
Hey folks!

 

In Q3, it was announced that Data Tables are now officially GA and, alongside that, the Google Chronicle integration was updated with new actions that allow you to interact with them. In this guide, I will go through all relevant actions and explain how they work.

 

If you are not familiar with Data Tables, please check this documentation.

 

❗️❗️Important Note: Data Table actions are only supported with the Chronicle API; the Backstory API doesn’t support them. To switch the integration to the Chronicle API, adjust the API Root in the integration configuration. Keep in mind that this affects the whole integration, and some action outputs differ slightly when executed with the Chronicle API.❗️❗️

 

Initial State

To make it easier to follow the guide, I am going to define an initial state of a Data Table that will be used as a reference throughout the guide:

 

 

Get Data Tables Action

The purpose of this action is to allow you to fetch information about the available Data Tables (including their rows). As part of the action you can apply filters and narrow down which Data Table you want to fetch.

 

The action returns the available rows in the JSON Result only if “Expanded Rows” is enabled. If all you need is to check whether a Data Table contains a specific value somewhere, use the “Is Value In Data Table” action instead.

 

Here is an example configuration, where I want to fetch information about “Community_Data_Table” with its rows:

 

And here is the JSON Result:

[
  {
    "name": "projects/cca-soarapitest-1732247865/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/Community_Data_Table",
    "displayName": "Community_Data_Table",
    "createTime": "2025-08-06T12:41:45.421508Z",
    "updateTime": "2025-08-06T12:47:32.855797Z",
    "columnInfo": [
      {
        "originalColumn": "Car",
        "columnType": "STRING"
      },
      {
        "columnIndex": 1,
        "originalColumn": "Owner",
        "columnType": "STRING"
      },
      {
        "columnIndex": 2,
        "originalColumn": "Color",
        "columnType": "STRING"
      }
    ],
    "dataTableUuid": "0ff5c1c8218949099e9c1648a4b63db1",
    "approximateRowCount": "3",
    "rows": [
      {
        "name": "projects/cca-soarapitest-1732247865/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/Community_Data_Table/dataTableRows/0355c6592e202794ede9566174b1bc45",
        "values": {
          "Car": "Ford",
          "Owner": "Andy",
          "Color": "White"
        },
        "createTime": "2025-08-06T12:42:32.883055Z",
        "updateTime": "2025-08-06T12:42:32.883055Z"
      },
      {
        "name": "projects/cca-soarapitest-1732247865/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/Community_Data_Table/dataTableRows/0d381ffd673dd46565d8f9bcb6819e99",
        "values": {
          "Car": "Honda",
          "Owner": "Dori",
          "Color": "Blue"
        },
        "createTime": "2025-08-06T12:42:32.883055Z",
        "updateTime": "2025-08-06T12:42:32.883055Z"
      },
      {
        "name": "projects/cca-soarapitest-1732247865/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/Community_Data_Table/dataTableRows/e9d53e34228c5527043291e0508eec62",
        "values": {
          "Car": "Toyota",
          "Owner": "Peter",
          "Color": "Green"
        },
        "createTime": "2025-08-06T12:42:32.883055Z",
        "updateTime": "2025-08-06T12:42:32.883055Z"
      }
    ]
  }
]

To make it easier to work with the data in playbooks, we’ve made some changes to the Raw API Response before returning it as the JSON Result. In the rows, you can clearly see the value of each column. Because the values are keyed by column name, you can prepare stable placeholders to use elsewhere.

 

Add Rows To Data Table Action

The purpose of this action is to populate the Data Tables with new information. For example, if you have a dedicated Data Table for tracking true positive alerts and affected IOCs, then you can use this action to automatically add new information via Playbook.  

 

How to work with “Rows” parameter

The “Rows” parameter expects a list of JSON objects in the following format:

[
  {
    "columnName1": "value1",
    "columnName2": "value2"
  },
  {
    "columnName1": "value1",
    "columnName2": "value2"
  }
]

Each entry in the list is going to be added as a separate row in the Data Table.


For example, if I want to add 2 new entries to the “Community_Data_Table”, then I would need to prepare the following payload:

[
  {
    "Car": "Fiat",
    "Owner": "Dan",
    "Color": "Blue"
  },
  {
    "Car": "Honda",
    "Owner": "Anna",
    "Color": "White"
  }
]

After executing the action, we can see that the Data Table was updated:

 

The action has built-in validation of the payload. The entries are added to the Data Table only if every object in “Rows” is valid.

All columns must be provided, even if you don’t have a value for one of them. For example:

[
  {
    "Car": "Fiat",
    "Owner": "",
    "Color": "Yellow"
  }
]

And it will also be added to the Data Table:
 

 

Remove Rows From Data Table Action

The purpose of this action is to remove rows from a Data Table, for example when an entry turns out to be a false positive and the data needs to be removed so it doesn’t cause confusion.

 

How to work with “Rows” parameter

The input here expects the payload in the same format as in the “Add Rows To Data Table” action:

[
  {
    "columnName1": "value1",
    "columnName2": "value2"
  },
  {
    "columnName1": "value1",
    "columnName2": "value2"
  }
]

But it’s important to understand how the rows are matched. Unlike the “Add Rows To Data Table” action, you can provide only one column with a value, and the action will then search for any row where that column has the same value. Let’s look at some examples.

Example #1

If you provide the following payload:

[
  {
    "Color": "Blue"
  }
]

In our Data Table, there are 2 rows, where “Color” == “Blue”:

 

So, in this case, these 2 Rows will be removed.

Example #2

If you provide the following payload:

[
  {
    "Car": "Fiat",
    "Color": "Blue"
  }
]

In this case, the matching logic will search for any “Car” == “Fiat” AND “Color” == “Blue”. In our table, there is only one row like this:

Example #3

If you provide the following payload:

[
  {
    "Car": "Fiat",
    "Color": "Blue"
  },
  {
    "Color": "Green"
  }
]

Then the action matches each entry separately. So, with this configuration, the action removes rows that either have “Car” == “Fiat” AND “Color” == “Blue”, OR have “Color” == “Green”.

 

Just like the “Add Rows To Data Table” action, this action validates the payload to make sure that valid input is provided before making changes.
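As an added example (not code from the post or from the integration), here is a local “dry run” of the Add Rows and Remove Rows payload rules described above, so a playbook author can preview which rows a removal payload would match before the action deletes anything. The table snapshot is constructed from the post’s Community_Data_Table after the two Add Rows examples; the function names and the rejection of unknown column names are assumptions.

```python
# Added example (not from the post or the integration): a local "dry run" of the
# Add Rows / Remove Rows payload rules described above, so a playbook author can
# preview which rows a removal payload would match before running the action.
# TABLE is constructed from the post's Community_Data_Table after the two Add Rows
# examples; the function names and the unknown-column check are assumptions.

COLUMNS = ["Car", "Owner", "Color"]
TABLE = [
    {"Car": "Ford", "Owner": "Andy", "Color": "White"},
    {"Car": "Honda", "Owner": "Dori", "Color": "Blue"},
    {"Car": "Toyota", "Owner": "Peter", "Color": "Green"},
    {"Car": "Fiat", "Owner": "Dan", "Color": "Blue"},
    {"Car": "Honda", "Owner": "Anna", "Color": "White"},
    {"Car": "Fiat", "Owner": "", "Color": "Yellow"},
]


def validate_add_rows(rows, columns=COLUMNS):
    """Add Rows rule: every object must carry every column (an empty string is
    fine) and no unknown columns. Returns a list of error messages (empty = valid)."""
    errors = []
    for i, row in enumerate(rows):
        if not isinstance(row, dict):
            errors.append(f"row {i}: not a JSON object")
            continue
        missing = [c for c in columns if c not in row]
        unknown = [c for c in row if c not in columns]
        if missing:
            errors.append(f"row {i}: missing columns {missing}")
        if unknown:
            errors.append(f"row {i}: unknown columns {unknown}")
    return errors


def match_rows_for_removal(rows, table=TABLE, columns=COLUMNS):
    """Remove Rows rule: each payload entry is matched on its own; inside an entry
    every given column must match (AND); a table row is removed if any entry
    matches it (OR). Entries must name at least one known column."""
    for i, entry in enumerate(rows):
        unknown = [c for c in entry if c not in columns]
        if not entry or unknown:
            raise ValueError(f"entry {i}: empty or unknown columns {unknown}")
    return [
        row for row in table
        if any(all(row.get(c) == v for c, v in entry.items()) for entry in rows)
    ]
```

Running the three removal payloads from the examples above against the snapshot returns 2, 1 and 2 rows respectively, which is the quickest way to catch a payload that is broader than intended.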

 

Is Value In Data Table Action

Arguably, this is the most interesting action of the list. Its purpose is to find out whether a provided value exists in a Data Table and to return the matched rows. The action supports case-insensitive search and also lets you keep the configuration very high level.

 

How to configure this action?

The minimum configuration for this action consists only of the name of the Data Table and the values you are searching for. You can provide a comma-separated list of values. Each value is searched separately, and the JSON Result contains a dedicated entry per value provided.

 

If you want to be more precise, then in “Column” parameter you can provide a comma-separated list of columns, where the action should search for the values. This can optimize the action and also remove potential false positives.

 

Example #1

Let’s check whether “Anna” appears anywhere in our Data Table. The configuration of the action will look like this:
 

And here is the JSON Result:

[
  {
    "Entity": "Anna",
    "EntityResult": {
      "is_found": true,
      "matched_rows": [
        {
          "name": "projects/cca-soarapitest-1732247865/locations/us/instances/df6f1958-0381-41f9-8794-08a3229744a5/dataTables/Community_Data_Table/dataTableRows/b7b2079cdda89b06139beb904d2fbac1",
          "values": {
            "Car": "Honda",
            "Owner": "Anna",
            "Color": "White"
          },
          "createTime": "2025-08-06T13:29:44.686783Z",
          "updateTime": "2025-08-06T13:29:44.686783Z"
        }
      ]
    }
  }
]

Example #2

This time let’s check if “Anna” is available under column “Color”. The action configuration will look like this:

As expected, this time there was no match:

[
  {
    "Entity": "Anna",
    "EntityResult": {
      "is_found": false,
      "matched_rows": []
    }
  }
]

 

This action also validates the columns that were provided, so you don’t need to worry that an invalid configuration will make the action silently find nothing.
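As an added example (not the integration’s code), here is reference logic for the “Is Value In Data Table” search described in this section, returning results in the same shape as the action’s JSON Result shown above (with matched_rows holding just the row values). The search is case-insensitive, the optional “Column” list narrows it, and an unknown column raises an error instead of a silent “not found”. The table snapshot is constructed from the post; the function name and parameters are assumptions.

```python
# Added example (not the integration's code): reference logic for the
# "Is Value In Data Table" search described above, returning the same shape as the
# action's JSON Result. Search is case-insensitive; "columns" narrows the search
# and must name existing columns, otherwise a ValueError is raised instead of a
# silent "not found". TABLE is constructed from the post; names are hypothetical.

COLUMNS = ["Car", "Owner", "Color"]
TABLE = [
    {"Car": "Ford", "Owner": "Andy", "Color": "White"},
    {"Car": "Honda", "Owner": "Dori", "Color": "Blue"},
    {"Car": "Toyota", "Owner": "Peter", "Color": "Green"},
    {"Car": "Fiat", "Owner": "Dan", "Color": "Blue"},
    {"Car": "Honda", "Owner": "Anna", "Color": "White"},
    {"Car": "Fiat", "Owner": "", "Color": "Yellow"},
]


def is_value_in_data_table(values, columns=None, table=TABLE, all_columns=COLUMNS):
    """values: comma-separated string or list of strings to search for.
    columns: optional comma-separated string or list restricting the search."""
    if isinstance(values, str):
        values = [v.strip() for v in values.split(",") if v.strip()]
    if columns is None:
        columns = list(all_columns)
    elif isinstance(columns, str):
        columns = [c.strip() for c in columns.split(",") if c.strip()]
    unknown = [c for c in columns if c not in all_columns]
    if unknown:
        raise ValueError(f"unknown columns: {unknown}")
    results = []
    for value in values:
        needle = value.casefold()  # case-insensitive comparison
        matched = [
            row for row in table
            if any(str(row.get(c, "")).casefold() == needle for c in columns)
        ]
        results.append({
            "Entity": value,
            "EntityResult": {"is_found": bool(matched), "matched_rows": matched},
        })
    return results
```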

 

Conclusion

Data Tables are a very powerful tool, and there is a lot of value to be extracted from them. In combination with automation, you can leverage Data Tables for enrichment and highlight critical information to the Security Analysts.

 

If there are any questions, feel free to share in the comments!
