Tables are the built-in structured data store behind core.table.*. Use them when your workflows need durable, queryable records such as asset inventories, user allowlists, enrichment results, or investigation evidence.

What tables are good for

  • Persisting enrichment data across workflow runs
  • Looking up records by a known field such as hostname, email, or indicator
  • Searching and exporting structured data for analysts
  • Attaching case context to reusable datasets

Common workflow pattern

Most table workflows follow the same lifecycle:
  1. Create the table once with a schema that fits your data.
  2. Insert or upsert rows as new events arrive.
  3. Look up, search, or export rows later from another workflow step.

- ref: ensure_inventory_table
  action: core.table.create_table
  args:
    name: asset_inventory
    columns:
      - name: hostname
        type: text
      - name: owner
        type: text
      - name: last_seen
        type: timestamptz
    raise_on_duplicate: false
- ref: upsert_asset
  action: core.table.insert_row
  args:
    table: asset_inventory
    upsert: true
    row_data:
      hostname: ${{ TRIGGER.hostname }}
      owner: ${{ TRIGGER.owner }}
      last_seen: ${{ FN.now() }}
- ref: find_asset
  action: core.table.lookup
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}

Notes

  • Use lookup or is_in when you already know the column and value you need.
  • Use search_rows when you need broader text search or paginated results.
  • Use download when you want to export rows as JSON, NDJSON, CSV, or Markdown.

core.table.create_table

Create a new lookup table with optional columns.

Inputs

name
string
required
The name of the table to create.
columns
array[object] | null
List of column definitions. Each column should have ‘name’, ‘type’, and optionally ‘nullable’ and ‘default’ fields. Default: null.
raise_on_duplicate
boolean
If true, raise an error if the table already exists. Default: true.

Examples

Create and inspect a table
- ref: create_table
  action: core.table.create_table
  args:
    name: asset_inventory
    columns:
      - name: hostname
        type: text
      - name: owner
        type: text
    raise_on_duplicate: false
- ref: list_tables
  action: core.table.list_tables
- ref: table_metadata
  action: core.table.get_table_metadata
  args:
    name: asset_inventory

core.table.list_tables

Get a list of all available tables in the workspace.

Inputs

This action does not take input fields.

Examples

Create and inspect a table
- ref: create_table
  action: core.table.create_table
  args:
    name: asset_inventory
    columns:
      - name: hostname
        type: text
      - name: owner
        type: text
    raise_on_duplicate: false
- ref: list_tables
  action: core.table.list_tables
- ref: table_metadata
  action: core.table.get_table_metadata
  args:
    name: asset_inventory

core.table.get_table_metadata

Get a table’s metadata by name. This includes the columns and whether they are indexed.

Inputs

name
string
required
The name of the table to get.

Examples

Create and inspect a table
- ref: create_table
  action: core.table.create_table
  args:
    name: asset_inventory
    columns:
      - name: hostname
        type: text
      - name: owner
        type: text
    raise_on_duplicate: false
- ref: list_tables
  action: core.table.list_tables
- ref: table_metadata
  action: core.table.get_table_metadata
  args:
    name: asset_inventory

core.table.lookup

Get a single row from a table corresponding to the given column and value.

Inputs

column
string
required
The column to look up the value in.
table
string
required
The table to look up the value in.
value
any
required
The value to look up.

Examples

Look up rows
- ref: lookup_row
  action: core.table.lookup
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}
- ref: row_exists
  action: core.table.is_in
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}
- ref: lookup_many_rows
  action: core.table.lookup_many
  args:
    table: asset_inventory
    column: owner
    value: secops
    limit: 25

core.table.is_in

Check if a value exists in a table column.

Inputs

column
string
required
The column to check in.
table
string
required
The table to check.
value
any
required
The value to check for.

Examples

Look up rows
- ref: lookup_row
  action: core.table.lookup
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}
- ref: row_exists
  action: core.table.is_in
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}
- ref: lookup_many_rows
  action: core.table.lookup_many
  args:
    table: asset_inventory
    column: owner
    value: secops
    limit: 25

core.table.lookup_many

Get multiple rows from a table corresponding to the given column and values.

Inputs

column
string
required
The column to look up the value in.
table
string
required
The table to look up the value in.
value
any
required
The value to look up.
limit
integer
The maximum number of rows to return. Default: 100.

Examples

Look up rows
- ref: lookup_row
  action: core.table.lookup
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}
- ref: row_exists
  action: core.table.is_in
  args:
    table: asset_inventory
    column: hostname
    value: ${{ TRIGGER.hostname }}
- ref: lookup_many_rows
  action: core.table.lookup_many
  args:
    table: asset_inventory
    column: owner
    value: secops
    limit: 25

core.table.search_rows

Search for rows in a table with optional filtering.

Inputs

table
string
required
The table to search in.
cursor
string | null
Cursor for pagination. Default: null.
end_time
string | null
Filter rows created before this time. Default: null.
limit
integer
The maximum number of rows to return. Default: 100.
paginate
boolean
If true, return cursor pagination metadata along with items. Default: false.
reverse
boolean
Reverse pagination direction. Default: false.
search_term
string | null
Text to search for across all text and JSONB columns. Default: null.
start_time
string | null
Filter rows created after this time. Default: null.
updated_after
string | null
Filter rows updated after this time. Default: null.
updated_before
string | null
Filter rows updated before this time. Default: null.

Examples

Search table rows
- ref: search_rows
  action: core.table.search_rows
  args:
    table: asset_inventory
    search_term: database
    limit: 50
    paginate: true

core.table.insert_row

Insert a row into a table.

Inputs

row_data
object
required
The data to insert into the row.
table
string
required
The table to insert the row into.
upsert
boolean
If true, update the row if it already exists (based on primary key). Default: false.

Examples

Insert, update, and delete rows
- ref: insert_row
  action: core.table.insert_row
  args:
    table: asset_inventory
    row_data:
      hostname: app-01
      owner: secops
- ref: insert_rows
  action: core.table.insert_rows
  args:
    table: asset_inventory
    rows_data:
      - hostname: app-02
        owner: secops
      - hostname: app-03
        owner: platform
- ref: update_row
  action: core.table.update_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}
    row_data:
      owner: incident-response
- ref: delete_row
  action: core.table.delete_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}

core.table.insert_rows

Insert multiple rows into a table.

Inputs

rows_data
array[object]
required
The list of data to insert into the table.
table
string
required
The table to insert the rows into.
upsert
boolean
If true, update the rows if they already exist (based on primary key). Default: false.

Examples

Insert, update, and delete rows
- ref: insert_row
  action: core.table.insert_row
  args:
    table: asset_inventory
    row_data:
      hostname: app-01
      owner: secops
- ref: insert_rows
  action: core.table.insert_rows
  args:
    table: asset_inventory
    rows_data:
      - hostname: app-02
        owner: secops
      - hostname: app-03
        owner: platform
- ref: update_row
  action: core.table.update_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}
    row_data:
      owner: incident-response
- ref: delete_row
  action: core.table.delete_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}

core.table.update_row

Update a row in a table.

Inputs

row_data
object
required
The new data for the row.
row_id
string
required
The ID of the row to update.
table
string
required
The table to update the row in.

Examples

Insert, update, and delete rows
- ref: insert_row
  action: core.table.insert_row
  args:
    table: asset_inventory
    row_data:
      hostname: app-01
      owner: secops
- ref: insert_rows
  action: core.table.insert_rows
  args:
    table: asset_inventory
    rows_data:
      - hostname: app-02
        owner: secops
      - hostname: app-03
        owner: platform
- ref: update_row
  action: core.table.update_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}
    row_data:
      owner: incident-response
- ref: delete_row
  action: core.table.delete_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}

core.table.delete_row

Delete a row from a table.

Inputs

row_id
string
required
The ID of the row to delete.
table
string
required
The table to delete the row from.

Examples

Insert, update, and delete rows
- ref: insert_row
  action: core.table.insert_row
  args:
    table: asset_inventory
    row_data:
      hostname: app-01
      owner: secops
- ref: insert_rows
  action: core.table.insert_rows
  args:
    table: asset_inventory
    rows_data:
      - hostname: app-02
        owner: secops
      - hostname: app-03
        owner: platform
- ref: update_row
  action: core.table.update_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}
    row_data:
      owner: incident-response
- ref: delete_row
  action: core.table.delete_row
  args:
    table: asset_inventory
    row_id: ${{ TRIGGER.row_id }}

core.table.download

Download a table’s data by name as a list of dicts, JSON string, NDJSON string, CSV, or Markdown.

Inputs

name
string
required
The name of the table to download.
format
string | null
The format to download the table data in. Default: null.
limit
integer
The maximum number of rows to download. Default: 1000.

Examples

Export table data
- ref: export_table
  action: core.table.download
  args:
    name: asset_inventory
    format: csv
    limit: 1000
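
An added example (not from the original page or the project): a Python audit over an NDJSON export of the asset_inventory table, as produced by core.table.download, that flags stale, unowned, and never-seen hosts. The one-object-per-line shape limited to the hostname, owner, and last_seen keys, the sample rows, and the 30-day threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumed shape: one JSON object per line).
SAMPLE_NDJSON = """\
{"hostname": "app-01", "owner": "secops", "last_seen": "2024-05-30T09:15:00+00:00"}
{"hostname": "app-02", "owner": "secops", "last_seen": "2024-03-01T12:00:00Z"}
{"hostname": "app-03", "owner": "", "last_seen": "2024-05-29T18:40:00+00:00"}
{"hostname": "db-01", "owner": "platform", "last_seen": null}
not-json
"""

def parse_ts(value):
    """Parse an ISO 8601 timestamp; return None if missing or invalid."""
    if not isinstance(value, str) or not value:
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    # Treat naive timestamps as UTC so comparisons never raise.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_inventory(ndjson_text, now, max_age=timedelta(days=30)):
    """Classify exported rows; malformed lines are reported by line number."""
    findings = {"stale": [], "unowned": [], "never_seen": [], "malformed": []}
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            findings["malformed"].append(lineno)
            continue
        if not isinstance(row, dict) or not row.get("hostname"):
            findings["malformed"].append(lineno)
            continue
        host = row["hostname"]
        if not str(row.get("owner") or "").strip():
            findings["unowned"].append(host)
        seen = parse_ts(row.get("last_seen"))
        if seen is None:
            findings["never_seen"].append(host)
        elif now - seen > max_age:
            findings["stale"].append(host)
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(json.dumps(audit_inventory(SAMPLE_NDJSON, now), indent=2))
```
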