Tool: list_integration_actions
Lists all the actions for a given SOAR Integration. You can also list actions across all integrations by passing "-" as the integration_id.
Retrieves a paginated list of all available actions for a specific integration. Actions are the specific, executable functions that an integration provides, such as 'block_ip', 'get_user_details', or 'analyze_url'. This is useful for discovering the capabilities of a particular integration and what automated or manual steps can be taken.
Workflow Integration:- Populates a UI with a list of available actions for an analyst to choose from when building a playbook or taking manual action. - Enables automated systems to discover and validate the actions that can be executed through a specific integration before attempting to run them. - Essential for playbook development and for understanding the available automated capabilities of each integrated tool.
Use Cases:- A SOAR engineer lists the actions for a newly installed EDR integration to understand what it can do. - A security analyst, working on a case, lists the actions for the EDR integration to see if there's an action to 'isolate_host'. - An automated script queries the available actions to ensure an action like 'suspend_user' exists before attempting to use it in a playbook.
Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). integration_id (str): The ID of the integration to list actions for (required). If "-" is provided, actions for all integrations will be listed. page_size (int, optional): The maximum number of actions to return in a single response. page_token (str, optional): A token for fetching a specific page of results, obtained from a previous call. filter (str, optional): A filter string to apply to the list of actions. Supported filter fields are Id
, Author
, DisplayName
, Custom
, HasJsonResult
, and Integration
. Example: "DisplayName:"Block IP" AND Author:"John Doe"" order_by (str, optional): A comma-separated list of fields to sort the results by. Supported fields are DisplayName
, Author
, and Custom
. Example: "DisplayName asc"
Returns: ListIntegrationActionsResponse: A response object containing a list of IntegrationAction objects and a next_page_token if more results are available. Each IntegrationAction object contains the following key fields: - Name
(str): The full resource name of the action. - DisplayName
(str): The user-friendly name of the action. - Description
(str): A summary of the action's purpose. - Author
(str): The author of the action. - Enabled
(bool): Whether the action is enabled. - Async
(bool): Whether the action runs asynchronously. - Parameters
(list of dict): A list of parameters that the action accepts. Each parameter dictionary contains fields like Name
, Type
, Required
, and DefaultValue
. Returns an error message if the parent integration is not found or the request is invalid.
Example Usage: # List all actions for a specific integration list_integration_actions(project_id='123', region='us', customer_id='abc', integration_id='my-edr-integration')
# Find a specific action by name
list_integration_actions(project_id='123', region='us', customer_id='abc', integration_id='my-edr-integration')
# List all actions across all integrations by using integration_id="-"
list_integration_actions(project_id='123', region='us', customer_id='abc', integration_id='-')
Next Steps (using MCP-enabled tools): - Use 'get_integration_action' with an action's resource name to fetch its full details, including the script. - Use 'execute_manual_action' to run one of the discovered actions on a case or alert. Note: manual actions can ONLY be executed on open alerts (not closed ones).
The following sample demonstrate how to use curl
to invoke the list_integration_actions
MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "list_integration_actions", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } ' |
Input Schema
Request message for ListIntegrationActions.
ListIntegrationActionsRequest
| JSON representation |
|---|
{ "projectId" : string , "customerId" : string , "region" : string , "integrationId" : string , "pageSize" : integer , "pageToken" : string , "filter" : string , "orderBy" : string } |
| Fields | |
|---|---|
projectId
|
Project ID of the customer. |
customerId
|
Customer ID of the customer. |
region
|
Region of the customer. |
integrationId
|
Integration ID. |
pageSize
|
The maximum number of integration actions to return. |
pageToken
|
A token for fetching the next page of results. |
filter
|
A filter to apply to the list of integration actions. |
orderBy
|
The field to order the results by. |
Output Schema
Response message for ListIntegrationActions.
ListIntegrationActionsResponse
| JSON representation |
|---|
{
"actions"
:
[
{
object (
|
| Fields | |
|---|---|
actions[]
|
The list of IntegrationActions. |
nextPageToken
|
A token, which can be sent as |
totalSize
|
Output only. Total number of IntegrationActions. |
IntegrationAction
| JSON representation |
|---|
{ "name" : string , "displayName" : string , "script" : string , "timeoutSeconds" : integer , "asyncPollingIntervalSeconds" : integer , "asyncTotalTimeoutSeconds" : integer , "dynamicResults" : [ { object ( |
name
string
Identifier. The unique name(ID) of the action. Format: projects/{project}/locations/{location}/instances/{instance}/integrations/{integration}/actions/{action}
displayName
string
Required. Action's definition name, limited to a maximum of 150 characters.
script
string
Required. Action's script, limited to a maximum size of 5MB.
timeoutSeconds
integer ( uint32
format)
Required. Action timeout in seconds. The maximum allowed value is 1200 seconds.
asyncPollingIntervalSeconds
integer ( uint32
format)
Optional. The async polling interval time in seconds. The maximum allowed value can not exceed total timeout secs. Relevant only for async actions
asyncTotalTimeoutSeconds
integer ( uint32
format)
Optional. The total async polling interval timeout in seconds. The maximum allowed value is 14(days)x24x3600 = 1209600 secs. Relevant only for async actions
dynamicResults[]
object (
DynamicResultMetadata
)
Optional. List of dynamic results metadata. The max count for the items is 50.
parameters[]
object (
ActionParameter
)
Optional. Action's parameters. The max count for the items is 50.
integration
string
Output only. The parent integration identifier.
integrationInstances[]
object (
IntegrationInstance
)
Output only. The integration instances.
id
string ( int64
format)
Output only. The action id.
Union field _description
.
_description
can be only one of the following:
description
string
Optional. Action's description, limited to a maximum or 400 characters.
Union field _author
.
_author
can be only one of the following:
author
string
Output only. User that created the action in the system.
Union field _enabled
.
_enabled
can be only one of the following:
enabled
boolean
Required. Determines whether the action is enabled or disabled.
Union field _script_result_name
.
_script_result_name
can be only one of the following:
scriptResultName
string
Required. The script result name. Describes the field name that holds the script result. Has a maximum character limit of 100 characters.
Union field _async
.
_async
can be only one of the following:
async
boolean
Required. Determines whether the action is async or not.
Union field _default_result_value
.
_default_result_value
can be only one of the following:
defaultResultValue
string
Optional. Action's default result value. Has a maximum character limit of 1000 characters.
Union field _widget_template_identifier
.
_widget_template_identifier
can be only one of the following:
widgetTemplateIdentifier
string
Output only. The widget template identifier. Relevant only for actions which contain a widget.
Union field _custom
.
_custom
can be only one of the following:
custom
boolean
Output only. Determines whether the action is custom or not.
Union field _has_json_result
.
_has_json_result
can be only one of the following:
hasJsonResult
boolean
Output only. Describes whether the action has a json result.
Union field _dynamic_results_metadata_json
.
_dynamic_results_metadata_json
can be only one of the following:
dynamicResultsMetadataJson
string
Output only. The dynamic results metadata json.
Union field _ai_generated
.
_ai_generated
can be only one of the following:
aiGenerated
boolean
Optional. Determines whether the action was generated by AI or not.
DynamicResultMetadata
| JSON representation |
|---|
{ // Union field |
Union field _result_name
.
_result_name
can be only one of the following:
resultName
string
Output only. The result name.
Union field _result_example
.
_result_example
can be only one of the following:
resultExample
string
Optional. The result example. Has a maximum character limit of 100000 characters.
Union field _display_result
.
_display_result
can be only one of the following:
displayResult
boolean
Required. Determines whether to display the result.
ActionParameter
| JSON representation |
|---|
{ "id" : integer , "actionId" : integer , "optionalValues" : [ string ] , // Union field |
id
integer
Output only. The parameter's id.
actionId
integer
Output only. The action's id.
optionalValues[]
string
Optional. Parameter's optional values. The max count for the items is 50.
Union field _mandatory
.
_mandatory
can be only one of the following:
mandatory
boolean
Required. Describes whether the parameter is mandatory.
Union field _default_value
.
_default_value
can be only one of the following:
defaultValue
string
Optional. The default value of the parameter. Has a maximum character limit of 150 characters.
Union field _display_name
.
_display_name
can be only one of the following:
displayName
string
Required. The parameter's display name. Has a maximum character limit of 150 characters.
Union field _type
.
_type
can be only one of the following:
type
enum (
ActionParamType
)
Required. The parameter's type.
Union field _description
.
_description
can be only one of the following:
description
string
Required. The parameter's description. Has a maximum character limit of 150 characters.
IntegrationInstance
| JSON representation |
|---|
{ "name" : string , "environment" : string , "displayName" : string , "parameters" : [ { object ( |
name
string
Identifier. The unique name of the integration instance. Format: projects/{project}/locations/{location}/instances/{instance}/integrations/{integration}/integrationInstances/{instance}
environment
string
Required. The integration instance environment.
displayName
string
Optional. The display name of the integration instance. Automatically generated if not assigned. Limited to 110 characters.
parameters[]
object (
IntegrationInstanceParameter
)
Optional. Integration's parameters.
integrationIdentifier
string
Output only. The integration identifier.
identifier
string
Output only. The integration instance identifier.
Union field _description
.
_description
can be only one of the following:
description
string
Optional. The integration instance description. Limited to 1500 characters.
Union field _configured
.
_configured
can be only one of the following:
configured
boolean
Output only. Determines whether the integration instance is configured.
Union field _remote
.
_remote
can be only one of the following:
remote
boolean
Output only. True if the integration instance is a remote instance. Instance is created with remote = false by default.
Union field _agent
.
_agent
can be only one of the following:
agent
string
Optional. The agent identifier for a remote integration instance
Union field _system_default
.
_system_default
can be only one of the following:
systemDefault
boolean
Output only. Indicates whether the integration instance is the system default.
IntegrationInstanceParameter
| JSON representation |
|---|
{ "id" : string , "displayName" : string , "type" : enum ( |
id
string ( int64
format)
Output only. The unique id of the integration instance parameter.
displayName
string
Output only. The integration instance parameter display name.
type
enum (
IntegrationParameterType
)
Output only. The integration instance parameter type.
Union field _description
.
_description
can be only one of the following:
description
string
Output only. The integration instance parameter description.
Union field _property_name
.
_property_name
can be only one of the following:
propertyName
string
Output only. The integration instance parameter property name.
Union field _mandatory
.
_mandatory
can be only one of the following:
mandatory
boolean
Output only. Indicates if the parameter is required when configuring the integration instance.
Union field _value
.
_value
can be only one of the following:
value
string
Optional. The parameter's value.
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
