MCP Tools Reference: chronicle.googleapis.com

Tool: list_playbooks

Lists all available playbooks for a given Chronicle instance.

Retrieves a list of all configured playbooks (automated workflows), allowing users to see the available automated response and investigation capabilities. This is useful for discovering what playbooks can be run on cases or alerts.

Workflow Integration: - Used to populate a UI with a list of available playbooks for manual execution on a case or alert. - Enables automated systems to discover and select appropriate playbooks to run based on incident criteria. - Essential for auditing and managing the inventory of automated workflows in the SOAR platform.

Use Cases: - A security analyst lists available playbooks to decide which one to run on a newly created case. - A SOAR engineer reviews the list of all playbooks to identify any that need to be updated or retired. - An automated script queries for playbooks of a specific type (e.g., 'REGULAR') to perform bulk operations.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). playbook_types (list of str, required, must not be empty list): A list of playbook types to filter the results. Supported values are 'REGULAR' and 'NESTED'. Must contain at least one value.

Returns: A response object containing a list of playbooks. Each playbook includes details such as its name, identifier, creator, type ('REGULAR' or 'NESTED'), and whether it is enabled. Returns an error message if the parent instance is not found or the request is invalid.

Example Usage: # List all playbooks for a specific instance list_playbooks(project_id='123', region='us', customer_id='abc', playbook_types=['REGULAR', 'NESTED'])

# List only regular playbooks
        list_playbooks(project_id='123', region='us', customer_id='abc', playbook_types=['REGULAR'])

Next Steps (using MCP-enabled tools): - Use 'playbook_instances' to see instances of a specific playbook that have been run. - Use other playbook tools to get more details or execute a playbook.

The following sample demonstrate how to use curl to invoke the list_playbooks MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_playbooks",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListPlaybooks.

ListPlaybooksRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "playbookTypes": [
    enum (PlaybookType)
  ]
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
playbookTypes[]

enum (PlaybookType)

Playbook types to filter.

Output Schema

LegacyPlaybookGetWorkflowMenuCardsWithEnvFilterResponse is a response for getting the workflows that contains action.

LegacyPlaybookGetWorkflowMenuCardsWithEnvFilterResponse

JSON representation 
{
  "payload": [
    {
      object (ApiWorkflowMenuCardDefinitionDataModel)
    }
  ]
}
Fields
payload[]

object (ApiWorkflowMenuCardDefinitionDataModel)

Optional. The workflow menu cards.

ApiWorkflowMenuCardDefinitionDataModel

JSON representation 
{
  "id": string,
  "identifier": string,
  "originalWorkflowIdentifier": string,
  "name": string,
  "creator": string,
  "creatorFullName": string,
  "priority": integer,
  "categoryId": integer,
  "categoryName": string,
  "environments": [
    string
  ],
  "creationTime": string,
  "creationTimeUnixTimeInMs": string,
  "modificationTimeUnixTimeInMs": string,
  "playbookType": enum (PlaybookType),

  // Union field _is_enabled can be only one of the following:
  "isEnabled": boolean
  // End of list of possible types for union field _is_enabled.

  // Union field _is_debug_mode can be only one of the following:
  "isDebugMode": boolean
  // End of list of possible types for union field _is_debug_mode.

  // Union field _has_restricted_environments can be only one of the following:
  "hasRestrictedEnvironments": boolean
  // End of list of possible types for union field _has_restricted_environments.
}
Fields
id

string (int64 format)

Required. Id is the unique identifier.
identifier

string

Required. The identifier of the workflow menu card.
originalWorkflowIdentifier

string

Required. OriginalWorkflowIdentifier is the identifier of the original workflow.
name

string

Required. Name is the name of the workflow.
creator

string

Required. Creator is the creator of the workflow.
creatorFullName

string

Required. The full name of the creator of the workflow.
priority

integer

Required. Priority is the priority of the workflow.
categoryId

integer

Optional. CategoryId is the identifier of the category.
categoryName

string

Optional. CategoryName is the name of the category.
environments[]

string

Optional. Environments is a list of environments the workflow is enabled on.
creationTime

string (Timestamp format)

Optional. CreationTime is the original workflow creation time. Represents DateTime CreationTime as unix time

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
creationTimeUnixTimeInMs

string (int64 format)

Required. CreationTimeUnixTimeInMs is the current workflow record creation time. Represents DateTime CreationTimeUnixTimeInMs as unix time
modificationTimeUnixTimeInMs

string (int64 format)

Required. ModificationTimeUnixTimeInMs is the modification time of the workflow. Represents DateTime ModificationTimeUnixTimeInMs as unix time
playbookType

enum (PlaybookType)

Required. PlaybookType is the type of playbook.

Union field _is_enabled.

_is_enabled can be only one of the following:
isEnabled

boolean

Optional. IsEnabled indicates if the workflow is enabled.

Union field _is_debug_mode.

_is_debug_mode can be only one of the following:
isDebugMode

boolean

Optional. IsDebugMode indicates if debug mode is enabled for the workflow.

Union field _has_restricted_environments.

_has_restricted_environments can be only one of the following:
hasRestrictedEnvironments

boolean

Optional. HasRestrictedEnvironments indicates if the workflow has restricted environments.

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌