Tool: delete_data_table_row
Delete a specific row from a data table in Chronicle SIEM.
Removes a single row from a data table based on its row ID. This action cannot be undone. This is useful for maintaining data quality by removing outdated, incorrect, or no-longer-relevant entries from tables used in detection rules. To delete multiple rows, this tool should be called for each row ID.
Agent Responsibilities:
- Row ID Lookup: If the row ID is not provided, the agent should use the list_data_table_rows tool to find the row_id for the specific row to delete.
- Handle 'Not Found' Errors (Idempotency): This tool WILL return an error if the specified row_id does not exist (e.g., a 404 Not Found error). The agent should intercept this specific error and treat it as a SUCCESS. The desired state (the row being absent) is met. The agent should report to the user that the row was not found.
- Handle Other Errors: If the deletion fails for any other reason (e.g., permission denied, invalid table name), the agent should return a clear error message to the user.
Workflow Integration:
- Use to maintain data quality by removing obsolete or incorrect entries.
- Essential for keeping threat intelligence and context data current and accurate.
- Supports data lifecycle management for security-relevant datasets.
- Enables correction of data entry errors or removal of false positive triggers.
Use Cases:
- Remove IP addresses that are no longer considered suspicious.
- Delete outdated asset inventory entries for decommissioned systems.
- Remove user role mappings for employees who have left the organization.
- Clean up threat intelligence data that has been invalidated or superseded.
- Remove exception list entries that are no longer needed.
Safety Considerations:
- Ensure row IDs are correct before deletion as this operation cannot be undone.
- Consider the impact on existing detection rules that reference the deleted data.
- Coordinate deletions with detection rule updates if necessary.
- Maintain backups or logs of deleted data for audit purposes.
Example Usage:
delete_data_table_row(tableName="suspicious_ips", rowId="row_12345", projectId="my-project", customerId="my-customer", region="us")
Next Steps (using MCP-enabled tools):
- Verify the deletions using list_data_table_rows to confirm rows were removed.
- Test detection rules that reference the table to ensure they still work correctly.
- Add replacement data using add_rows_to_data_table if new entries are needed.
- Document the reason for deletions for audit and operational tracking.
- Review and update any documentation that references the deleted data.
The following sample demonstrates how to use curl to invoke the delete_data_table_row MCP tool.
Curl Request:
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "delete_data_table_row",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
Input Schema
Request message for DeleteDataTableRow.
DeleteDataTableRowRequest
JSON representation:
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "tableName": string,
  "rowId": string
}
| Fields | |
|---|---|
| projectId | Required. Google Cloud project ID. |
| customerId | Required. Chronicle customer ID. |
| region | Required. Chronicle region (e.g., "us", "europe"). |
| tableName | Name of the data table to delete the row from. |
| rowId | The unique ID of the row to delete. Use "list_dataTableRows" to get row IDs. |
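The error handling described under Agent Responsibilities, sketched as an added example (not part of the original page or of the Chronicle tooling). The `send` callable and the wording of the error text are assumptions; the `error`, `result.isError` and `result.content` fields follow the generic JSON-RPC and MCP response shape.

```python
REQUIRED = ("projectId", "customerId", "region", "tableName", "rowId")

def build_request(args, request_id=1):
    """JSON-RPC body in the shape of the page's curl sample."""
    missing = [k for k in REQUIRED if not args.get(k)]
    if missing:
        raise ValueError(f"missing arguments: {missing}")
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "delete_data_table_row",
                       "arguments": {k: args[k] for k in REQUIRED}}}

def classify(response, row_id):
    """Return (status, detail): deleted, already_absent or failed."""
    error = response.get("error")          # JSON-RPC level error
    result = response.get("result") or {}  # MCP tool result
    if error is None and not result.get("isError"):
        return "deleted", ""
    if error is not None:
        detail = str(error.get("message", ""))
    else:
        detail = " ".join(c.get("text", "") for c in result.get("content", []))
    # ASSUMPTION: a missing row is reported as text containing "404" or
    # "not found" and naming the row ID. Anything else, including a 404
    # for the table itself, fails closed and is reported as an error.
    lowered = detail.lower()
    if ("404" in lowered or "not found" in lowered) and row_id.lower() in lowered:
        return "already_absent", detail
    return "failed", detail

def delete_row(send, audit_log, **args):
    """send: hypothetical callable that POSTs the body and returns parsed JSON."""
    request = build_request(args)
    status, detail = classify(send(request), args["rowId"])
    # Record every attempt so deletions stay traceable for audit.
    audit_log.append({"tableName": args["tableName"], "rowId": args["rowId"],
                      "status": status, "detail": detail})
    if status == "failed":
        raise RuntimeError(f"delete of row {args['rowId']} failed: {detail}")
    return status
```

Requiring the row ID in the error text keeps a "not found" raised for a mistyped table name from being reported as a successful delete; adjust the match once the real error wording is known.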
Output Schema
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:
service Foo {
rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}
Tool Annotations
Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌