Google Chronicle API MCP server
Google Chronicle is a cloud-native security information and event management (SIEM) platform providing comprehensive security analytics, threat detection, and investigation capabilities. With this MCP server, AI agents can create detection rules, run retrohunts, manage watchlists, create reference lists, and automate security operations through natural language commands.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
Google Chronicle uses OAuth 2.0 with service account authentication. Create a service account in Google Cloud and grant Chronicle API access.
- Service Account: Create in the Google Cloud console
- OAuth Scope: https://www.googleapis.com/auth/cloud-platform
- Regional Endpoint: Choose the appropriate region for your deployment (19 regions available)
- API Base: https://{region}-chronicle.googleapis.com
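As an added example (not Cequence AI Gateway's or Google's own code), the Python below shows the two values above in use: a service-account credential scoped to https://www.googleapis.com/auth/cloud-platform is exchanged for a bearer token with the google-auth library, and the {region} placeholder of the API base is filled only after the region label has been validated, so a mis-set configuration value cannot turn the API base into a URL on some other host. The google-auth dependency, the key-file path and the region-label pattern are assumptions of this example, not something the page specifies.

```python
"""Service-account authentication for the Google Chronicle API.

Added example, not Cequence AI Gateway or Google code. Assumes the
google-auth library (pip install google-auth) for the token step and a
service-account JSON key file on disk; both are assumptions, not page facts.
"""
from __future__ import annotations

import re

# Scope and API base exactly as listed in the Authentication section.
CHRONICLE_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
API_BASE_TEMPLATE = "https://{region}-chronicle.googleapis.com"

# A region label is lowercase letters/digits with internal hyphens, e.g. "us"
# or "europe-west2" (this pattern is the example's assumption, not an official one).
_REGION_RE = re.compile(r"^[a-z][a-z0-9-]*[a-z0-9]$")


def chronicle_base_url(region: str) -> str:
    """Fill the {region} placeholder, refusing anything but a plain label.

    The template is usually filled from configuration; validating first means
    a value containing '/', '?', '.' or '@' cannot change which host the
    resulting API base points at.
    """
    if not _REGION_RE.fullmatch(region):
        raise ValueError(f"invalid Chronicle region label: {region!r}")
    return API_BASE_TEMPLATE.format(region=region)


def service_account_token(key_file: str, scopes=(CHRONICLE_SCOPE,)) -> str:
    """Exchange a service-account key for an OAuth 2.0 bearer token.

    Performs a network call to Google's token endpoint. The import is done
    here so the URL helper above works even without google-auth installed.
    """
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=list(scopes)
    )
    creds.refresh(Request())  # populates creds.token and creds.expiry
    return creds.token


def auth_headers(token: str) -> dict[str, str]:
    """Headers for a Chronicle REST call; keep the token out of request logs."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    print(chronicle_base_url("us"))
    # token = service_account_token("/path/to/key.json")  # assumed key-file path
    # headers = auth_headers(token)
```

The scope the page lists is broad (it covers all of Google Cloud, not only Chronicle), so the service account's IAM role, rather than the OAuth scope, is where least privilege has to be enforced; grant it only the Chronicle roles the MCP server's tools actually need.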
Available tools
The Google Chronicle MCP server exposes threat detection, rule management, retrohunts, watchlists, reference lists, and security operations APIs.
| Tool | Purpose |
|---|---|
| Detection Rules | Create and manage YARA-L detection rules; version rules; manage rule metadata and descriptions |
| Rule Deployments | Deploy rules to production; manage rule activation; track deployment status and history |
| Retrohunts | Search historical data for threat patterns; create retrohunt jobs; monitor job progress; export results |
| Watchlists | Monitor high-risk entities; add/remove watched users, hosts, IPs; track watchlist activity |
| Reference Lists | Manage threat intelligence indicators (SHA256, SHA1, MD5, IPs, domains, URLs, emails) |
| Data Access Control | Create and manage data access labels; define access scopes; control visibility of security data |
| Long-Running Operations | Monitor background operations; check operation status; retrieve operation results |
Tips
- Write YARA-L rules incrementally and test them in staging.
- Use meaningful rule names and descriptions to keep rules maintainable.
- Document rule logic and detection rationale for future reference.
- Version rules systematically as threats evolve.
- Run retrohunts during off-peak hours for large datasets.
- Scope retrohunt searches by time range and data source to manage resources efficiently.
- Prioritize high-risk entities for watchlist monitoring.
- Regularly review watchlist effectiveness and add context and threat scores to watchlisted items.
- Keep threat intelligence indicators current and remove expired IOCs.
- Organize indicators by category (malware, phishing, C2) to improve usability.
- Use data access labels to enforce need-to-know security.
- Define scopes that align with team responsibilities and regularly audit access permissions.
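The Reference Lists tool and the indicator tips above describe curating IOCs by type and category and retiring stale ones. The Python below is an added example, not code from Cequence or Google, that performs that curation client-side before anything is pushed to a reference list: it classifies each indicator as one of the types the page names (SHA256, SHA1, MD5, IP, domain, URL, email), normalizes case and trailing dots so duplicates collapse, drops entries older than a retention window, and groups the survivors into per-category lists. The sample indicators, timestamps, the 90-day window and the category_type list naming are constructed for illustration and are not page facts.

```python
"""Curate threat indicators for Chronicle reference lists.

Added example, not Cequence AI Gateway or Google code. Every indicator,
timestamp and list name below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

_HEX = r"[0-9a-fA-F]"
# Checked in order; hashes are distinguished purely by length.
_PATTERNS = [
    ("sha256", re.compile(rf"^{_HEX}{{64}}$")),
    ("sha1", re.compile(rf"^{_HEX}{{40}}$")),
    ("md5", re.compile(rf"^{_HEX}{{32}}$")),
    ("url", re.compile(r"^https?://\S+$", re.IGNORECASE)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("domain", re.compile(
        r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
        re.IGNORECASE)),
]
_CASE_INSENSITIVE = {"sha256", "sha1", "md5", "domain", "email"}


def canonical(indicator: str) -> str:
    """Trim whitespace and a trailing FQDN dot (but not the end of a URL or email)."""
    value = indicator.strip()
    if "://" not in value and "@" not in value:
        value = value.rstrip(".")
    return value


def classify(indicator: str) -> str | None:
    """Return the indicator type, or None when no supported format matches."""
    value = canonical(indicator)
    try:
        ipaddress.ip_address(value)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    for name, pattern in _PATTERNS:
        if pattern.match(value):
            return name
    return None


def normalize(indicator: str, kind: str) -> str:
    """Canonical form used for de-duplication; hashes/domains/emails are lowercased."""
    value = canonical(indicator)
    return value.lower() if kind in _CASE_INSENSITIVE else value


def build_reference_lists(entries, now, max_age=timedelta(days=90)):
    """Group (indicator, category, first_seen) tuples into reference-list payloads.

    Returns ({"<category>_<kind>": sorted unique indicators}, [(raw, reason)]).
    Entries that match no format or are older than max_age are rejected, which
    keeps stale IOCs from being loaded in the first place.
    """
    lists: dict[str, set[str]] = {}
    rejected: list[tuple[str, str]] = []
    for raw, category, first_seen in entries:
        kind = classify(raw)
        if kind is None:
            rejected.append((raw, "unrecognized format"))
            continue
        if now - first_seen > max_age:
            rejected.append((raw, "expired"))
            continue
        lists.setdefault(f"{category}_{kind}", set()).add(normalize(raw, kind))
    return {name: sorted(values) for name, values in sorted(lists.items())}, rejected


# Constructed sample feed: values are placeholders, not real observed IOCs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("0123456789ABCDEF0123456789ABCDEF", "malware", NOW - timedelta(days=3)),       # md5, uppercase
    ("0123456789abcdef0123456789abcdef", "malware", NOW - timedelta(days=5)),       # same md5, lowercase
    ("0123456789abcdef0123456789abcdef01234567", "malware", NOW - timedelta(days=10)),  # sha1
    ("0123456789abcdef" * 4, "malware", NOW - timedelta(days=120)),                 # sha256, past retention
    ("Login.Example-Bank.Test.", "phishing", NOW - timedelta(days=1)),              # domain, trailing dot
    ("alerts@example-bank.test", "phishing", NOW - timedelta(days=1)),              # email
    ("http://198.51.100.7/update.bin", "c2", NOW - timedelta(days=2)),              # url
    ("198.51.100.7", "c2", NOW - timedelta(days=2)),                                # ipv4
    ("2001:db8::1", "c2", NOW - timedelta(days=2)),                                 # ipv6
    ("not an indicator", "phishing", NOW),                                          # malformed
]

if __name__ == "__main__":
    lists, rejected = build_reference_lists(SAMPLE_ENTRIES, NOW)
    for name, values in lists.items():
        print(name, values)
    print("rejected:", rejected)
```

Running the block collapses the two MD5 spellings into one entry, files the IPv4 and IPv6 addresses together under c2_ip, and reports the 120-day-old SHA256 and the malformed string as rejected, which is the review step worth doing before an agent writes to a production reference list.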
Cequence AI Gateway