Google Chronicle Backstory API (Legacy) MCP server
Google Chronicle Backstory is a legacy cloud-native SIEM platform providing security analytics, threat detection, and investigation capabilities with a simplified API structure. With this MCP server, AI agents can create detection rules, search security data, manage threat intelligence, and automate security investigations through natural language commands.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Note: This is a legacy API. For new integrations, use the modern Google Chronicle API (v1) instead.
Authentication
Google Chronicle Backstory uses OAuth 2.0 with service account authentication. Create a service account in Google Cloud with Chronicle access.
- Service Account: Create in Google Cloud console
- OAuth Scope:
https://www.googleapis.com/auth/cloud-platform - API Base:
https://backstory.googleapis.com - Legacy Endpoint: Unified endpoint without regional variants
Available tools
The Google Chronicle Backstory MCP server exposes threat detection, UDM search, threat intelligence, and security data export APIs.
| Tool | Purpose |
|---|---|
| Detection Rules | Create and manage YARA-L detection rules; version rules; enable/disable rules; manage rule metadata |
| UDM Search | Query security data using Unified Data Model; search events; filter by time range and attributes |
| IOC Lists | Manage threat intelligence indicators (SHA256, SHA1, MD5, IPs, domains, URLs); bulk operations |
| Security Investigation | Search security events; correlate data; build timeline of events; export investigation results |
| Data Export | Export security data to Cloud Storage or BigQuery; configure export settings and schedules |
| RBAC Management | Create roles; assign permissions; manage user access; audit access changes |
Tips
Start with simple rules and add complexity incrementally.
Test rules against known threats.
Document detection logic and maintain clarity for future updates.
Maintain version history for rule changes.
Use time windows to limit dataset scope.
Filter by specific attributes to reduce search volume and improve query performance.
Keep threat intelligence current and remove expired indicators.
Categorize indicators by threat type to improve organization and usability.
Document investigation steps and findings.
Correlate events across time periods and build timeline views for clarity.
Implement principle of least privilege for security team access.
Audit access logs regularly and review permissions quarterly.
Cequence AI Gateway