MCP Tools Reference: chronicle.googleapis.com

Tool: execute_actions

Executes one or more enrichment actions on a specific SIEM alert. This tool provides a simplified and batch-oriented API compared to the standard execute_manual_action tool, optimized for automated enrichment workflows.

It accepts a list of actions to be performed. Each action execution requires: - Action Provider and Name: The integration and specific action identifier (retrieved from fetch_enrichment_actions). - Integration Instance: The specific instance GUID to run the action against. - Scope and Script Name: Operational parameters for the SOAR backend. - Target Entities: A list of entities (Identifier, Type, and isInternal flag) that the action should be performed on. - Parameters: A dictionary of key-value pairs for any specific parameters required by the action.

Critical Constraint - Entity Types: - You must ONLY execute an action on entities whose type matches one of the supported entity_types defined for that action in the fetch_enrichment_actions response. - For example, if an action supports ['ADDRESS'], do not attempt to run it on a HOSTNAME entity, even if they seem related. - Mismatched entity types will likely result in action failure or irrelevant results.

Workflow Integration: - This is the FINAL step in an enrichment loop where the agent triggers the chosen actions. - It returns the results of all executed actions, including status (e.g., 'COMPLETED', 'FAULTED'), human-readable messages, and detailed result values/JSON objects. - If an action is asynchronous, the status will indicate it, and the results can be checked later.

Use Cases: - Batch execute enrichment actions on multiple entities identified in an alert (e.g., enrichment for 3 different suspicious IPs). - Trigger complex enrichment workflows by calling multiple actions in a single tool invocation.

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). siem_alert_id (str): The unique identifier of the alert in SIEM (required). actions (list): A list of action execution request objects. Each object should contain: - integration (str): Integration Identifier (e.g., 'VirusTotal'). - display_name (str): Specific action display name (e.g., 'Get IP Report'). - integration_instance (str): Instance GUID. - target_entities (str list): Entities to target. MUST match supported entity types. - parameters (dict): Dictionary of parameter names and values. Values must be strings.

Returns: ExecuteActionsResponse: A list of action results, including status, messages, and output data.

The following sample demonstrate how to use curl to invoke the execute_actions MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "execute_actions",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request for ExecuteActions.

ExecuteActionsRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "siemAlertId": string,
  "actions": [
    {
      object (ExecuteActionRequest)
    }
  ]
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
siemAlertId

string

SIEM alert ID.
actions[]

object (ExecuteActionRequest)

The actions to execute.

ExecuteActionRequest

JSON representation 
{
  "targetEntities": [
    string
  ],
  "parameters": {
    string: string,
    ...
  },
  "displayName": string,
  "integration": string,
  "integrationInstance": string
}
Fields
targetEntities[]

string

The target entities. repeated AgentSecurityEntity target_entities = 1; the infrasupport nesting objects here: unnable to generate config for aspect mcp-config: Invalid mapping spec: comprehension nesting limit (1) exceeded
parameters

map (key: string, value: string)

The parameters.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
displayName

string

The action name.
integration

string

The integration name.
integrationInstance

string

The integration instance.

ParametersEntry

JSON representation 
{
  "key": string,
  "value": string
}
Fields
key

string
value

string

Output Schema

Response for ExecuteActions. Details of an list of actions that will be executed.

ExecuteActionsResponse

JSON representation 
{
  "parent": string,
  "results": [
    {
      object (ExecuteActionResult)
    }
  ],
  "executionTimeSeconds": number
}
Fields
parent

string

Output only. The parent, which owns the collection of actions.
results[]

object (ExecuteActionResult)

The results of the actions.
executionTimeSeconds

number

Output only. The execution time of the actions in seconds.

ExecuteActionResult

JSON representation 
{
  "integration": string,
  "displayName": string,
  "message": string,
  "executionTimeSeconds": number,

  // Union field _entity_id can be only one of the following:
  "entityId": string
  // End of list of possible types for union field _entity_id.

  // Union field _result_json can be only one of the following:
  "resultJson": string
  // End of list of possible types for union field _result_json.

  // Union field _result_entities_delta can be only one of the following:
  "resultEntitiesDelta": string
  // End of list of possible types for union field _result_entities_delta.

  // Union field _result_value can be only one of the following:
  "resultValue": string
  // End of list of possible types for union field _result_value.

  // Union field _status can be only one of the following:
  "status": enum (ActionStatus)
  // End of list of possible types for union field _status.
}
Fields
integration

string

Output only. The integration.
displayName

string

Output only. The action display name.
message

string

Output only. The message.
executionTimeSeconds

number

Output only. The execution time of the action in seconds.

Union field _entity_id.

_entity_id can be only one of the following:
entityId

string

Output only. The entity identifier.

Union field _result_json.

_result_json can be only one of the following:
resultJson

string

Output only. The result JSON object.

Union field _result_entities_delta.

_result_entities_delta can be only one of the following:
resultEntitiesDelta

string

Output only. The result entities JSON object.

Union field _result_value.

_result_value can be only one of the following:
resultValue

string

Output only. The result value.

Union field _status.

_status can be only one of the following:
status

enum (ActionStatus)

Output only. The status of the action.

Tool Annotations

Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌