_AD"). - parser_code (str): Parser configuration code using Chronicle's parser DSL (typically using filters like mutate, grok, etc.). - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - validated_on_empty_logs (bool): Whether to validate the parser even on empty log samples. Defaults to True. + log_type: Chronicle log type identifier for this parser (e.g., "CUSTOM_APP", "WINDOWS_AD"). + parser_code: Parser configuration code using Chronicle's parser DSL (typically using filters like mutate, grok, etc.). + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + validated_on_empty_logs: Whether to validate the parser even on empty log samples. Defaults to True. Returns: str: Success message with the created parser ID and details. @@ -172,11 +172,11 @@ async def get_parser( - Understand the parsing logic for specific log types during investigations. Args: - log_type (str): Chronicle log type identifier for the parser. - parser_id (str): Unique identifier of the parser to retrieve. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + log_type: Chronicle log type identifier for the parser. + parser_id: Unique identifier of the parser to retrieve. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Formatted parser details including ID, state, and configuration code. @@ -267,11 +267,11 @@ async def activate_parser( - Deploy parser changes as part of log ingestion pipeline updates. Args: - log_type (str): Chronicle log type identifier for the parser. - parser_id (str): Unique identifier of the parser to activate. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + log_type: Chronicle log type identifier for the parser. + parser_id: Unique identifier of the parser to activate. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Success message confirming parser activation. @@ -347,11 +347,11 @@ async def deactivate_parser( not be searchable or usable for detection until a parser is reactivated. Args: - log_type (str): Chronicle log type identifier for the parser. - parser_id (str): Unique identifier of the parser to deactivate. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + log_type: Chronicle log type identifier for the parser. + parser_id: Unique identifier of the parser to deactivate. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Success message confirming parser deactivation. @@ -431,14 +431,14 @@ async def run_parser_against_sample_logs( - Test with logs that might cause parsing failures to ensure robust error handling. Args: - log_type (str): Chronicle log type identifier for the parser. - parser_code (str): Parser configuration code to test. - sample_logs (List[str]): List of sample log entries to test against (max 1000 logs, 10MB per log, 50MB total). - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - parser_extension_code (Optional[str]): Additional parser extension code if needed. - statedump_allowed (bool): Whether to allow statedump filters in the parser. Defaults to False. + log_type: Chronicle log type identifier for the parser. + parser_code: Parser configuration code to test. + sample_logs: List of sample log entries to test against (max 1000 logs, 10MB per log, 50MB total). + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + parser_extension_code: Additional parser extension code if needed. + statedump_allowed: Whether to allow statedump filters in the parser. Defaults to False. Returns: str: Formatted results showing parsing outcomes for each sample log, including any UDM events diff --git a/server/secops/secops_mcp/tools/reference_list_management.py b/server/secops/secops_mcp/tools/reference_list_management.py index 20de0630..9031ec44 100644 --- a/server/secops/secops_mcp/tools/reference_list_management.py +++ b/server/secops/secops_mcp/tools/reference_list_management.py @@ -57,13 +57,13 @@ async def create_reference_list( - REGEX: Regular expression patterns for flexible matching Args: - name (str): Unique name for the reference list (used to reference in detection rules). - description (str): Description of the reference list's purpose and contents. - entries (List[str]): List of values to include in the reference list. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - syntax_type (str): Type of matching to use. Valid values: "STRING", "CIDR", "REGEX". Defaults to "STRING". + name: Unique name for the reference list (used to reference in detection rules). + description: Description of the reference list's purpose and contents. + entries: List of values to include in the reference list. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + syntax_type: Type of matching to use. Valid values: "STRING", "CIDR", "REGEX". Defaults to "STRING". Returns: str: Success message with the created reference list details. @@ -184,11 +184,11 @@ async def get_reference_list( - Generate reports on security reference data for operational documentation. Args: - name (str): Name of the reference list to retrieve. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - include_entries (bool): Whether to include the full list of entries. Defaults to True. + name: Name of the reference list to retrieve. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + include_entries: Whether to include the full list of entries. Defaults to True. Returns: str: Formatted reference list details including metadata and entries. @@ -326,12 +326,12 @@ async def update_reference_list( - At least one of entries or description must be provided. Args: - name (str): Name of the existing reference list to update. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - entries (Optional[List[str]]): New list of entries to replace existing ones. If provided, completely replaces current entries. - description (Optional[str]): New description for the reference list. + name: Name of the existing reference list to update. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + entries: New list of entries to replace existing ones. If provided, completely replaces current entries. + description: New description for the reference list. Returns: str: Success message with details about the updated reference list. diff --git a/server/secops/secops_mcp/tools/search.py b/server/secops/secops_mcp/tools/search.py index a7c52c32..5b04a2e5 100644 --- a/server/secops/secops_mcp/tools/search.py +++ b/server/secops/secops_mcp/tools/search.py @@ -38,14 +38,14 @@ async def search_udm( """Search UDM events using UDM query in Chronicle. Args: - query (str): UDM query to search for events. - hours_back (int): How many hours back from the current time to search. Used if start_time is not provided. - start_time (Optional[str]): Start time in ISO 8601 format (e.g. "2023-01-01T00:00:00Z"). Overrides hours_back. - end_time (Optional[str]): End time in ISO 8601 format. Defaults to current time if not provided. - max_events (Optional[int]): Maximum number of events to return. - project_id (Optional[str]): Google Cloud project ID. - customer_id (Optional[str]): Chronicle customer ID. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). + query: UDM query to search for events. + hours_back: How many hours back from the current time to search. Used if start_time is not provided. + start_time: Start time in ISO 8601 format (e.g. "2023-01-01T00:00:00Z"). Overrides hours_back. + end_time: End time in ISO 8601 format. Defaults to current time if not provided. + max_events: Maximum number of events to return. + project_id: Google Cloud project ID. + customer_id: Chronicle customer ID. + region: Chronicle region (e.g., "us", "europe"). Returns: Dict containing the search results with events. diff --git a/server/secops/secops_mcp/tools/security_alerts.py b/server/secops/secops_mcp/tools/security_alerts.py index ab90dcf1..ed0660db 100644 --- a/server/secops/secops_mcp/tools/security_alerts.py +++ b/server/secops/secops_mcp/tools/security_alerts.py @@ -52,13 +52,13 @@ async def get_security_alerts( - Check for SIEM alerts that might not have corresponding cases yet in other systems. Args: - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - hours_back (int): How many hours to look back for alerts. Defaults to 24. - max_alerts (int): Maximum number of alerts to return. Defaults to 10. - status_filter (str): Query string to filter alerts by status (e.g., 'feedback_summary.status != "CLOSED"'). + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + hours_back: How many hours to look back for alerts. Defaults to 24. + max_alerts: Maximum number of alerts to return. Defaults to 10. + status_filter: Query string to filter alerts by status (e.g., 'feedback_summary.status != "CLOSED"'). Defaults to excluding closed alerts. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: str: A formatted string summarizing the retrieved security alerts, including rule name, @@ -176,11 +176,11 @@ async def get_security_alert_by_id( - May need to get this so you know which Alert to update Args: - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. - alert_id (Optional[str]): The unique identifier of the alert to retrieve. - include_detections (bool): Whether to include detection details in the response. Defaults to True. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + alert_id: The unique identifier of the alert to retrieve. + include_detections: Whether to include detection details in the response. Defaults to True. Returns: str: A formatted string summarizing the retrieved security alerts, including rule name, @@ -240,36 +240,36 @@ async def do_update_security_alert( - Update an alert's confidence score or risk score based on corroborating evidence or lack thereof. Args: - alert_id (str): The unique ID of the Chronicle security alert to update. This is a required identifier. - project_id (Optional[str]): Google Cloud project ID associated with the Chronicle instance. Defaults to environment configuration if not provided. - customer_id (Optional[str]): The Chronicle customer ID. Defaults to environment configuration if not provided. - region (Optional[str]): The Google Cloud region where the Chronicle instance is hosted (e.g., "us", "europe"). Defaults to environment configuration if not provided. - reason: Reason for closing an alert. Valid values: - - "REASON_UNSPECIFIED" - - "REASON_NOT_MALICIOUS" - - "REASON_MALICIOUS" - - "REASON_MAINTENANCE" - priority: Alert priority. Valid values: - - "PRIORITY_UNSPECIFIED" - - "PRIORITY_INFO" - - "PRIORITY_LOW" - - "PRIORITY_MEDIUM" - - "PRIORITY_HIGH" - - "PRIORITY_CRITICAL" - status: Alert status. Valid values: - - "STATUS_UNSPECIFIED" - - "NEW" - - "REVIEWED" - - "CLOSED" - - "OPEN" - verdict: Verdict on the alert. Valid values: - - "VERDICT_UNSPECIFIED" - - "TRUE_POSITIVE" - - "FALSE_POSITIVE" - risk_score: Risk score [0-100] of the alert - severity: Severity score [0-100] of the alert - comment: Analyst comment (empty string is valid to clear) - root_cause: Alert root cause (empty string is valid to clear) + alert_id: The unique ID of the Chronicle security alert to update. This is a required identifier. + project_id: Google Cloud project ID associated with the Chronicle instance. Defaults to environment configuration if not provided. + customer_id: The Chronicle customer ID. Defaults to environment configuration if not provided. + region: The Google Cloud region where the Chronicle instance is hosted (e.g., "us", "europe"). Defaults to environment configuration if not provided. + reason: Reason for closing an alert. Valid values: + - "REASON_UNSPECIFIED" + - "REASON_NOT_MALICIOUS" + - "REASON_MALICIOUS" + - "REASON_MAINTENANCE" + priority: Alert priority. Valid values: + - "PRIORITY_UNSPECIFIED" + - "PRIORITY_INFO" + - "PRIORITY_LOW" + - "PRIORITY_MEDIUM" + - "PRIORITY_HIGH" + - "PRIORITY_CRITICAL" + status: Alert status. Valid values: + - "STATUS_UNSPECIFIED" + - "NEW" + - "REVIEWED" + - "CLOSED" + - "OPEN" + verdict: Verdict on the alert. Valid values: + - "VERDICT_UNSPECIFIED" + - "TRUE_POSITIVE" + - "FALSE_POSITIVE" + risk_score: Risk score [0-100] of the alert + severity: Severity score [0-100] of the alert + comment: Analyst comment (empty string is valid to clear) + root_cause: Alert root cause (empty string is valid to clear) Returns: str: A confirmation message indicating whether the alert was updated successfully, potentially including a summary of the changes or the updated alert ID. Returns an error message if the update fails. diff --git a/server/secops/secops_mcp/tools/security_events.py b/server/secops/secops_mcp/tools/security_events.py index b436c1e7..ad79079f 100644 --- a/server/secops/secops_mcp/tools/security_events.py +++ b/server/secops/secops_mcp/tools/security_events.py @@ -63,14 +63,14 @@ async def search_security_events( Note: When searching for email addresses, use only lowercase letters. Args: - text (str): Natural language description of the events you want to find. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - hours_back (int): How many hours back from the current time to search. Used if start_time is not provided. - start_time (Optional[str]): Start time in ISO 8601 format (e.g. "2023-01-01T00:00:00Z"). Overrides hours_back. - end_time (Optional[str]): End time in ISO 8601 format. Defaults to current time if not provided. - max_events (int): Maximum number of event records to return. Defaults to 100. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + text: Natural language description of the events you want to find. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + hours_back: How many hours back from the current time to search. Used if start_time is not provided. + start_time: Start time in ISO 8601 format (e.g. "2023-01-01T00:00:00Z"). Overrides hours_back. + end_time: End time in ISO 8601 format. Defaults to current time if not provided. + max_events: Maximum number of event records to return. Defaults to 100. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: Dict[str, Any]: A dictionary containing: diff --git a/server/secops/secops_mcp/tools/security_rules.py b/server/secops/secops_mcp/tools/security_rules.py index 9897d4b4..ac484349 100644 --- a/server/secops/secops_mcp/tools/security_rules.py +++ b/server/secops/secops_mcp/tools/security_rules.py @@ -50,11 +50,11 @@ async def list_security_rules( - Understand which rules might be relevant to a particular threat scenario or TTP. Args: - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - page_size (int): Maximum number of rules to return. Defaults to 100. Max is 1000. - page_token (str | None): Page token for pagination. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + page_size: Maximum number of rules to return. Defaults to 100. Max is 1000. + page_token: Page token for pagination. Returns: Dict[str, Any]: Raw response from the Chronicle API, typically containing a list @@ -111,10 +111,10 @@ async def search_security_rules( - Searching for rules that reference a specific log_type like "WORKSPACE" Args: - query (str): Regex string to use for searching SecOps rules. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + query: Regex string to use for searching SecOps rules. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: Dict[str, Any]: Raw response from the Chronicle API, typically containing a list @@ -171,13 +171,13 @@ async def get_detection_rule( - Associated rule ID, display name, and revision tracking Args: - rule_id (str): Unique ID of the detection rule to retrieve. + rule_id: Unique ID of the detection rule to retrieve. Examples: "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (latest version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890" (specific version). If no version suffix is provided, the latest version is returned. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: Dict[str, Any]: Complete rule information including: @@ -255,17 +255,17 @@ async def get_rule_detections( - Assess the Alert to determine liklihood of maliciousness Args: - rule_id (str): Unique ID of the rule to list detections for. + rule_id: Unique ID of the rule to list detections for. Examples: "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (latest version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890" (specific version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@-" (all versions). - alert_state (Optional[str]): If provided, filter by alert state. + alert_state: If provided, filter by alert state. Valid values: "UNSPECIFIED", "NOT_ALERTING", "ALERTING". - page_size (Optional[int]): If provided, the maximum number of detections to return in a single response. - page_token (Optional[str]): If provided, a token to retrieve the next page of results for pagination. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + page_size: If provided, the maximum number of detections to return in a single response. + page_token: If provided, a token to retrieve the next page of results for pagination. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: Dict[str, Any]: A dictionary containing the list of detections (under a 'detections' key, typically) @@ -354,13 +354,13 @@ async def list_rule_errors( - Get details of compilation or runtime errors for a given rule version. Args: - rule_id (str): Unique ID of the rule to list errors for. + rule_id: Unique ID of the rule to list errors for. Examples: "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (latest version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@v_12345_67890" (specific version), "ru_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@-" (all versions). - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: Dict[str, Any]: A dictionary containing rule execution errors. The structure depends on the API. @@ -437,10 +437,10 @@ async def create_rule( - Consider the rule's performance impact on Chronicle's processing capabilities. Args: - rule_text (str): Complete YARA-L 2.0 rule definition including rule metadata, events, and conditions. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + rule_text: Complete YARA-L 2.0 rule definition including rule metadata, events, and conditions. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Success message with the created rule ID and status information. @@ -552,12 +552,12 @@ async def test_rule( - Test with different time windows to understand detection patterns and false positive rates. Args: - rule_text (str): Complete YARA-L 2.0 rule definition to test. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). - hours_back (int): How many hours of historical data to test against. Defaults to 168 (7 days). - max_results (int): Maximum number of detection results to return. Defaults to 100. + rule_text: Complete YARA-L 2.0 rule definition to test. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). + hours_back: How many hours of historical data to test against. Defaults to 168 (7 days). + max_results: Maximum number of detection results to return. Defaults to 100. Returns: str: Formatted test results showing detection count, sample detections, and analysis summary. @@ -740,10 +740,10 @@ async def validate_rule( - Metadata section validation Args: - rule_text (str): Complete YARA-L 2.0 rule definition to validate. - project_id (str): Google Cloud project ID (required). - customer_id (str): Chronicle customer ID (required). - region (str): Chronicle region (e.g., "us", "europe") (required). + rule_text: Complete YARA-L 2.0 rule definition to validate. + project_id: Google Cloud project ID (required). + customer_id: Chronicle customer ID (required). + region: Chronicle region (e.g., "us", "europe") (required). Returns: str: Validation results indicating success or specific syntax errors with location information. diff --git a/server/secops/secops_mcp/tools/threat_intel.py b/server/secops/secops_mcp/tools/threat_intel.py index 8a47fe4a..2972bcc6 100644 --- a/server/secops/secops_mcp/tools/threat_intel.py +++ b/server/secops/secops_mcp/tools/threat_intel.py @@ -53,10 +53,10 @@ async def get_threat_intel( - "Tell me about the LockBit ransomware." Args: - query (str): The security or threat intelligence question to ask Gemini. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + query: The security or threat intelligence question to ask Gemini. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: str: A formatted answer generated by the Gemini model based on the query. diff --git a/server/secops/secops_mcp/tools/udm_search.py b/server/secops/secops_mcp/tools/udm_search.py index 3ceeb737..b3902fd5 100644 --- a/server/secops/secops_mcp/tools/udm_search.py +++ b/server/secops/secops_mcp/tools/udm_search.py @@ -68,20 +68,20 @@ async def export_udm_search_csv( - metadata.product_name: Source product generating the event Args: - query (str): UDM query to search for events. Use Chronicle query syntax. + query: UDM query to search for events. Use Chronicle query syntax. Examples: - 'metadata.event_type = "USER_LOGIN"' - 'principal.ip = "192.168.1.100"' - 'target.hostname = "server1" AND metadata.event_type = "FILE_MODIFICATION"' - fields (List[str]): List of UDM fields to include in the CSV export. + fields: List of UDM fields to include in the CSV export. Each field will become a column in the output. - hours_back (int): How many hours back from the current time to search. Used if start_time is not provided. - start_time (Optional[str]): Start time in ISO 8601 format (e.g. "2023-01-01T00:00:00Z"). Overrides hours_back. - end_time (Optional[str]): End time in ISO 8601 format. Defaults to current time if not provided. - case_insensitive (bool): Whether to perform case-insensitive search. Defaults to True. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + hours_back: How many hours back from the current time to search. Used if start_time is not provided. + start_time: Start time in ISO 8601 format (e.g. "2023-01-01T00:00:00Z"). Overrides hours_back. + end_time: End time in ISO 8601 format. Defaults to current time if not provided. + case_insensitive: Whether to perform case-insensitive search. Defaults to True. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: str: CSV formatted string with header row and data rows. Empty result returns header row only. @@ -235,13 +235,13 @@ async def find_udm_field_values( - Event type discovery: "USER_" to find all user-related event types Args: - query (str): The partial UDM field value to search for. Supports prefix, suffix, + query: The partial UDM field value to search for. Supports prefix, suffix, or substring matching depending on Chronicle's implementation. - page_size (Optional[int]): Maximum number of matching values to return. + page_size: Maximum number of matching values to return. If not specified, uses Chronicle's default limit. - project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration. - customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration. - region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. + project_id: Google Cloud project ID. Defaults to environment configuration. + customer_id: Chronicle customer ID. Defaults to environment configuration. + region: Chronicle region (e.g., "us", "europe"). Defaults to environment configuration. Returns: Dict[str, Any]: A dictionary containing: