MCP Tools Reference: chronicle.googleapis.com

Tool: execute_actions

Executes one or more enrichment actions on a specific SIEM alert. This tool provides a simplified and batch-oriented API compared to the standard execute_manual_action tool, optimized for automated enrichment workflows.

It accepts a list of actions to be performed. Each action execution requires:

  • Action Provider and Name: The integration and specific action identifier (retrieved from fetch_enrichment_actions).
  • Integration Instance: The specific instance GUID to run the action against.
  • Scope and Script Name: Operational parameters for the SOAR backend.
  • Target Entities: A list of entities (Identifier, Type, and isInternal flag) that the action should be performed on.
  • Parameters: A dictionary of key-value pairs for any specific parameters required by the action.

Critical Constraint - Entity Types:

  • You should ONLY execute an action on entities whose type matches one of the supported entity_types defined for that action in the fetch_enrichment_actions response.
  • For example, if an action supports ['ADDRESS'], do not attempt to run it on a HOSTNAME entity, even if they seem related.
  • Mismatched entity types will likely result in action failure or irrelevant results.

Workflow Integration:

  • This is the FINAL step in an enrichment loop where the agent triggers the chosen actions.
  • It returns the results of all executed actions, including status (e.g., 'COMPLETED', 'FAULTED'), human-readable messages, and detailed result values/JSON objects.
  • If an action is asynchronous, the status will indicate it, and the results can be checked later.

Use Cases:

  • Batch execute enrichment actions on multiple entities identified in an alert (e.g., enrichment for 3 different suspicious IPs).
  • Trigger complex enrichment workflows by calling multiple actions in a single tool invocation.

The following sample demonstrates how to use curl to invoke the execute_actions MCP tool.

Curl Request

curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "execute_actions",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request for ExecuteActions.

ExecuteActionsRequest

JSON representation
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "siemAlertId": string,
  "actions": [
    {
      object (ExecuteActionRequest)
    }
  ]
}
Fields
projectId

string

Required. Google Cloud project ID.

customerId

string

Required. Chronicle customer ID.

region

string

Required. Chronicle region (e.g., "us", "europe").

siemAlertId

string

Required. The unique identifier of the alert in SIEM.

actions[]

object (ExecuteActionRequest)

A list of actions to be performed.

ExecuteActionRequest

JSON representation
{
  "targetEntities": [
    string
  ],
  "parameters": {
    string: string,
    ...
  },
  "displayName": string,
  "integration": string,
  "integrationInstance": string
}
Fields
targetEntities[]

string

Entities to target. MUST match supported entity types.

parameters

map (key: string, value: string)

Dictionary of parameter names and values. Values must be strings.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

displayName

string

Specific action display name (e.g., "Get IP Report") taken from "fetch_enrichment_actions" tool -> integrations key -> "actions" key -> "displayName" key.

integration

string

Integration Identifier (e.g., "VirusTotal") used for the action execution taken from "fetch_enrichment_actions" tool -> integrations key -> "integration" key.

integrationInstance

string

Integration Instance GUID taken from "fetch_enrichment_actions" tool -> integrations key -> "integrationInstance" key.

ParametersEntry

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

value

string

Output Schema

Response for ExecuteActions. Details of a list of actions that will be executed.

ExecuteActionsResponse

JSON representation
{
  "parent": string,
  "results": [
    {
      object (ExecuteActionResult)
    }
  ],
  "executionTimeSeconds": number
}
Fields
parent

string

Output only. The parent, which owns the collection of actions.

results[]

object (ExecuteActionResult)

The results of the actions.

executionTimeSeconds

number

Output only. The execution time of the actions in seconds.

ExecuteActionResult

JSON representation
{
  "integration": string,
  "displayName": string,
  "message": string,
  "executionTimeSeconds": number,

  // Union field _entity_id can be only one of the following:
  "entityId": string
  // End of list of possible types for union field _entity_id.

  // Union field _result_json can be only one of the following:
  "resultJson": string
  // End of list of possible types for union field _result_json.

  // Union field _result_entities_delta can be only one of the following:
  "resultEntitiesDelta": string
  // End of list of possible types for union field _result_entities_delta.

  // Union field _result_value can be only one of the following:
  "resultValue": string
  // End of list of possible types for union field _result_value.

  // Union field _status can be only one of the following:
  "status": enum (ActionStatus)
  // End of list of possible types for union field _status.
}
Fields
integration

string

Output only. The integration.

displayName

string

Output only. The action display name.

message

string

Output only. The message.

executionTimeSeconds

number

Output only. The execution time of the action in seconds.

Union field _entity_id.

_entity_id can be only one of the following:

entityId

string

Output only. The entity identifier.

Union field _result_json.

_result_json can be only one of the following:

resultJson

string

Output only. The result JSON object.

Union field _result_entities_delta.

_result_entities_delta can be only one of the following:

resultEntitiesDelta

string

Output only. The result entities JSON object.

Union field _result_value.

_result_value can be only one of the following:

resultValue

string

Output only. The result value.

Union field _status.

_status can be only one of the following:

status

enum (ActionStatus)

Output only. The status of the action.
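The following Python helper is an added example, not code from the page or from the Google SecOps MCP server. It builds the tools/call body described under Input Schema while enforcing the entity-type constraint from the tool description (entities whose type the action does not list are held back instead of sent, and parameter values are coerced to strings as the schema requires), then groups ExecuteActionResult entries from the Output Schema by status. The catalog shape, the "entity_types" key and the instance GUID are assumptions constructed for the example.

```python
# Constructed sample in the shape the page describes for the fetch_enrichment_actions
# output (integrations -> integration / integrationInstance / actions -> displayName
# + entity_types). The key "entity_types" and the GUID are assumptions/placeholders.
CATALOG = {"integrations": [{
    "integration": "VirusTotal",
    "integrationInstance": "00000000-0000-0000-0000-000000000001",
    "actions": [{"displayName": "Get IP Report", "entity_types": ["ADDRESS"]},
                {"displayName": "Get Domain Report", "entity_types": ["HOSTNAME"]}],
}]}


def lookup(catalog, integration, display_name):
    """Return (integrationInstance, set of supported entity types), or None if unlisted."""
    for integ in catalog["integrations"]:
        for act in integ["actions"]:
            if integ["integration"] == integration and act["displayName"] == display_name:
                return integ["integrationInstance"], set(act["entity_types"])
    return None


def build_request(catalog, ctx, plan, request_id=1):
    """Build the tools/call body for execute_actions. Entities whose type the chosen
    action does not support are returned in `skipped` instead of being sent."""
    actions, skipped = [], []
    for step in plan:
        found = lookup(catalog, step["integration"], step["displayName"])
        if found is None:  # never send an action the catalog does not advertise
            skipped += [(e["identifier"], "unknown action") for e in step["entities"]]
            continue
        instance, types = found
        targets = [e["identifier"] for e in step["entities"] if e["type"] in types]
        skipped += [(e["identifier"], e["type"]) for e in step["entities"] if e["type"] not in types]
        if targets:
            actions.append({"integration": step["integration"], "integrationInstance": instance,
                            "displayName": step["displayName"], "targetEntities": targets,
                            # schema: parameter values must be strings, so coerce them
                            "parameters": {k: str(v) for k, v in step.get("parameters", {}).items()}})
    body = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "execute_actions", "arguments": {**ctx, "actions": actions}}}
    return body, skipped


def by_status(response):
    """Group ExecuteActionResult entries by status (e.g. COMPLETED, FAULTED) for triage."""
    groups = {}
    for r in response.get("results", []):
        groups.setdefault(r.get("status", "UNKNOWN"), []).append(
            (r.get("displayName"), r.get("entityId"), r.get("message")))
    return groups
```

The `skipped` list is what an agent should surface rather than silently retry, since a mismatched entity type is expected to fault or return irrelevant data.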

Tool Annotations

Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌