Create a Google Cloud service account with the Chronicle API Writer role and download a JSON key, or use Workload Identity Federation for keyless auth.
Obtain an OAuth2 access token scoped to https://www.googleapis.com/auth/chronicle-backstory using the service account credentials.
Format each event as a UDM JSON object adhering to the Google SecOps Unified Data Model schema (metadata.event_timestamp, metadata.event_type, principal, target, network, etc.).
Use the recommended current-generation API: POST to https://{region}-chronicle.googleapis.com/v1alpha/projects/{project}/locations/{location}/instances/{instance}/events:import with a JSON body containing a udmEvents array.
Monitor ingestion health in the Google SecOps ingestion status dashboard and check for schema validation errors returned in the API response.
Known gotchas
Google renamed Chronicle to Google SecOps; the legacy Ingestion API endpoint (malachiteingestion-pa.googleapis.com) still works but Google recommends migrating to the newer Chronicle API (projects.locations.instances.events.import) for expanded functionality.
UDM event_type must be a valid enum value from the UDM schema; sending an unrecognised event_type causes the entire batch to be rejected rather than partial ingestion.
Regional endpoints vary by where your tenant is provisioned; using the wrong region returns an HTTP 403 or 404, not a helpful region-mismatch error.
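The formatting and POST steps above, together with the whole-batch rejection gotcha, suggest a pre-flight check before anything is sent. The following is an added example, not code from Google or from this page. The enum subset, the sample events and the region, project, location and instance values are constructed placeholders, and the `udmEvents` wrapper key follows this page's description of the request body.

```python
import json
from datetime import datetime

# Partial subset of UDM event_type enum values, for illustration only;
# in real use load the full list from the UDM schema reference.
KNOWN_EVENT_TYPES = {"GENERIC_EVENT", "NETWORK_CONNECTION", "NETWORK_DNS",
                     "NETWORK_HTTP", "PROCESS_LAUNCH", "USER_LOGIN", "USER_LOGOUT"}

# Constructed sample batch: one sendable event and two that would sink the batch.
SAMPLE_EVENTS = [
    {"metadata": {"event_timestamp": "2024-05-01T12:00:00Z", "event_type": "USER_LOGIN"},
     "principal": {"hostname": "ws-01.example.test"}},
    {"metadata": {"event_timestamp": "2024-05-01T12:00:05Z", "event_type": "LOGIN"}},
    {"metadata": {"event_type": "NETWORK_DNS"}},
]

def check_event(event):
    """Return a list of problems found in one UDM event (empty if none)."""
    problems = []
    meta = event.get("metadata") or {}
    etype = meta.get("event_type")
    if etype not in KNOWN_EVENT_TYPES:
        problems.append(f"event_type {etype!r} not in known enum subset")
    ts = meta.get("event_timestamp")
    try:
        # fromisoformat() on older Pythons rejects a trailing "Z", so normalise it.
        parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        if parsed.tzinfo is None:
            problems.append("event_timestamp has no UTC offset")
    except ValueError:
        problems.append(f"event_timestamp {ts!r} is not a parseable timestamp")
    return problems

def build_import_request(region, project, location, instance, events):
    """Quarantine bad events locally, then build the URL and JSON body."""
    valid, quarantined = [], []
    for index, event in enumerate(events):
        problems = check_event(event)
        if problems:
            quarantined.append((index, problems))
        else:
            valid.append(event)
    url = (f"https://{region}-chronicle.googleapis.com/v1alpha/projects/{project}"
           f"/locations/{location}/instances/{instance}/events:import")
    # Wrapper key as described in the steps on this page.
    body = json.dumps({"udmEvents": valid})
    return url, body, quarantined
```

Send `body` to `url` with the bearer token from the OAuth2 step, and log the quarantined entries so dropped events stay visible to whoever owns the log source.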