Tool: list_data_table_rows
List rows in a data table in Chronicle SIEM.
Retrieves and displays the contents of a data table, showing all rows and their data. This is useful for reviewing table contents and verifying data integrity.
Workflow Integration:
- Use to verify data table contents after creation or updates.
- Essential for auditing data quality and consistency in security context tables.
- Helps understand available data when developing or troubleshooting detection rules.
Use Cases:
- Review threat intelligence data before creating detection rules.
- Verify that asset inventory data is current and accurate.
- Audit user role mappings for consistency and completeness.
Example Usage:
-
list_data_table_rows(tableName="suspicious_ips", projectId="my-project", customerId="my-customer", region="us")
Next Steps:
- Add more rows using
add_rows_to_data_table. - Delete rows using
delete_data_table_row.
The following sample demonstrate how to use curl
to invoke the list_data_table_rows
MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "list_data_table_rows", "arguments": { // provide these details according to the tool' s MCP specification } } , "jsonrpc" : "2.0" , "id" : 1 } ' |
Input Schema
Request message for ListDataTableRows.
ListDataTableRowsRequest
| JSON representation |
|---|
{ "projectId" : string , "customerId" : string , "region" : string , "tableName" : string , "pageSize" : integer , "pageToken" : string , "filter" : string } |
| Fields | |
|---|---|
projectId
|
Required. Google Cloud project ID. |
customerId
|
Required. Chronicle customer ID. |
region
|
Required. Chronicle region (e.g., "us", "europe"). |
tableName
|
Name of the data table to list rows from. |
pageSize
|
Maximum number of rows to return. Defaults to 50. |
pageToken
|
Pagination token. |
filter
|
Filter string for row values (case-insensitive substring match). |
Output Schema
Response message for listing data table rows.
ListDataTableRowsResponse
| JSON representation |
|---|
{
"dataTableRows"
:
[
{
object (
|
| Fields | |
|---|---|
dataTableRows[]
|
The list of the data table rows returned. |
nextPageToken
|
Optional. A token, which can be sent as |
DataTableRow
| JSON representation |
|---|
{ "name" : string , "values" : [ string ] , "createTime" : string , "updateTime" : string , "rowTimeToLive" : string } |
| Fields | |
|---|---|
name
|
Identifier. The resource name of the data table Format: projects/{project}/locations/{location}/instances/{instance}/dataTables/{data_table}/dataTableRows/{data_table_row} |
values[]
|
Required. All column values for a single row. The values should be in the same order as the columns of the data tables. |
createTime
|
Output only. DataTableRow create time Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
updateTime
|
Output only. DataTableRow update time Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
rowTimeToLive
|
Optional. User-provided TTL of the data table row. |
Timestamp
| JSON representation |
|---|
{ "seconds" : string , "nanos" : integer } |
| Fields | |
|---|---|
seconds
|
Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
nanos
|
Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌
