MCP Tools Reference: chronicle.googleapis.com

Tool: list_integration_actions

Lists all the actions for a given SOAR Integration. You can also list actions across all integrations by passing "-" as the integration_id.

Retrieves a paginated list of all available actions for a specific integration. Actions are the specific, executable functions that an integration provides, such as 'block_ip', 'get_user_details', or 'analyze_url'. This is useful for discovering the capabilities of a particular integration and what automated or manual steps can be taken.

Workflow Integration: - Populates a UI with a list of available actions for an analyst to choose from when building a playbook or taking manual action. - Enables automated systems to discover and validate the actions that can be executed through a specific integration before attempting to run them. - Essential for playbook development and for understanding the available automated capabilities of each integrated tool.

Use Cases: - A SOAR engineer lists the actions for a newly installed EDR integration to understand what it can do. - A security analyst, working on a case, lists the actions for the EDR integration to see if there's an action to 'isolate_host'. - An automated script queries the available actions to ensure an action like 'suspend_user' exists before attempting to use it in a playbook.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). integration_id (str): The ID of the integration to list actions for (required). If "-" is provided, actions for all integrations will be listed. page_size (int, optional): The maximum number of actions to return in a single response. page_token (str, optional): A token for fetching a specific page of results, obtained from a previous call. filter (str, optional): A filter string to apply to the list of actions. Supported filter fields are Id, Author, DisplayName, Custom, HasJsonResult, and Integration. Example: "DisplayName:"Block IP" AND Author:"John Doe"" order_by (str, optional): A comma-separated list of fields to sort the results by. Supported fields are DisplayName, Author, and Custom. Example: "DisplayName asc"

Returns: ListIntegrationActionsResponse: A response object containing a list of IntegrationAction objects and a next_page_token if more results are available. Each IntegrationAction object contains the following key fields: - Name (str): The full resource name of the action. - DisplayName (str): The user-friendly name of the action. - Description (str): A summary of the action's purpose. - Author (str): The author of the action. - Enabled (bool): Whether the action is enabled. - Async (bool): Whether the action runs asynchronously. - Parameters (list of dict): A list of parameters that the action accepts. Each parameter dictionary contains fields like Name, Type, Required, and DefaultValue. Returns an error message if the parent integration is not found or the request is invalid.

Example Usage: # List all actions for a specific integration list_integration_actions(project_id='123', region='us', customer_id='abc', integration_id='my-edr-integration')

# Find a specific action by name
        list_integration_actions(project_id='123', region='us', customer_id='abc', integration_id='my-edr-integration')

        # List all actions across all integrations by using integration_id="-"
        list_integration_actions(project_id='123', region='us', customer_id='abc', integration_id='-')

Next Steps (using MCP-enabled tools): - Use 'get_integration_action' with an action's resource name to fetch its full details, including the script. - Use 'execute_manual_action' to run one of the discovered actions on a case or alert. Note: manual actions can ONLY be executed on open alerts (not closed ones).

The following sample demonstrate how to use curl to invoke the list_integration_actions MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_integration_actions",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListIntegrationActions.

ListIntegrationActionsRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "integrationId": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
integrationId

string

Integration ID.
pageSize

integer

The maximum number of integration actions to return.
pageToken

string

A token for fetching the next page of results.
filter

string

A filter to apply to the list of integration actions.
orderBy

string

The field to order the results by.

Output Schema

Response message for ListIntegrationActions.

ListIntegrationActionsResponse

JSON representation 
{
  "actions": [
    {
      object (IntegrationAction)
    }
  ],
  "nextPageToken": string,
  "totalSize": integer
}
Fields
actions[]

object (IntegrationAction)

The list of IntegrationActions.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.
totalSize

integer

Output only. Total number of IntegrationActions.

IntegrationAction

JSON representation 
{
  "name": string,
  "displayName": string,
  "script": string,
  "timeoutSeconds": integer,
  "asyncPollingIntervalSeconds": integer,
  "asyncTotalTimeoutSeconds": integer,
  "dynamicResults": [
    {
      object (DynamicResultMetadata)
    }
  ],
  "parameters": [
    {
      object (ActionParameter)
    }
  ],
  "integration": string,
  "integrationInstances": [
    {
      object (IntegrationInstance)
    }
  ],
  "id": string,

  // Union field _description can be only one of the following:
  "description": string
  // End of list of possible types for union field _description.

  // Union field _author can be only one of the following:
  "author": string
  // End of list of possible types for union field _author.

  // Union field _enabled can be only one of the following:
  "enabled": boolean
  // End of list of possible types for union field _enabled.

  // Union field _script_result_name can be only one of the following:
  "scriptResultName": string
  // End of list of possible types for union field _script_result_name.

  // Union field _async can be only one of the following:
  "async": boolean
  // End of list of possible types for union field _async.

  // Union field _default_result_value can be only one of the following:
  "defaultResultValue": string
  // End of list of possible types for union field _default_result_value.

  // Union field _widget_template_identifier can be only one of the following:
  "widgetTemplateIdentifier": string
  // End of list of possible types for union field _widget_template_identifier.

  // Union field _custom can be only one of the following:
  "custom": boolean
  // End of list of possible types for union field _custom.

  // Union field _has_json_result can be only one of the following:
  "hasJsonResult": boolean
  // End of list of possible types for union field _has_json_result.

  // Union field _dynamic_results_metadata_json can be only one of the following:
  "dynamicResultsMetadataJson": string
  // End of list of possible types for union field
  // _dynamic_results_metadata_json.

  // Union field _ai_generated can be only one of the following:
  "aiGenerated": boolean
  // End of list of possible types for union field _ai_generated.
}
Fields
name

string

Identifier. The unique name(ID) of the action. Format: projects/{project}/locations/{location}/instances/{instance}/integrations/{integration}/actions/{action}
displayName

string

Required. Action's definition name, limited to a maximum of 150 characters.
script

string

Required. Action's script, limited to a maximum size of 5MB.
timeoutSeconds

integer (uint32 format)

Required. Action timeout in seconds. The maximum allowed value is 1200 seconds.
asyncPollingIntervalSeconds

integer (uint32 format)

Optional. The async polling interval time in seconds. The maximum allowed value can not exceed total timeout secs. Relevant only for async actions
asyncTotalTimeoutSeconds

integer (uint32 format)

Optional. The total async polling interval timeout in seconds. The maximum allowed value is 14(days)x24x3600 = 1209600 secs. Relevant only for async actions
dynamicResults[]

object (DynamicResultMetadata)

Optional. List of dynamic results metadata. The max count for the items is 50.
parameters[]

object (ActionParameter)

Optional. Action's parameters. The max count for the items is 50.
integration

string

Output only. The parent integration identifier.
integrationInstances[]

object (IntegrationInstance)

Output only. The integration instances.
id

string (int64 format)

Output only. The action id.

Union field _description.

_description can be only one of the following:
description

string

Optional. Action's description, limited to a maximum or 400 characters.

Union field _author.

_author can be only one of the following:
author

string

Output only. User that created the action in the system.

Union field _enabled.

_enabled can be only one of the following:
enabled

boolean

Required. Determines whether the action is enabled or disabled.

Union field _script_result_name.

_script_result_name can be only one of the following:
scriptResultName

string

Required. The script result name. Describes the field name that holds the script result. Has a maximum character limit of 100 characters.

Union field _async.

_async can be only one of the following:
async

boolean

Required. Determines whether the action is async or not.

Union field _default_result_value.

_default_result_value can be only one of the following:
defaultResultValue

string

Optional. Action's default result value. Has a maximum character limit of 1000 characters.

Union field _widget_template_identifier.

_widget_template_identifier can be only one of the following:
widgetTemplateIdentifier

string

Output only. The widget template identifier. Relevant only for actions which contain a widget.

Union field _custom.

_custom can be only one of the following:
custom

boolean

Output only. Determines whether the action is custom or not.

Union field _has_json_result.

_has_json_result can be only one of the following:
hasJsonResult

boolean

Output only. Describes whether the action has a json result.

Union field _dynamic_results_metadata_json.

_dynamic_results_metadata_json can be only one of the following:
dynamicResultsMetadataJson

string

Output only. The dynamic results metadata json.

Union field _ai_generated.

_ai_generated can be only one of the following:
aiGenerated

boolean

Optional. Determines whether the action was generated by AI or not.

DynamicResultMetadata

JSON representation 
{

  // Union field _result_name can be only one of the following:
  "resultName": string
  // End of list of possible types for union field _result_name.

  // Union field _result_example can be only one of the following:
  "resultExample": string
  // End of list of possible types for union field _result_example.

  // Union field _display_result can be only one of the following:
  "displayResult": boolean
  // End of list of possible types for union field _display_result.
}
Fields

Union field _result_name.

_result_name can be only one of the following:
resultName

string

Output only. The result name.

Union field _result_example.

_result_example can be only one of the following:
resultExample

string

Optional. The result example. Has a maximum character limit of 100000 characters.

Union field _display_result.

_display_result can be only one of the following:
displayResult

boolean

Required. Determines whether to display the result.

ActionParameter

JSON representation 
{
  "id": integer,
  "actionId": integer,
  "optionalValues": [
    string
  ],

  // Union field _mandatory can be only one of the following:
  "mandatory": boolean
  // End of list of possible types for union field _mandatory.

  // Union field _default_value can be only one of the following:
  "defaultValue": string
  // End of list of possible types for union field _default_value.

  // Union field _display_name can be only one of the following:
  "displayName": string
  // End of list of possible types for union field _display_name.

  // Union field _type can be only one of the following:
  "type": enum (ActionParamType)
  // End of list of possible types for union field _type.

  // Union field _description can be only one of the following:
  "description": string
  // End of list of possible types for union field _description.
}
Fields
id

integer

Output only. The parameter's id.
actionId

integer

Output only. The action's id.
optionalValues[]

string

Optional. Parameter's optional values. The max count for the items is 50.

Union field _mandatory.

_mandatory can be only one of the following:
mandatory

boolean

Required. Describes whether the parameter is mandatory.

Union field _default_value.

_default_value can be only one of the following:
defaultValue

string

Optional. The default value of the parameter. Has a maximum character limit of 150 characters.

Union field _display_name.

_display_name can be only one of the following:
displayName

string

Required. The parameter's display name. Has a maximum character limit of 150 characters.

Union field _type.

_type can be only one of the following:
type

enum (ActionParamType)

Required. The parameter's type.

Union field _description.

_description can be only one of the following:
description

string

Required. The parameter's description. Has a maximum character limit of 150 characters.

IntegrationInstance

JSON representation 
{
  "name": string,
  "environment": string,
  "displayName": string,
  "parameters": [
    {
      object (IntegrationInstanceParameter)
    }
  ],
  "integrationIdentifier": string,
  "identifier": string,

  // Union field _description can be only one of the following:
  "description": string
  // End of list of possible types for union field _description.

  // Union field _configured can be only one of the following:
  "configured": boolean
  // End of list of possible types for union field _configured.

  // Union field _remote can be only one of the following:
  "remote": boolean
  // End of list of possible types for union field _remote.

  // Union field _agent can be only one of the following:
  "agent": string
  // End of list of possible types for union field _agent.

  // Union field _system_default can be only one of the following:
  "systemDefault": boolean
  // End of list of possible types for union field _system_default.
}
Fields
name

string

Identifier. The unique name of the integration instance. Format: projects/{project}/locations/{location}/instances/{instance}/integrations/{integration}/integrationInstances/{instance}
environment

string

Required. The integration instance environment.
displayName

string

Optional. The display name of the integration instance. Automatically generated if not assigned. Limited to 110 characters.
parameters[]

object (IntegrationInstanceParameter)

Optional. Integration's parameters.
integrationIdentifier

string

Output only. The integration identifier.
identifier

string

Output only. The integration instance identifier.

Union field _description.

_description can be only one of the following:
description

string

Optional. The integration instance description. Limited to 1500 characters.

Union field _configured.

_configured can be only one of the following:
configured

boolean

Output only. Determines whether the integration instance is configured.

Union field _remote.

_remote can be only one of the following:
remote

boolean

Output only. True if the integration instance is a remote instance. Instance is created with remote = false by default.

Union field _agent.

_agent can be only one of the following:
agent

string

Optional. The agent identifier for a remote integration instance

Union field _system_default.

_system_default can be only one of the following:
systemDefault

boolean

Output only. Indicates whether the integration instance is the system default.

IntegrationInstanceParameter

JSON representation 
{
  "id": string,
  "displayName": string,
  "type": enum (IntegrationParameterType),

  // Union field _description can be only one of the following:
  "description": string
  // End of list of possible types for union field _description.

  // Union field _property_name can be only one of the following:
  "propertyName": string
  // End of list of possible types for union field _property_name.

  // Union field _mandatory can be only one of the following:
  "mandatory": boolean
  // End of list of possible types for union field _mandatory.

  // Union field _value can be only one of the following:
  "value": string
  // End of list of possible types for union field _value.
}
Fields
id

string (int64 format)

Output only. The unique id of the integration instance parameter.
displayName

string

Output only. The integration instance parameter display name.
type

enum (IntegrationParameterType)

Output only. The integration instance parameter type.

Union field _description.

_description can be only one of the following:
description

string

Output only. The integration instance parameter description.

Union field _property_name.

_property_name can be only one of the following:
propertyName

string

Output only. The integration instance parameter property name.

Union field _mandatory.

_mandatory can be only one of the following:
mandatory

boolean

Output only. Indicates if the parameter is required when configuring the integration instance.

Union field _value.

_value can be only one of the following:
value

string

Optional. The parameter's value.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌