Tool: create_data_table
Create a new data table in Chronicle SIEM by calling the CreateDataTable API.
Creates a structured data table that can be referenced in detection rules. The agent is responsible for defining the table schema via the column_info argument.
Agent Responsibilities:

1. Construct column_info: The agent MUST provide the complete column_info list. Each element in the list is an object (dictionary) defining a column, and must match the Chronicle API's DataTableColumnInfo structure. This includes:
   - columnIndex: Integer, starting from 0.
   - originalColumn: String, the name of the column.
   - columnType: String, one of "STRING", "REGEX", "CIDR", "NUMBER". This is mutually exclusive with mappedColumnPath.
   - mappedColumnPath: String, the UDM field path if mapping to an entity. Mutually exclusive with columnType.
   - key_column: Optional boolean.
   - repeated_values: Optional boolean.
2. Examples of single items in column_info:
   {"columnIndex": 0, "originalColumn": "ip", "columnType": "CIDR"}
   {"columnIndex": 1, "originalColumn": "user_agent", "mappedColumnPath": "network.http.user_agent"}
Workflow Integration:
- Use to store structured security data that enhances detection rule logic.
- Essential for maintaining context data used in threat detection and investigation.
- Enables dynamic rule behavior based on curated datasets without hardcoding values.
- Supports threat intelligence integration by storing IOC lists and contextual data.
Use Cases:
- Create tables of known malicious IP addresses with severity and description context.
- Store asset inventories with criticality ratings for enhanced alert prioritization.
- Maintain user role mappings for behavior-based detection rules.
- Build threat intelligence feeds with IOC metadata for detection enhancement.
- Create exception lists for reducing false positives in detection rules.
Column Types:
- STRING: Text values
- CIDR: IP address ranges (e.g., "192.168.1.0/24")
- INT64: Integer values
- BOOL: Boolean values (true/false)
Args:
- name (str): Unique name for the data table.
- description (str): Description of the data table.
- column_info (List[Dict[str, Any]]): A list of dictionaries, where each dictionary defines a column, adhering to the DataTableColumnInfo structure.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
Returns:
- str: Success message with the created data table details from the API response. Returns an error message if table creation fails.
Example Usage:

```python
# Create a table for suspicious IP addresses
create_data_table(
    name="suspicious_ips",
    description="Known suspicious IP addresses with context",
    column_info=[
        {"columnIndex": 0, "originalColumn": "ip_address", "columnType": "CIDR"},
        {"columnIndex": 1, "originalColumn": "severity", "columnType": "STRING"},
        {"columnIndex": 2, "originalColumn": "description", "columnType": "STRING"},
        {"columnIndex": 3, "originalColumn": "is_active", "columnType": "STRING"},  # Note: BOOL is not a type, use STRING for true/false
    ],
    project_id="my-project",
    customer_id="my-customer",
    region="us",
)
```
Next Steps (using MCP-enabled tools):
- Add rows using add_rows_to_data_table.
- Reference the table in detection rules using the table name (e.g., data_table.suspicious_ips).
- List table contents using list_data_table_rows to verify data integrity.
- Update or remove specific rows using data table row management tools.
- Use the table data to enhance detection logic and reduce false positives.
The following sample demonstrates how to use curl to invoke the create_data_table MCP tool.
Curl Request:

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "create_data_table",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
Input Schema

Request message for CreateDataTable.

CreateDataTableRequest

JSON representation:

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "name": string,
  "description": string,
  "columnInfo": [
    {
      object (
```
| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| name | Name of the data table. |
| description | Description of the data table. |
| columnInfo[] | Column information of the data table. |
DataTableColumnInfo

JSON representation:

```
{
  "columnIndex": integer,
  "originalColumn": string,
  "keyColumn": boolean,
  "repeatedValues": boolean,
  // Union field
```

| Field | Description |
|---|---|
| columnIndex | Required. Column index: 0, 1, 2, ... |
| originalColumn | Required. Original column name of the data table (present in the CSV header when a data table is created by file upload). It must satisfy the following requirements: starts with a letter; contains only letters, numbers and underscores; must be unique and have length < 256. |
| keyColumn | Optional. Whether to include this column in the calculation of the row ID. If no columns have key_column = true, all columns will be included in the calculation of the row ID. |
| repeatedValues | Optional. Whether the column is a repeated values column. |
| Union field (one of the following) | |
| mappedColumnPath | Entity proto field path that the column is mapped to. |
| columnType | Column type can be STRING, CIDR (e.g. 10.1.1.0/24) or REGEX. |
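The agent responsibilities and the DataTableColumnInfo constraints above (contiguous columnIndex, originalColumn naming rules, and the columnType/mappedColumnPath union) are easy to get wrong before the API ever sees the request. The following added example, which is not part of this page or of the Chronicle tooling, validates a column_info list against exactly those documented rules and builds the JSON-RPC body for the curl call; it assumes the MCP arguments use the snake_case names from the Args section.

```python
import re

# Constraints stated on this page for DataTableColumnInfo; the MCP argument
# names are assumed to follow the tool's Args section (snake_case).
COLUMN_TYPES = {"STRING", "REGEX", "CIDR", "NUMBER"}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def column_info_errors(column_info):
    """Return a list of schema violations; an empty list means the spec is valid."""
    errors, seen = [], set()
    for pos, col in enumerate(column_info):
        if col.get("columnIndex") != pos:  # indices must run 0, 1, 2, ... in order
            errors.append(f"position {pos}: columnIndex must be {pos}")
        name = col.get("originalColumn", "")
        if not NAME_RE.match(name) or len(name) >= 256:
            errors.append(f"position {pos}: invalid originalColumn {name!r}")
        if name in seen:
            errors.append(f"position {pos}: duplicate originalColumn {name!r}")
        seen.add(name)
        has_type, has_path = "columnType" in col, "mappedColumnPath" in col
        if has_type == has_path:  # union field: exactly one of the two must be set
            errors.append(f"{name!r}: set exactly one of columnType/mappedColumnPath")
        elif has_type and col["columnType"] not in COLUMN_TYPES:
            errors.append(f"{name!r}: unknown columnType {col['columnType']!r}")
    return errors


def build_create_request(project_id, customer_id, region, name, description,
                         column_info, request_id=1):
    """Build the JSON-RPC body for a tools/call of create_data_table.

    Raises ValueError (before anything is sent) if column_info is malformed.
    """
    errors = column_info_errors(column_info)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "create_data_table",
            "arguments": {
                "name": name, "description": description, "column_info": column_info,
                "project_id": project_id, "customer_id": customer_id, "region": region,
            },
        },
    }
```

`json.dumps(build_create_request(...))` yields the `--data` body for the curl request shown earlier, with malformed column definitions rejected locally instead of by the API.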
Output Schema

DataTable represents the data table resource.

DataTable

JSON representation:

```
{
  "name": string,
  "displayName": string,
  "description": string,
  "createTime": string,
  "updateTime": string,
  "columnInfo": [
    {
      object (
```
| Field | Description |
|---|---|
| name | Identifier. The resource name of the data table. Format: "{project}/locations/{region}/instances/{instance}/dataTables/{data_table}" |
| displayName | Output only. The unique display name of the data table. |
| description | Required. A user-provided description of the data table. |
| createTime | Output only. Table create time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| updateTime | Output only. Table update time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| columnInfo[] | Immutable. Details of all the columns in the table. |
| dataTableUuid | Output only. Data table unique id. |
| rules[] | Output only. The resource names for the associated Rules that use this data table. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}. {rule} here refers to the rule id. |
| ruleAssociationsCount | Output only. The count of rules using the data table. |
| rowTimeToLive | Optional. User-provided TTL of the data table. |
| approximateRowCount | Output only. The count of rows in the data table. |
| scopeInfo | Optional. The scope info of the data table. During data table creation, if this field is not set, a data table without scopes (an unscoped table) will be created for a global user. For a scoped user, this field must be set. During data table update, if scope_info is requested to be updated, this field must be set. |
| updateSource | Output only. Source of the data table update. |
| rowTimeToLiveUpdateTime | Output only. Last update time of the TTL of the data table. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Timestamp

JSON representation:

```
{
  "seconds": string,
  "nanos": integer
}
```

| Field | Description |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
DataTableColumnInfo

Same structure as the DataTableColumnInfo described under Input Schema above.
DataTableScopeInfo

JSON representation:

```
{
  "dataAccessScopes": [
    string
  ]
}
```

| Field | Description |
|---|---|
| dataAccessScopes[] | Required. Contains the list of scope names of the data table. If the list is empty, the data table is treated as unscoped. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}" |
Tool Annotations

- Destructive Hint: ❌
- Idempotent Hint: ❌
- Read Only Hint: ❌
- Open World Hint: ❌