MCP Tools Reference: chronicle.googleapis.com

Tool: list_integrations

Lists all SOAR Integrations for a given Chronicle instance. The name field in the response contains the resource name of the integration, ending with the integration ID (e.g., projects/.../integrations/{integration_id}). This integration ID is required to use the list_integration_actions and list_integration_instances tools.

Retrieves a paginated list of all configured integrations, which connect Chronicle SOAR to third-party tools and services. This is useful for discovering what capabilities are available for automation, enrichment, and response actions within playbooks.

Workflow Integration: - Used to populate a UI with a list of available integrations for an analyst to review and manage. - Enables automated systems to discover and verify that required integrations are present before executing a playbook that depends on them. - Essential for auditing and managing the inventory of all third-party connections in the SOAR platform.

Use Cases: - A security analyst lists available integrations to understand what tools can be used for an investigation (e.g., endpoint protection, threat intelligence feeds). - A SOAR engineer reviews the list of all integrations to identify any that need to be updated, configured, or retired. - An automated script queries for a specific integration by name to ensure it is installed before running a playbook that uses its actions.

Filtering and Ordering: - The 'order_by' parameter controls the sorting of the returned integrations by fields like 'DisplayName', 'Version', or 'Custom'.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). page_size (int, optional): The maximum number of integrations to return in a single response. If unspecified, the server will use a default page size. page_token (str, optional): A token for fetching a specific page of results, obtained from a previous call. filter (str, optional): A filter string to apply to the list of integrations. Supported filter fields are Id, Identifier, Custom, Certified, ProductionIdentifier, and Type. order_by (str, optional): A comma-separated list of fields to sort the results by. Example: "display_name, version desc"

Returns: ListIntegrationsResponse: A response object containing a list of Integration objects and a next_page_token if more results are available. Each Integration object contains the following key fields: - Name (str): The full resource name of the integration, ending with the integration ID. - Identifier (str): The unique script identifier for the integration (e.g., "SiemplifyUtilities"). - DisplayName (str): The user-friendly name of the integration. - Version (str): The version of the integration. - Description (str): A summary of the integration's purpose. - Type (str): The type of integration (e.g., "SDK", "SCRIPT"). - Custom (bool): Whether the integration is custom. - Certified (bool): Whether the integration is certified. - UpdateAvailable (bool): Indicates if a newer version of the integration is available. - LatestVersion (str): The latest available version string. Returns an error message if the parent instance is not found or the request is invalid.

Example Usage: # List all integrations for a specific instance list_integrations(project_id='123', region='us', customer_id='abc')

# List integrations matching a specific identifier
        list_integrations(project_id='123', region='us', customer_id='abc', filter='Identifier="SiemplifyUtilities"')

Next Steps (using MCP-enabled tools): - Use the integration ID from an integration's name with list_integration_instances to list its configured instances and find the IntegrationInstance GUID needed for execute_manual_action. - Use 'list_integration_actions' to discover the specific actions (e.g., 'block_ip', 'get_user_details') available for a particular integration.

The following sample demonstrate how to use curl to invoke the list_integrations MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_integrations",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListIntegrations.

ListIntegrationsRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string,
  "orderBy": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
pageSize

integer

The maximum number of integrations to return.
pageToken

string

A token for fetching the next page of results.
filter

string

A filter to apply to the list of integrations.
orderBy

string

The field to order the results by.

Output Schema

ListIntegrationsResponse contains the list of Integrations.

ListIntegrationsResponse

JSON representation 
{
  "integrations": [
    {
      object (Integration)
    }
  ],
  "nextPageToken": string
}
Fields
integrations[]

object (Integration)

The list of Integrations, ordered by display_name.
nextPageToken

string

Optional. A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Integration

JSON representation 
{
  "name": string,
  "version": string,
  "displayName": string,
  "description": string,
  "imageBase64": string,
  "svgIcon": string,
  "pythonVersion": enum (PythonVersion),
  "parameters": [
    {
      object (IntegrationParameter)
    }
  ],
  "categories": [
    string
  ],
  "productionIdentifier": string,
  "identifier": string,
  "type": enum (IntegrationType),
  "updateAvailable": boolean,
  "latestVersion": string,

  // Union field _custom can be only one of the following:
  "custom": boolean
  // End of list of possible types for union field _custom.

  // Union field _certified can be only one of the following:
  "certified": boolean
  // End of list of possible types for union field _certified.

  // Union field _staging can be only one of the following:
  "staging": boolean
  // End of list of possible types for union field _staging.
}
Fields
name

string

Identifier. The unique name of the integration. Format: projects/{project}/locations/{location}/instances/{instance}/integrations/{integration}
version

string

Output only. The version of the integration.
displayName

string

Required. The display name of the integration, limited to 150 characters.
description

string

Optional. The integration's description (maximum 1,500 characters).
imageBase64

string (bytes format)

Optional. The integration's image, encoded as a base64 string (maximum size: 5 MB).

A base64-encoded string.
svgIcon

string

Optional. The integration's SVG icon (maximum size: 1 MB).
pythonVersion

enum (PythonVersion)

Optional. The integration's Python version.
parameters[]

object (IntegrationParameter)

Optional. Integration's parameters, limited to 50 parameters per integration.
categories[]

string

Optional. Integration's categories, limited to 50 categories per integration.
productionIdentifier

string

Output only. Integration's production identifier for staging integrations. For production integrations, this field will be null.
identifier

string

Output only. The integration's identifier.
type

enum (IntegrationType)

Optional. The integration's type (response/extension).
updateAvailable

boolean

Output only. True if the integration has an update available.
latestVersion

string

Output only. The latest version of the integration.

Union field _custom.

_custom can be only one of the following:
custom

boolean

Output only. Determines if the integration is a custom integration or commercial integration.

Union field _certified.

_certified can be only one of the following:
certified

boolean

Output only. Determines if the integration is Chronicle certified or not. Custom integrations are not certified. Community integrations can be certified even when not commercial.

Union field _staging.

_staging can be only one of the following:
staging

boolean

Required. True if the integration is in staging mode.

IntegrationParameter

JSON representation 
{
  "id": integer,
  "defaultValue": string,
  "displayName": string,
  "propertyName": string,
  "type": enum (ParamType),
  "description": string,

  // Union field _mandatory can be only one of the following:
  "mandatory": boolean
  // End of list of possible types for union field _mandatory.
}
Fields
id

integer

Identifier. The parameter's ID.
defaultValue

string

Optional. The default value of the parameter.
displayName

string

Required. The parameter display name, limited to 150 characters.
propertyName

string

Required. The integration instance parameter property name, limited to 150 characters.
type

enum (ParamType)

Required. The parameter's type.
description

string

Optional. The parameter's description, limited to 400 characters.

Union field _mandatory.

_mandatory can be only one of the following:
mandatory

boolean

Required. Indicates if the parameter is required when configuring the integration instance.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌