Search for security events in Chronicle using natural language. This function allows you to search for events using everyday language instead of requiring UDM query syntax. The natural language query will be automatically translated into a Chronicle UDM query for execution. Examples of natural language queries: - "Show me network connections from yesterday for the domain google.com" - "Display connections to IP address 192.168.1.100" Args: text: Natural language description of the events you want to find project_id: Google Cloud project ID (defaults to config) customer_id: Chronicle customer ID (defaults to config) hours_back: How many hours to look back (default: 24) max_events: Maximum number of events to return (default: 100) region: Chronicle region (defaults to config) Returns: Dictionary containing the UDM query and search results, including events and metadata.

Get security alerts from Chronicle. Args: project_id: Google Cloud project ID (defaults to config) customer_id: Chronicle customer ID (defaults to config) hours_back: How many hours to look back (default: 24) max_alerts: Maximum number of alerts to return (default: 10) status_filter: Query string to filter alerts by status (default: exclude closed) region: Chronicle region (defaults to config) Returns: Formatted string with security alerts

Look up an entity (IP, domain, hash, etc.) in Chronicle. Args: entity_value: Value to look up (IP, domain, hash, etc.) project_id: Google Cloud project ID (defaults to config) customer_id: Chronicle customer ID (defaults to config) hours_back: How many hours to look back (default: 24) region: Chronicle region (defaults to config) Returns: Entity summary information

List security detection rules from Chronicle. Args: project_id: Google Cloud project ID (defaults to config) customer_id: Chronicle customer ID (defaults to config) region: Chronicle region (defaults to config) Returns: Raw response from the Chronicle API containing security detection rules