MCP Tools Reference: chronicle.googleapis.com

Tool: list_log_types

List all log types available for a customer.

Retrieves a list of all available log types for a specific customer, which is useful for discovering what log sources are configured.

Agent Responsibilities:

  • The response is a JSON object. The agent should access the log_types key to get a list of log type objects.
  • Each object in the list contains details about a log type, such as name and display_name.
  • The name field contains the full resource name, from which the log type identifier can be extracted.
  • If the response contains a next_page_token, it indicates that more results are available. The agent should use this token in a subsequent call to retrieve the next page.
  • The agent should not present the raw JSON. Instead, it should format the output as a human-readable list, for example, using a table or a bulleted list.

Workflow Integration:

  • Use to discover the available log types for a customer before creating a new parser or feed.
  • Helpful for validating that a log_type string is correct before using it in other tools.

Example Usage:

  • list_log_types(projectId="my-project", customerId="my-customer", region="us")
  • list_log_types(projectId="my-project", customerId="my-customer", region="us", filter="display_name:OKTA")

The following sample demonstrate how to use curl to invoke the list_log_types MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_log_types",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListLogTypes.

ListLogTypesRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string
}
Fields
projectId

string

Required. Google Cloud project ID.
customerId

string

Required. Chronicle customer ID.
region

string

Required. Chronicle region (e.g., "us", "europe").
pageSize

integer

The maximum number of log types to return. The service may return fewer than this value.
pageToken

string

A page token, received from a previous list_log_types call. Provide this to retrieve the subsequent page.
filter

string

A filter to be applied to the list of log types.

Output Schema

Response message for listing log types.

ListLogTypesResponse

JSON representation 
{
  "logTypes": [
    {
      object (LogType)
    }
  ],
  "nextPageToken": string
}
Fields
logTypes[]

object (LogType)

The log types from the specified chronicle instance.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

LogType

JSON representation 
{
  "name": string,
  "customLogTypeLabel": string,
  "displayName": string,
  "golden": boolean,
  "productSource": string,
  "isCustom": boolean,
  "hasCustomParser": boolean,
  "lastIngestedTime": string,
  "feedCount": integer,
  "parserType": enum (ParserType),
  "collectionTime": string
}
Fields
name

string

Output only. The resource name of this log type. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{log_type}
customLogTypeLabel

string

Output only. the custom log type label
displayName

string

Required. The display name of this log type. This is the tag used in YARA-l rules and search queries.
golden

boolean

Output only. Whether a LogType is a 'Golden' log type or not. LogTypes that support rapid customer onboarding are considered 'Golden' log types.
productSource

string

Required. This is what users see in the UI to identify the logtype while creating feed.
isCustom

boolean

Required. Whether the log type is custom or globally available.
hasCustomParser

boolean

Required. The log type could be custom logtype but still be using prebuilt parser. If this is set to true that means that there is a custom parser for this log type. ( deprecated )
lastIngestedTime

string (Timestamp format)

Required. The last time the log type was ingested.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
feedCount

integer

Output only. The number of feeds that are ingested for this log type. This field is populated from FeedManagementService and will be -1 if the feed count cannot be determined due to an error.
parserType

enum (ParserType)

Required. The type of parser used for this log type. (custom/prebuilt/-)
collectionTime

string (Timestamp format)

Output only. The time of the most recent log collection for this log type. If there has been no log collection yet, this field will not be set.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌