Tool: update_reference_list
Update an existing reference list in Chronicle SIEM.
Updates the contents or description of an existing reference list. This is useful for maintaining current threat intelligence, updating allowlists/blocklists, or modifying reference data as your security requirements evolve.
Workflow Integration:
- Use to keep reference lists current with the latest threat intelligence or policy changes.
- Essential for maintaining accurate security reference data used in detection rules.
- Enables automated reference list updates as part of threat intelligence feeds.
- Supports operational workflows that modify security policies or allowlists.
Use Cases:
- Update threat intelligence lists with newly discovered IOCs.
- Modify allowlists to include new trusted domains or IP ranges.
- Remove outdated or invalid entries from reference lists.
- Update user lists as organizational structure changes.
- Refresh regex patterns to improve detection accuracy.
Update Behavior:
- If entries are provided, they completely replace the existing entries. There is no append or partial update: to add or remove a few entries, read the current list first (get_reference_list), apply the change locally, and send the full resulting list. Any entry you do not resend is dropped, and every detection rule that references the list evaluates against the new contents from then on.
- If description is provided, it updates the reference list description.
- At least one of entries or description must be provided.
- An update_mask is automatically generated based on the arguments supplied, so only the fields you pass are touched.
Args:
- name (str): The ID of the existing reference list to update.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- entries (Optional[List[str]]): New list of strings to replace existing entries.
- description (Optional[str]): New description for the reference list.
Returns: str: Success message with details about the updated reference list. Returns error message if update fails.
Example Usage:

```python
# Update entries in an admin accounts list
update_reference_list(
    name="admin_accounts",
    entries=["admin", "administrator", "root", "system", "service", "superuser"],
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)

# Update description only
update_reference_list(
    name="admin_accounts",
    description="Updated administrative user accounts for enhanced privilege monitoring",
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)

# Update both entries and description
update_reference_list(
    name="trusted_networks",
    entries=["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "203.0.113.0/24"],
    description="Updated trusted network ranges including new office location",
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)
```
Next Steps (using MCP-enabled tools):
- Verify the updates using get_reference_list to confirm changes were applied correctly.
- Test detection rules that reference the updated list to ensure they work as expected.
- Monitor detection rule performance to assess the impact of the changes.
- Document the reason for updates for audit and operational tracking.
- Communicate significant changes to teams that rely on the reference list.
The following sample demonstrates how to use curl to invoke the update_reference_list MCP tool.

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "update_reference_list",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```

Replace the `//` placeholder with the fields listed in the Input Schema below; the comment is only a marker and is not valid JSON, so a request sent with it in place will be rejected.
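Because entries are replaced wholesale (see Update Behavior), the safe pattern is read, merge, validate, then send. The helper below is an added example, not code from the Chronicle documentation or SDK: it merges additions and removals into the list you already fetched, checks the entries against the limits stated in the schemas on this page (512 characters per entry, 6MB combined) and against the list's syntax type, and builds the JSON-RPC `tools/call` envelope from the curl sample. Argument keys follow the Input Schema (`projectId`, `customerId`); the syntax type names `STRING`, `CIDR` and `REGEX` are assumptions, since the page only says a syntax type controls validation, and the current entries are a constructed sample standing in for a get_reference_list result.

```python
"""Read-modify-write helper for the update_reference_list MCP tool.

Added example; not part of the Chronicle documentation or SDK. Builds the
request offline and does not send it.
"""
import ipaddress
import json
import re

MAX_ENTRY_LEN = 512                 # per-entry limit (ReferenceListEntry.value)
MAX_TOTAL_BYTES = 6 * 1024 * 1024   # combined-size limit (ReferenceList.entries)


def validate_entries(entries, syntax_type):
    """Return a list of problems; an empty list means the entries are acceptable.

    syntax_type is one of "STRING", "CIDR", "REGEX" (assumed names).
    """
    problems = []
    seen = set()
    for e in entries:
        if len(e) > MAX_ENTRY_LEN:
            problems.append(f"too long ({len(e)} chars): {e[:40]}...")
        if e in seen:
            problems.append(f"duplicate: {e}")
        seen.add(e)
        if syntax_type == "CIDR":
            try:
                # strict=True rejects blocks with host bits set, e.g. 10.0.0.1/8
                ipaddress.ip_network(e, strict=True)
            except ValueError:
                problems.append(f"not a valid CIDR block: {e}")
        elif syntax_type == "REGEX":
            try:
                re.compile(e)
            except re.error as exc:
                problems.append(f"invalid regex {e!r}: {exc}")
    total = sum(len(e.encode("utf-8")) for e in entries)
    if total > MAX_TOTAL_BYTES:
        problems.append(f"combined size {total} bytes exceeds 6MB")
    return problems


def merge_entries(current, add=(), remove=()):
    """Compute the full replacement list: keep the existing order, drop
    removals, append new entries that are not already present."""
    removal = set(remove)
    merged = [e for e in current if e not in removal]
    for e in add:
        if e not in merged and e not in removal:
            merged.append(e)
    return merged


def build_update_request(name, project_id, customer_id, region,
                         entries=None, description=None, request_id=1):
    """JSON-RPC 2.0 envelope for tools/call, keyed as in the Input Schema."""
    if entries is None and description is None:
        raise ValueError("at least one of entries or description is required")
    args = {"projectId": project_id, "customerId": customer_id,
            "region": region, "name": name}
    if entries is not None:
        args["entries"] = list(entries)
    if description is not None:
        args["description"] = description
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "update_reference_list", "arguments": args}}


# Constructed sample: what get_reference_list currently returns for trusted_networks.
CURRENT_TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]


def example_request():
    """Add the new office range without wiping the ranges already in the list."""
    new = merge_entries(CURRENT_TRUSTED_NETWORKS, add=["203.0.113.0/24"])
    problems = validate_entries(new, "CIDR")
    if problems:
        raise ValueError("refusing to update: " + "; ".join(problems))
    return build_update_request("trusted_networks", "my-project", "my-customer", "us",
                                entries=new,
                                description="Trusted network ranges including new office")


if __name__ == "__main__":
    print(json.dumps(example_request(), indent=2))
```

Pipe the printed JSON into the `--data` argument of the curl sample above. Refusing to send when validation fails matters more than it looks: a single malformed CIDR or regex entry would otherwise replace a working list with one that every dependent rule then evaluates.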
Input Schema
Request message for UpdateReferenceList.
UpdateReferenceListRequest
JSON representation:

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "name": string,
  "description": string,
  "entries": [ string ]
}
```
| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| name | Name of the reference list to update. |
| description | Description of the reference list. |
| entries[] | Entries of the reference list. |
Output Schema
A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules.
ReferenceList
JSON representation:

```
{ "name": string, "displayName": string, "revisionCreateTime": string, "description": string, "entries": [ { object (
```
| Field | Description |
|---|---|
| name | Identifier. The resource name of the reference list. Format: |
| displayName | Output only. The unique display name of the reference list. |
| revisionCreateTime | Output only. The timestamp when the reference list was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| description | Required. A user-provided description of the reference list. |
| entries[] | Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. |
| rules[] | Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. |
| syntaxType | Required. The syntax type indicating how list entries should be validated. |
| ruleAssociationsCount | Output only. The count of self-authored rules using the reference list. |
| scopeInfo | The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. |
Timestamp
JSON representation:

```
{ "seconds": string, "nanos": integer }
```
| Field | Description |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
ReferenceListEntry
JSON representation:

```
{ "value": string }
```
| Field | Description |
|---|---|
| value | Required. The value of the entry. Maximum length is 512 characters. |
ScopeInfo
JSON representation:

```
{ "referenceListScope": { object (
```
| Field | Description |
|---|---|
| referenceListScope | Required. The list of scope names of the reference list; if the list is empty, the reference list is treated as unscoped. |
ReferenceListScope
JSON representation:

```
{ "scopeNames": [ string ] }
```
| Field | Description |
|---|---|
| scopeNames[] | Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌