MCP Tools Reference: chronicle.googleapis.com

Tool: create_reference_list

Create a new reference list in Chronicle SIEM.

Creates a reference list containing a collection of values that can be referenced in detection rules. Reference lists are useful for maintaining lists of known entities like IP addresses, domains, usernames, or other indicators that enhance detection logic.

Workflow Integration:
- Use to create curated lists of security-relevant entities for detection enhancement.
- Essential for maintaining allowlists, blocklists, or other categorized entity collections.
- Enables dynamic detection rule behavior without hardcoding values in rule logic.
- Supports threat intelligence integration by storing IOC lists in a searchable format.

Use Cases:
- Create lists of trusted domains or IP ranges to reduce false positives.
- Maintain lists of privileged user accounts for monitoring access patterns.
- Store lists of malicious file hashes for detection and blocking.
- Build collections of known bad domains from threat intelligence feeds.
- Create regex patterns for detecting specific attack signatures or behaviors.

Syntax Types:
- STRING: Exact string matching (default)
- CIDR: IP address ranges and CIDR blocks
- REGEX: Regular expression patterns for flexible matching

Args:
- name (str): Unique name for the reference list (used to reference it in detection rules). This will be the ID.
- description (str): Description of the reference list's purpose and contents.
- entries (List[str]): List of values to include in the reference list.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- syntax_type (str): Type of matching to use. Valid values: "STRING", "CIDR", "REGEX". Defaults to "STRING".

Returns:
- str: Success message with the created reference list details. Returns an error message if list creation fails.

Example Usage:

    # Create a list of administrative accounts
    create_reference_list(
        name="admin_accounts",
        description="Administrative user accounts for privilege monitoring",
        entries=["admin", "administrator", "root", "system", "service"],
        project_id="my-project",
        customer_id="my-customer",
        region="us",
        syntax_type="STRING"
    )

    # Create a list of trusted networks
    create_reference_list(
        name="trusted_networks",
        description="Internal network ranges that are considered trusted",
        entries=["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"],
        project_id="my-project",
        customer_id="my-customer",
        region="us",
        syntax_type="CIDR"
    )

Next Steps (using MCP-enabled tools):
- Reference the list in detection rules using the list name (e.g., reference_list.admin_accounts).
- Update the list using update_reference_list as your data changes.
- Retrieve the list contents using get_reference_list to verify entries.
- Create detection rules that leverage the list for enhanced threat detection.
- Set up automated processes to maintain the list with current threat intelligence.

The following sample demonstrates how to use curl to invoke the create_reference_list MCP tool.

Curl Request
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "create_reference_list",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
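As an added example, not part of this page or of the Chronicle MCP server's own code: a Python pre-flight helper that checks a candidate entry list against the limits documented in the schemas below (512 characters per entry, 6MB combined) and against its syntax type, then builds the JSON-RPC body that the curl placeholder above leaves blank. The argument key names are taken from the Input Schema below and should be confirmed against the server's tools/list response; the regex check uses Python's re module as an approximation of the service's dialect; no authentication header is modelled; the sample entries are constructed for the demonstration.

```python
import ipaddress
import json
import re

# Limits taken from the ReferenceList schema on this page: an entry is at most
# 512 characters and the combined size of all values may not exceed 6MB.
MAX_ENTRY_CHARS = 512
MAX_TOTAL_BYTES = 6 * 1024 * 1024
SYNTAX_TYPES = ("STRING", "CIDR", "REGEX")


def validate_entries(entries, syntax_type="STRING"):
    """Return a list of (entry, reason) problems; an empty list means all entries pass.

    Each entry is checked against the documented size limits and against its
    syntax type, so a malformed CIDR or an uncompilable regex is caught locally
    rather than rejected by the API (re.compile only approximates the service's dialect).
    """
    if syntax_type not in SYNTAX_TYPES:
        raise ValueError(f"syntax_type must be one of {SYNTAX_TYPES}, got {syntax_type!r}")
    problems = []
    seen = set()
    total_bytes = 0
    for entry in entries:
        total_bytes += len(entry.encode("utf-8"))
        if not entry:
            problems.append((entry, "empty entry"))
            continue
        if entry != entry.strip():
            # Matching is exact, so "admin " would never hit a userid of "admin".
            problems.append((entry, "leading or trailing whitespace"))
            continue
        if len(entry) > MAX_ENTRY_CHARS:
            problems.append((entry, f"longer than {MAX_ENTRY_CHARS} characters"))
            continue
        if entry in seen:
            problems.append((entry, "duplicate entry"))
            continue
        seen.add(entry)
        if syntax_type == "CIDR":
            try:
                lenient = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append((entry, "not a valid IP address or CIDR block"))
                continue
            try:
                ipaddress.ip_network(entry)  # strict: host bits must be zero
            except ValueError:
                # e.g. "10.1.2.3/8" would silently match all of 10.0.0.0/8
                problems.append((entry, f"host bits set; the block actually matched is {lenient}"))
        elif syntax_type == "REGEX":
            try:
                re.compile(entry)
            except re.error as exc:
                problems.append((entry, f"regex does not compile: {exc}"))
    if total_bytes > MAX_TOTAL_BYTES:
        problems.append(("<all entries>", f"combined size {total_bytes} bytes exceeds {MAX_TOTAL_BYTES}"))
    return problems


def build_tool_call(project_id, customer_id, region, name, description, entries,
                    syntax_type="STRING", request_id=1):
    """Build the JSON-RPC 2.0 tools/call body for create_reference_list.

    Argument keys follow the Input Schema on this page (assumed; confirm against
    tools/list). Raises ValueError if validate_entries() reports anything.
    """
    problems = validate_entries(entries, syntax_type)
    if problems:
        detail = "; ".join(f"{entry!r}: {reason}" for entry, reason in problems)
        raise ValueError(f"refusing to send invalid reference list: {detail}")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "create_reference_list",
            "arguments": {
                "projectId": project_id,
                "customerId": customer_id,
                "region": region,
                "name": name,
                "description": description,
                "entries": list(entries),
                "syntaxType": syntax_type,
            },
        },
    }


if __name__ == "__main__":
    # Constructed sample input: the trusted-network list from this page plus one
    # deliberately sloppy entry, to show the pre-flight check catching it.
    candidate = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.1.2.3/8"]
    for bad_entry, reason in validate_entries(candidate, "CIDR"):
        print(f"rejected {bad_entry!r}: {reason}")
    body = build_tool_call("my-project", "my-customer", "us", "trusted_networks",
                           "Internal network ranges that are considered trusted",
                           candidate[:3], syntax_type="CIDR")
    print(json.dumps(body, indent=2))
```

The host-bits check matters more than it looks: a CIDR list is usually an allowlist, and an entry such as 10.1.2.3/8 that was meant to be a single host quietly allowlists the whole /8. Run the validation before every update_reference_list call as well, since the same limits apply there.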

Input Schema

Request message for CreateReferenceList.

CreateReferenceListRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "name": string,
  "description": string,
  "entries": [
    string
  ],
  "syntaxType": string
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

name

string

Name of the reference list to create.

description

string

Description of the reference list.

entries[]

string

Entries of the reference list.

syntaxType

string

Syntax type of the reference list.

Output Schema

A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules.

ReferenceList

JSON representation
{
  "name": string,
  "displayName": string,
  "revisionCreateTime": string,
  "description": string,
  "entries": [
    {
      object (ReferenceListEntry)
    }
  ],
  "rules": [
    string
  ],
  "syntaxType": enum (ReferenceListSyntaxType),
  "ruleAssociationsCount": integer,
  "scopeInfo": {
    object (ScopeInfo)
  }
}
Fields
name

string

Identifier. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list}

displayName

string

Output only. The unique display name of the reference list.

revisionCreateTime

string (Timestamp format)

Output only. The timestamp when the reference list was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

description

string

Required. A user-provided description of the reference list.

entries[]

object (ReferenceListEntry)

Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL.

rules[]

string

Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL.

syntaxType

enum (ReferenceListSyntaxType)

Required. The syntax type indicating how list entries should be validated.

ruleAssociationsCount

integer

Output only. The count of self-authored rules using the reference list.

scopeInfo

object (ScopeInfo)

The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set.

Timestamp

JSON representation
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

ReferenceListEntry

JSON representation
{
  "value": string
}
Fields
value

string

Required. The value of the entry. Maximum length is 512 characters.

ScopeInfo

JSON representation
{
  "referenceListScope": {
    object (ReferenceListScope)
  }
}
Fields
referenceListScope

object (ReferenceListScope)

Required. The list of scope names of the reference list; if the list is empty, the reference list is treated as unscoped.

ReferenceListScope

JSON representation
{
  "scopeNames": [
    string
  ]
}
Fields
scopeNames[]

string

Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌