Tool: list_data_table_rows
List rows in a data table in Chronicle SIEM.
Retrieves and displays the contents of a data table, showing all rows and their data. This is useful for reviewing table contents and verifying data integrity.
Workflow Integration:
- Use to verify data table contents after creation or updates.
- Essential for auditing data quality and consistency in security context tables.
- Helps understand available data when developing or troubleshooting detection rules.
Use Cases:
- Review threat intelligence data before creating detection rules.
- Verify that asset inventory data is current and accurate.
- Audit user role mappings for consistency and completeness.
Example Usage:
list_data_table_rows(tableName="suspicious_ips", projectId="my-project", customerId="my-customer", region="us")
Next Steps:
- Add more rows using add_rows_to_data_table.
- Delete rows using delete_data_table_row.
The following sample demonstrates how to use curl to invoke the list_data_table_rows MCP tool.
Curl Request

```
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_data_table_rows",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
```
Input Schema
Request message for ListDataTableRows.
ListDataTableRowsRequest
| JSON representation |
|---|
| { "projectId": string, "customerId": string, "region": string, "tableName": string, "pageSize": integer, "pageToken": string, "filter": string } |
| Fields | |
|---|---|
| projectId | Required. Google Cloud project ID. |
| customerId | Required. Chronicle customer ID. |
| region | Required. Chronicle region (e.g., "us", "europe"). |
| tableName | Name of the data table to list rows from. |
| pageSize | Maximum number of rows to return. Defaults to 50. |
| pageToken | Pagination token. |
| filter | Filter string for row values (case-insensitive substring match). |
Output Schema
Response message for listing data table rows.
ListDataTableRowsResponse
| JSON representation |
|---|
{
"dataTableRows": [
{
object ( |
| Fields | |
|---|---|
| dataTableRows[] | The list of the data table rows returned. |
| nextPageToken | Optional. A token, which can be sent as |
DataTableRow
| JSON representation |
|---|
| { "name": string, "values": [ string ], "createTime": string, "updateTime": string, "rowTimeToLive": string } |
| Fields | |
|---|---|
| name | Identifier. The resource name of the data table. Format: projects/{project}/locations/{location}/instances/{instance}/dataTables/{data_table}/dataTableRows/{data_table_row} |
| values[] | Required. All column values for a single row. The values should be in the same order as the columns of the data table. |
| createTime | Output only. DataTableRow create time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| updateTime | Output only. DataTableRow update time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| rowTimeToLive | Optional. User-provided TTL of the data table row. |
Timestamp
| JSON representation |
|---|
| { "seconds": string, "nanos": integer } |
| Fields | |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
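
Added example, not part of the original reference or Google's own code: a Python client that reads a whole data table by calling list_data_table_rows once per page and resending nextPageToken as pageToken, stopping if a token repeats. Assumptions: `send` is a hypothetical callable that performs the authenticated POST to the MCP endpoint and returns the parsed JSON-RPC reply, the response object arrives as `structuredContent` or as JSON text in `content` (the MCP tool-result layout), and the sample pages are constructed.

```python
import json

def build_call(arguments, request_id):
    """JSON-RPC 2.0 envelope in the same shape as the page's curl sample."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "list_data_table_rows", "arguments": arguments}}

def extract_payload(reply):
    """Assumption: response is result.structuredContent or JSON text in result.content[0]."""
    if "error" in reply:
        raise RuntimeError(f"JSON-RPC error: {reply['error']}")
    result = reply["result"]
    if result.get("isError"):
        raise RuntimeError(f"tool reported an error: {result.get('content')}")
    if "structuredContent" in result:
        return result["structuredContent"]
    return json.loads(result["content"][0]["text"])

def iter_rows(send, base_args, max_pages=1000):
    """Yield every DataTableRow, issuing one tools/call per page."""
    token, seen = "", set()
    for request_id in range(1, max_pages + 1):
        args = {**base_args, **({"pageToken": token} if token else {})}
        payload = extract_payload(send(build_call(args, request_id)))
        yield from payload.get("dataTableRows", [])
        token = payload.get("nextPageToken", "")
        if not token:
            return  # last page: nothing to continue with
        if token in seen:
            raise RuntimeError("page token repeated; refusing to loop")
        seen.add(token)
    raise RuntimeError("max_pages reached before the last page")

# Constructed pages and an offline transport standing in for the server.
SAMPLE_PAGES = {
    "": {"dataTableRows": [{"values": ["203.0.113.7", "scanner"]},
                           {"values": ["198.51.100.9", "c2"]}],
         "nextPageToken": "t2"},
    "t2": {"dataTableRows": [{"values": ["192.0.2.44", "scanner"]}]},
}

def fake_send(request):
    token = request["params"]["arguments"].get("pageToken", "")
    return {"result": {"structuredContent": SAMPLE_PAGES[token]}}

ARGS = {"projectId": "my-project", "customerId": "my-customer",
        "region": "us", "tableName": "suspicious_ips", "pageSize": 2}
if __name__ == "__main__":
    print([row["values"] for row in iter_rows(fake_send, ARGS)])
```

Pass the `filter` argument in `base_args` to narrow the rows server-side before paging.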