Tool: delete_data_table_row
Delete a specific row from a data table in Chronicle SIEM.
Removes a single row from a data table based on its row ID. This action cannot be undone. This is useful for maintaining data quality by removing outdated, incorrect, or no-longer-relevant entries from tables used in detection rules. To delete multiple rows, this tool must be called for each row ID.
Agent Responsibilities:
1. Row ID Lookup: If the row ID is not provided, the agent MUST use the list_data_table_rows tool to find the row_id for the specific row to delete.
2. Handle 'Not Found' Errors (Idempotency): This tool WILL return an error if the specified row_id does not exist (e.g., a 404 Not Found error). The agent MUST intercept this specific error and treat it as a SUCCESS. The desired state (the row being absent) is met. The agent should report to the user that the row was not found.
3. Handle Other Errors: If the deletion fails for any other reason (e.g., permission denied, invalid table name), the agent MUST return a clear error message to the user.

Workflow Integration:
- Use to maintain data quality by removing obsolete or incorrect entries.
- Essential for keeping threat intelligence and context data current and accurate.
- Supports data lifecycle management for security-relevant datasets.
- Enables correction of data entry errors or removal of false positive triggers.

Use Cases:
- Remove IP addresses that are no longer considered suspicious.
- Delete outdated asset inventory entries for decommissioned systems.
- Remove user role mappings for employees who have left the organization.
- Clean up threat intelligence data that has been invalidated or superseded.
- Remove exception list entries that are no longer needed.

Safety Considerations:
- Ensure row IDs are correct before deletion as this operation cannot be undone.
- Consider the impact on existing detection rules that reference the deleted data.
- Coordinate deletions with detection rule updates if necessary.
- Maintain backups or logs of deleted data for audit purposes.

Args:
- table_name (str): Name of the data table to delete the row from.
- row_id (str): The unique ID of the row to delete. Use list_data_table_rows to get row IDs.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).

Returns:
- str: Success message confirming the deletion of the specified row. Returns an error message if deletion fails for reasons other than the row not existing.

Example Usage:

    # First, list rows to get their IDs using list_data_table_rows
    # Then delete a specific row
    delete_data_table_row(
        table_name="suspicious_ips",
        row_id="row_12345",
        project_id="my-project",
        customer_id="my-customer",
        region="us"
    )

Next Steps (using MCP-enabled tools):
- Verify the deletions using list_data_table_rows to confirm rows were removed.
- Test detection rules that reference the table to ensure they still work correctly.
- Add replacement data using add_rows_to_data_table if new entries are needed.
- Document the reason for deletions for audit and operational tracking.
- Review and update any documentation that references the deleted data.
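
The agent-side handling described under Agent Responsibilities and Safety Considerations, as an added example that is not part of the tool's or Chronicle's own code: look up the row ID, delete, treat a 404 as success, surface every other error, and keep an audit record of what was removed. `ToolError`, `FakeTable`, `safe_delete_row`, and the row layout (`row_id` plus `values`) are hypothetical names and shapes assumed for illustration.

```python
import json
from datetime import datetime, timezone

class ToolError(Exception):
    """Hypothetical error raised when a tool call fails (assumed shape)."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def safe_delete_row(list_rows, delete_row, table_name, match, audit_log, **scope):
    """Find the row whose values equal `match`, delete it, keep an audit record.

    list_rows and delete_row stand in for the list_data_table_rows and
    delete_data_table_row tools; their call and return shapes are assumptions.
    """
    hits = [r for r in list_rows(table_name=table_name, **scope)
            if r["values"] == match]
    if len(hits) > 1:
        # Deletion cannot be undone, so never guess between candidates.
        raise ValueError(f"{len(hits)} rows match {match!r}; pass an explicit row_id")
    if not hits:
        return f"Row {match!r} not found in {table_name}; nothing to delete."
    row = hits[0]
    try:
        delete_row(table_name=table_name, row_id=row["row_id"], **scope)
        outcome = "deleted"
    except ToolError as err:
        if err.status != 404:
            raise  # permission denied, invalid table name: surface to the user
        outcome = "already_absent"  # removed between list and delete: state is met
    # Keep the deleted values, since the table itself offers no undo.
    audit_log.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(), "table": table_name,
        "row_id": row["row_id"], "values": row["values"], "outcome": outcome}))
    if outcome == "deleted":
        return f"Deleted row {row['row_id']} from {table_name}."
    return f"Row {row['row_id']} not found in {table_name}; already absent."

class FakeTable:
    """Constructed in-memory stand-in for one data table (not Chronicle code)."""
    def __init__(self, rows):
        self.rows = dict(rows)  # row_id -> list of column values
    def list_rows(self, table_name, **scope):
        return [{"row_id": k, "values": v} for k, v in self.rows.items()]
    def delete_row(self, table_name, row_id, **scope):
        if row_id not in self.rows:
            raise ToolError(404, "Not Found")
        del self.rows[row_id]
```

Because the tool is annotated as not idempotent, the 404-as-success mapping lives in the caller; a second call for the same value returns the "not found" message instead of raising.
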
The following sample demonstrates how to use curl to invoke the delete_data_table_row MCP tool.

Curl Request

```
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "delete_data_table_row",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```

Input Schema
Request message for DeleteDataTableRow.
DeleteDataTableRowRequest
JSON representation

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "tableName": string,
  "rowId": string
}
```

| Fields | |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| tableName | Name of the data table. |
| rowId | Row ID of the data table row. |

Output Schema
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:

```
service Foo {
  rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}
```

Tool Annotations
Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌