Tool: list_playbooks
Lists all available playbooks for a given Chronicle instance.
Retrieves a list of all configured playbooks (automated workflows), allowing users to see the available automated response and investigation capabilities. This is useful for discovering what playbooks can be run on cases or alerts.
Workflow Integration:- Used to populate a UI with a list of available playbooks for manual execution on a case or alert. - Enables automated systems to discover and select appropriate playbooks to run based on incident criteria. - Essential for auditing and managing the inventory of automated workflows in the SOAR platform.
Use Cases:- A security analyst lists available playbooks to decide which one to run on a newly created case. - A SOAR engineer reviews the list of all playbooks to identify any that need to be updated or retired. - An automated script queries for playbooks of a specific type (e.g., 'REGULAR') to perform bulk operations.
Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). playbook_types (list of str, required, must not be empty list): A list of playbook types to filter the results. Supported values are 'REGULAR' and 'NESTED'. Must contain at least one value.
Returns: A response object containing a list of playbooks. Each playbook includes details such as its name, identifier, creator, type ('REGULAR' or 'NESTED'), and whether it is enabled. Returns an error message if the parent instance is not found or the request is invalid.
Example Usage: # List all playbooks for a specific instance list_playbooks(project_id='123', region='us', customer_id='abc', playbook_types=['REGULAR', 'NESTED'])
# List only regular playbooks
list_playbooks(project_id='123', region='us', customer_id='abc', playbook_types=['REGULAR'])
Next Steps (using MCP-enabled tools): - Use 'playbook_instances' to see instances of a specific playbook that have been run. - Use other playbook tools to get more details or execute a playbook.
The following sample demonstrate how to use curl
to invoke the list_playbooks
MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "list_playbooks", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } ' |
Input Schema
Request message for ListPlaybooks.
ListPlaybooksRequest
| JSON representation |
|---|
{
"projectId"
:
string
,
"customerId"
:
string
,
"region"
:
string
,
"playbookTypes"
:
[
enum (
|
| Fields | |
|---|---|
projectId
|
Project ID of the customer. |
customerId
|
Customer ID of the customer. |
region
|
Region of the customer. |
playbookTypes[]
|
Playbook types to filter. |
Output Schema
LegacyPlaybookGetWorkflowMenuCardsWithEnvFilterResponse is a response for getting the workflows that contains action.
LegacyPlaybookGetWorkflowMenuCardsWithEnvFilterResponse
| JSON representation |
|---|
{
"payload"
:
[
{
object (
|
| Fields | |
|---|---|
payload[]
|
Optional. The workflow menu cards. |
ApiWorkflowMenuCardDefinitionDataModel
| JSON representation |
|---|
{ "id" : string , "identifier" : string , "originalWorkflowIdentifier" : string , "name" : string , "creator" : string , "creatorFullName" : string , "priority" : integer , "categoryId" : integer , "categoryName" : string , "environments" : [ string ] , "creationTime" : string , "creationTimeUnixTimeInMs" : string , "modificationTimeUnixTimeInMs" : string , "playbookType" : enum ( |
id
string ( int64
format)
Required. Id is the unique identifier.
identifier
string
Required. The identifier of the workflow menu card.
originalWorkflowIdentifier
string
Required. OriginalWorkflowIdentifier is the identifier of the original workflow.
name
string
Required. Name is the name of the workflow.
creator
string
Required. Creator is the creator of the workflow.
creatorFullName
string
Required. The full name of the creator of the workflow.
priority
integer
Required. Priority is the priority of the workflow.
categoryId
integer
Optional. CategoryId is the identifier of the category.
categoryName
string
Optional. CategoryName is the name of the category.
environments[]
string
Optional. Environments is a list of environments the workflow is enabled on.
creationTime
string (
Timestamp
format)
Optional. CreationTime is the original workflow creation time. Represents DateTime CreationTime as unix time
Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z"
, "2014-10-02T15:01:23.045123456Z"
or "2014-10-02T15:01:23+05:30"
.
creationTimeUnixTimeInMs
string ( int64
format)
Required. CreationTimeUnixTimeInMs is the current workflow record creation time. Represents DateTime CreationTimeUnixTimeInMs as unix time
modificationTimeUnixTimeInMs
string ( int64
format)
Required. ModificationTimeUnixTimeInMs is the modification time of the workflow. Represents DateTime ModificationTimeUnixTimeInMs as unix time
playbookType
enum (
PlaybookType
)
Required. PlaybookType is the type of playbook.
Union field _is_enabled
.
_is_enabled
can be only one of the following:
isEnabled
boolean
Optional. IsEnabled indicates if the workflow is enabled.
Union field _is_debug_mode
.
_is_debug_mode
can be only one of the following:
isDebugMode
boolean
Optional. IsDebugMode indicates if debug mode is enabled for the workflow.
Union field _has_restricted_environments
.
_has_restricted_environments
can be only one of the following:
hasRestrictedEnvironments
boolean
Optional. HasRestrictedEnvironments indicates if the workflow has restricted environments.
Timestamp
| JSON representation |
|---|
{ "seconds" : string , "nanos" : integer } |
| Fields | |
|---|---|
seconds
|
Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
nanos
|
Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
