MCP Tools Reference: chronicle.googleapis.com

Tool: add_rows_to_data_table

Add rows to an existing data table in Chronicle SIEM.

Adds new data rows to an existing data table, expanding the dataset available for detection rules. This is useful for maintaining and growing your threat intelligence, asset inventories, or other contextual data used in security detection. The tool is designed to be smart and can often infer the correct row structure from natural language prompts.

Agent Responsibilities:

1. Format Rows: The rows argument must be a list of objects, where each object has a "values" key. The value for "values" should be a list of strings representing the data for each column in that row. The agent should intelligently convert user input into this structure. For example, if a user provides [['a', 'b'], ['c', 'd']], the agent should transform it to [{"values": ["a", "b"]}, {"values": ["c", "d"]}] before calling the tool.

2. Handle Bad Request (400) Errors: If the API returns a 400 Bad Request error, it almost always means the provided rows data is invalid. This could be due to:
   - An incorrect number of values in an inner list (not matching the table's column count).
   - Data of the wrong type (e.g., "abc" for a CIDR column).
   - Mismatched schema.
   If this error occurs, the agent MUST inform the user, explain the likely cause, and provide a clear example of the correct rows format based on the target table's schema (which may require using list_data_tables with view="DATA_TABLE_VIEW_FULL" to find the schema if unknown).

3. Respect API Limits: The request should contain a maximum of 1000 rows, and the total size of the row data should be less than 4MB. The agent must handle batching for larger datasets.

Workflow Integration:
- Use to continuously update data tables with new threat intelligence or asset information.
- Essential for maintaining current and accurate contextual data for detection rules.
- Enables automated data table updates as part of threat intelligence feeds.
- Supports operational workflows that add new entities or update security contexts.

Use Cases:
- Add newly discovered malicious IP addresses to threat intelligence tables.
- Update asset inventories with new systems or changed criticality ratings.
- Expand user role mappings as organizational structure changes.
- Add new IOCs from threat intelligence feeds to detection enhancement tables.
- Populate exception lists to reduce false positives in detection rules.

Data Consistency:
- Ensure new rows match the table's column schema and data types.
- Validate data quality to maintain detection rule effectiveness.
- Consider deduplication to avoid redundant entries in the table.

Args:
- table_name (str): Name of the existing data table.
- rows (List[Dict[str, List[str]]]): A list of row objects. Each object must have a "values" key containing a list of strings for that row's columns. Example: [{"values": ["val1", "val2"]}, {"values": ["val3", "val4"]}].
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).

Returns: str: Success message with details about the added rows from the API response. Returns error message if row addition fails.

Example Usage:

# Add new suspicious IP addresses
add_rows_to_data_table(
    table_name="suspicious_ips",
    rows=[
        {"values": ["172.16.0.1", "Low", "Unusual outbound connection", "true"]},
        {"values": ["192.168.2.200", "Critical", "Data exfiltration attempt", "true"]}
    ],
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)

Next Steps (using MCP-enabled tools):
- Verify the rows were added correctly using list_data_table_rows.
- Test detection rules that reference the updated table to ensure they work as expected.
- Monitor detection rule performance to assess the impact of the new data.
- Consider setting up automated processes to regularly update the table.
- Document the data sources and update procedures for operational teams.

The following sample demonstrates how to use curl to invoke the add_rows_to_data_table MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "add_rows_to_data_table",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
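The row-shaping, validation and batching steps listed under Agent Responsibilities, together with the JSON-RPC envelope of the curl sample above, as an added Python example that is not part of this reference and not the Chronicle MCP server's own code. The suspicious_ips column schema, the snake_case argument keys (taken from the tool's Args rather than the camelCase wire fields of BulkCreateDataTableRowsRequest), and the sample rows are constructed assumptions; the 1000-row and 4MB limits are the ones stated on this page.

```python
import ipaddress
import json

MAX_ROWS_PER_REQUEST = 1000              # limit stated under "Respect API Limits"
MAX_BYTES_PER_REQUEST = 4 * 1024 * 1024  # row data must stay below 4MB per request

# Constructed schema for a hypothetical "suspicious_ips" table. It stands in
# for what list_data_tables with view="DATA_TABLE_VIEW_FULL" would return.
SUSPICIOUS_IPS_SCHEMA = [
    ("ip", "CIDR"),
    ("severity", "STRING"),
    ("reason", "STRING"),
    ("active", "STRING"),
]


def to_row_objects(raw_rows):
    """Turn [['a', 'b'], ['c', 'd']] into [{"values": ["a", "b"]}, ...].
    Rows already shaped as {"values": [...]} pass through unchanged."""
    rows = []
    for r in raw_rows:
        values = r["values"] if isinstance(r, dict) and "values" in r else list(r)
        rows.append({"values": [str(v) for v in values]})
    return rows


def validate_rows(rows, schema):
    """Catch client-side the causes of a 400 Bad Request named on the page:
    wrong value count and wrong type (e.g. "abc" in a CIDR column).
    Returns a list of problem descriptions; an empty list means the rows fit."""
    problems = []
    for i, row in enumerate(rows):
        values = row.get("values")
        if not isinstance(values, list):
            problems.append(f"row {i}: missing 'values' list")
            continue
        if len(values) != len(schema):
            problems.append(f"row {i}: {len(values)} values, table has {len(schema)} columns")
            continue
        for (col, ctype), v in zip(schema, values):
            if ctype == "CIDR":
                try:
                    ipaddress.ip_network(v, strict=False)  # accepts single IPs too
                except ValueError:
                    problems.append(f"row {i}: {v!r} is not a valid CIDR for column {col!r}")
    return problems


def batch_rows(rows, max_rows=MAX_ROWS_PER_REQUEST, max_bytes=MAX_BYTES_PER_REQUEST):
    """Split rows into request-sized batches: at most max_rows per batch and
    strictly less than max_bytes of serialised row data per batch."""
    batches, current, current_size = [], [], 0
    for row in rows:
        size = len(json.dumps(row).encode("utf-8"))
        if size >= max_bytes:
            raise ValueError("a single row exceeds the per-request size limit")
        if current and (len(current) >= max_rows or current_size + size >= max_bytes):
            batches.append(current)
            current, current_size = [], 0
        current.append(row)
        current_size += size
    if current:
        batches.append(current)
    return batches


def build_mcp_request(table_name, rows, project_id, customer_id, region, request_id=1):
    """Fill the JSON-RPC 2.0 tools/call envelope from the curl sample with the
    arguments this tool documents (argument key names are an assumption)."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "add_rows_to_data_table",
            "arguments": {
                "table_name": table_name,
                "rows": rows,
                "project_id": project_id,
                "customer_id": customer_id,
                "region": region,
            },
        },
    }


if __name__ == "__main__":
    # Constructed input in the nested-list form a user might supply.
    raw = [["172.16.0.1", "Low", "Unusual outbound connection", "true"],
           ["192.168.2.200", "Critical", "Data exfiltration attempt", "true"]]
    rows = to_row_objects(raw)
    issues = validate_rows(rows, SUSPICIOUS_IPS_SCHEMA)
    if issues:
        raise SystemExit("\n".join(issues))
    for n, batch in enumerate(batch_rows(rows), start=1):
        body = build_mcp_request("suspicious_ips", batch, "my-project", "my-customer", "us", n)
        print(json.dumps(body, indent=2))  # this is the --data payload for one curl call
```

Running validate_rows before each call is what lets an agent report the likely cause of a 400 with a concrete example of the expected row shape, instead of relaying the bare error; batch_rows keeps every generated request under both documented limits.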
Input Schema

Request message for AddRowsToDataTable.

BulkCreateDataTableRowsRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "tableName": string,
  "rows": [
    {
      object (DataTableRow)
    }
  ]
}
Fields
projectId

string

Project ID of the customer.

customerId

string

Customer ID of the customer.

region

string

Region of the customer.

tableName

string

Name of the data table.

rows[]

object (DataTableRow)

Rows to be added to the data table.

DataTableRow

JSON representation
{
  "name": string,
  "values": [
    string
  ],
  "createTime": string,
  "updateTime": string,
  "rowTimeToLive": string
}
Fields
name

string

Identifier. The resource name of the data table row. Format: projects/{project}/locations/{location}/instances/{instance}/dataTables/{data_table}/dataTableRows/{data_table_row}

values[]

string

Required. All column values for a single row. The values should be in the same order as the columns of the data tables.

createTime

string (Timestamp format)

Output only. DataTableRow create time

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

updateTime

string (Timestamp format)

Output only. DataTableRow update time

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

rowTimeToLive

string

Optional. User-provided TTL of the data table row.

Timestamp

JSON representation
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).

nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Output Schema

Response message with created data table rows.

BulkCreateDataTableRowsResponse

JSON representation
{
  "dataTableRows": [
    {
      object (DataTableRow)
    }
  ]
}
Fields
dataTableRows[]

object (DataTableRow)

The DataTableRows created.

DataTableRow and Timestamp use the same JSON representation and fields as in the Input Schema above.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌