Tool: execute_actions
Executes one or more enrichment actions on a specific SIEM alert. This tool provides a simplified and batch-oriented API compared to the standard execute_manual_action tool, optimized for automated enrichment workflows.
It accepts a list of actions to be performed. Each action execution requires:
- Action Provider and Name: The integration and specific action identifier (retrieved from fetch_enrichment_actions).
- Integration Instance: The specific instance GUID to run the action against.
- Scope and Script Name: Operational parameters for the SOAR backend.
- Target Entities: A list of entities (Identifier, Type, and isInternal flag) that the action should be performed on.
- Parameters: A dictionary of key-value pairs for any specific parameters required by the action.
Critical Constraint - Entity Types:
- You must ONLY execute an action on entities whose type matches one of the supported entity_types defined for that action in the fetch_enrichment_actions response.
- For example, if an action supports ['ADDRESS'], do not attempt to run it on a HOSTNAME entity, even if they seem related.
- Mismatched entity types will likely result in action failure or irrelevant results.
Workflow Integration:
- This is the FINAL step in an enrichment loop where the agent triggers the chosen actions.
- It returns the results of all executed actions, including status (e.g., 'COMPLETED', 'FAULTED'), human-readable messages, and detailed result values/JSON objects.
- If an action is asynchronous, the status will indicate it, and the results can be checked later.
Use Cases:
- Batch execute enrichment actions on multiple entities identified in an alert (e.g., enrichment for 3 different suspicious IPs).
- Trigger complex enrichment workflows by calling multiple actions in a single tool invocation.
Args:
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- siem_alert_id (str): The unique identifier of the alert in SIEM (required).
- actions (list): A list of action execution request objects. Each object should contain:
  - integration (str): Integration Identifier (e.g., 'VirusTotal').
  - display_name (str): Specific action display name (e.g., 'Get IP Report').
  - integration_instance (str): Instance GUID.
  - target_entities (str list): Entities to target. MUST match supported entity types.
  - parameters (dict): Dictionary of parameter names and values. Values must be strings.
Returns: ExecuteActionsResponse: A list of action results, including status, messages, and output data.
The following sample demonstrates how to use curl to invoke the execute_actions MCP tool.

Curl Request

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "execute_actions",
      "arguments": {
        // provide these details according to the MCP specification of the tool
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
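The entity-type constraint and the batch workflow described above, as an added example that is not part of this reference page or of the Chronicle MCP server: a small client-side helper that builds the tools/call body for execute_actions (argument names follow the Args list above; the supported-type map is a constructed stand-in for a fetch_enrichment_actions response, and the sample IPs are documentation addresses) and buckets the returned results by status.

```python
import json

# Constructed stand-in for a fetch_enrichment_actions response (assumed shape,
# not the real tool output): (integration, display_name) -> supported types.
ENRICHMENT_ACTIONS = {
    ("VirusTotal", "Get IP Report"): {"ADDRESS"},
    ("VirusTotal", "Get Domain Report"): {"HOSTNAME"},
}

def build_execute_actions_call(project_id, customer_id, region, siem_alert_id,
                               instance_guid, wanted, entities, rpc_id=1):
    """Build the JSON-RPC tools/call body for execute_actions.

    Each requested (integration, display_name) action only receives the alert
    entities whose type it supports; identifiers no chosen action can take are
    returned so nothing silently goes unenriched.
    """
    actions, enriched = [], set()
    for integration, display_name in wanted:
        allowed = ENRICHMENT_ACTIONS[(integration, display_name)]  # KeyError if unknown
        targets = [e["identifier"] for e in entities if e["type"] in allowed]
        if not targets:
            continue  # never submit an action with no type-matched entity
        enriched.update(targets)
        actions.append({
            "integration": integration,
            "display_name": display_name,
            "integration_instance": instance_guid,
            "target_entities": targets,
            "parameters": {},  # action-specific values; must be strings
        })
    skipped = [e["identifier"] for e in entities if e["identifier"] not in enriched]
    body = {
        "jsonrpc": "2.0", "id": rpc_id, "method": "tools/call",
        "params": {"name": "execute_actions", "arguments": {
            "project_id": project_id, "customer_id": customer_id,
            "region": region, "siem_alert_id": siem_alert_id,
            "actions": actions}},
    }
    return body, skipped

def triage_results(response):
    """Bucket ExecuteActionsResponse results by status and decode resultJson."""
    outcome = {"COMPLETED": [], "FAULTED": [], "OTHER": []}
    for r in response.get("results", []):
        bucket = r.get("status") if r.get("status") in outcome else "OTHER"
        parsed = json.loads(r["resultJson"]) if r.get("resultJson") else None
        outcome[bucket].append((r.get("entityId"), r.get("displayName"), parsed))
    return outcome
```

Asynchronous actions show up in the OTHER bucket, which is the set to poll again later.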
Input Schema

Request for ExecuteActions.

ExecuteActionsRequest

JSON representation

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "siemAlertId": string,
  "actions": [
    {
      object (
    }
  ]
}
```

| Fields | |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| siemAlertId | SIEM alert ID. |
| actions[] | The actions to execute. |
ExecuteActionRequest

JSON representation

```
{
  "targetEntities": [
    string
  ],
  "parameters": {
    string: string,
    ...
  },
  "displayName": string,
  "integration": string,
  "integrationInstance": string
}
```

| Fields | |
|---|---|
| targetEntities[] | The target entities. |
| parameters | The parameters. An object containing a list of |
| displayName | The action name. |
| integration | The integration name. |
| integrationInstance | The integration instance. |
ParametersEntry

JSON representation

```
{
  "key": string,
  "value": string
}
```

| Fields | |
|---|---|
| key | |
| value | |
Output Schema

Response for ExecuteActions. Details of a list of actions that will be executed.

ExecuteActionsResponse

JSON representation

```
{
  "parent": string,
  "results": [
    {
      object (
    }
  ]
}
```

| Fields | |
|---|---|
| parent | Output only. The parent, which owns the collection of actions. |
| results[] | The results of the actions. |
| executionTimeSeconds | Output only. The execution time of the actions in seconds. |
ExecuteActionResult

JSON representation

```
{
  "integration": string,
  "displayName": string,
  "message": string,
  "executionTimeSeconds": number,

  // Union field _entity_id can be only one of the following:
  "entityId": string,

  // Union field _result_json can be only one of the following:
  "resultJson": string,

  // Union field _result_entities_delta can be only one of the following:
  "resultEntitiesDelta": string,

  // Union field _result_value can be only one of the following:
  "resultValue": string,

  // Union field _status can be only one of the following:
  "status": enum (ActionStatus)
}
```

| Fields | |
|---|---|
| integration | string. Output only. The integration. |
| displayName | string. Output only. The action display name. |
| message | string. Output only. The message. |
| executionTimeSeconds | number. Output only. The execution time of the action in seconds. |
| Union field _entity_id. _entity_id can be only one of the following: | |
| entityId | string. Output only. The entity identifier. |
| Union field _result_json. _result_json can be only one of the following: | |
| resultJson | string. Output only. The result JSON object. |
| Union field _result_entities_delta. _result_entities_delta can be only one of the following: | |
| resultEntitiesDelta | string. Output only. The result entities JSON object. |
| Union field _result_value. _result_value can be only one of the following: | |
| resultValue | string. Output only. The result value. |
| Union field _status. _status can be only one of the following: | |
| status | enum (ActionStatus). Output only. The status of the action. |
Tool Annotations
Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌

