Cheatsheets
Integrations
Cheatsheets
Integrations
A cheatsheet of all the integrations and their required secrets.
API Credentials
The secret keys required by each secret are listed below.
| Secret Name | Required Keys | Optional Keys |
|---|---|---|
abuseipdb | ABUSEIPDB_API_KEY | - |
alienvault | OTX_API_KEY | - |
aws | AWS_ACCESS_KEY_ID AWS_REGION AWS_SECRET_ACCESS_KEY | - |
censys | CENSYS_API_KEY | - |
checkpoint | CHECKPOINT_ACCESS_KEY CHECKPOINT_API_URL CHECKPOINT_AUTH_URL CHECKPOINT_CLIENT_ID | - |
crowdsec | CROWDSEC_API_KEY | - |
crowdsec | CROWDSEC_API_TOKEN | - |
crowdstrike | CROWDSTRIKE_CLIENT_ID CROWDSTRIKE_CLIENT_SECRET | - |
datadog | DATADOG_API_KEY DATADOG_APP_KEY | - |
elastic | ELASTIC_API_KEY ELASTIC_API_URL | - |
emailrep | EMAILREP_API_KEY | - |
hybrid_analysis | HYBRID_ANALYSIS_API_KEY | - |
jira | - | JIRA_API_TOKEN JIRA_BASE64_TOKEN JIRA_USEREMAIL |
ldap | LDAP_BIND_DN LDAP_BIND_PASS LDAP_HOST LDAP_PORT | - |
limacharlie | LIMACHARLIE_SECRET LIMACHARLIE_UID | LIMACHARLIE_OID |
llm | - | OPENAI_API_KEY |
malwarebazaar | MALWAREBAZAAR_API_KEY | - |
microsoft_graph | MICROSOFT_GRAPH_CLIENT_ID MICROSOFT_GRAPH_CLIENT_SECRET MICROSOFT_GRAPH_TENANT_ID | MICROSOFT_GRAPH_SCOPE |
mongodb | MONGODB_CONNECTION_STRING | - |
okta | OKTA_API_TOKEN OKTA_BASE_URL | - |
pulsedive | PULSEDIVE_API_KEY | - |
sentinel_one | SENTINEL_ONE_API_TOKEN SENTINEL_ONE_BASE_URL | - |
shodan | SHODAN_API_KEY | - |
slack | SLACK_BOT_TOKEN | - |
virustotal | VIRUSTOTAL_API_KEY | - |
wiz | WIZ_API_URL WIZ_AUTH_URL WIZ_CLIENT_ID WIZ_CLIENT_SECRET | - |
Core Actions
Note that the fully qualified namespace for each Core Action UDF is prefixed with core..
| Sub-namespace | Function | Secrets |
|---|---|---|
| core | ai_action | llm |
| core | http_request | - |
| core | send_email_smtp | - |
| core.transform | build_reference_table | - |
| core.transform | filter | - |
| core.transform | reshape | - |
| core.workflow | execute | - |
Integrations
Note that the fully qualified namespace for each Integration UDF is prefixed with integrations..
| Sub-namespace | Function | Secrets |
|---|---|---|
| integrations.abuseipdb | search_ip_address | abuseipdb |
| integrations.alienvault | search_domain | alienvault |
| integrations.alienvault | search_hostname | alienvault |
| integrations.alienvault | search_ip_address | alienvault |
| integrations.alienvault | search_malware_sample | alienvault |
| integrations.aws | call_boto3_client | aws |
| integrations.aws | call_boto3_paginator | aws |
| integrations.aws | list_findings | aws, aws, aws |
| integrations.censys | search_ip_address | censys |
| integrations.checkpoint | get_auth_token | checkpoint |
| integrations.crowdsec | block_ip_address | crowdsec |
| integrations.crowdsec | search_ip_address | crowdsec |
| integrations.crowdsec | unblock_ip_address | crowdsec |
| integrations.crowdstrike | call_falconpy_command | crowdstrike |
| integrations.crowdstrike | get_detect_summaries | crowdstrike |
| integrations.crowdstrike | list_alerts | crowdstrike |
| integrations.crowdstrike | list_detects | crowdstrike |
| integrations.crowdstrike | update_alert_status | crowdstrike |
| integrations.crowdstrike | update_detect_status | crowdstrike |
| integrations.datadog | list_alerts | datadog |
| integrations.elastic | list_alerts | elastic |
| integrations.elastic | update_alert_status | elastic |
| integrations.elastic | update_alert_status_by_ids | elastic |
| integrations.emailrep | report_email | emailrep |
| integrations.emailrep | search_email | emailrep |
| integrations.hybrid_analysis | search_malware_sample | hybrid_analysis |
| integrations.jira | create_issue | jira |
| integrations.jira | update_issue | jira |
| integrations.ldap | disable_active_directory_user | ldap |
| integrations.ldap | enable_active_directory_user | ldap |
| integrations.ldap | find_ldap_users | ldap |
| integrations.limacharlie | get_auth_token | limacharlie |
| integrations.malwarebazaar | search_malware_sample | malwarebazaar |
| integrations.microsoft_graph | get_auth_token | microsoft_graph |
| integrations.mongodb | get_document | mongodb |
| integrations.mongodb | list_documents | mongodb |
| integrations.mongodb | perform_mongodb_crud | mongodb |
| integrations.okta | expire_sessions | okta |
| integrations.okta | find_users | okta |
| integrations.okta | list_user_events | okta |
| integrations.okta | suspend_user | okta |
| integrations.okta | unsuspend_user | okta |
| integrations.pulsedive | search_ioc | pulsedive |
| integrations.sentinel_one | get_agents_by_hostname | sentinel_one |
| integrations.sentinel_one | get_agents_by_hostname_exact | sentinel_one |
| integrations.sentinel_one | get_agents_by_username | sentinel_one |
| integrations.sentinel_one | get_agents_by_username_exact | sentinel_one |
| integrations.sentinel_one | get_firewall_rules | sentinel_one |
| integrations.sentinel_one | isolate_agents | sentinel_one |
| integrations.sentinel_one | list_alerts | sentinel_one |
| integrations.sentinel_one | unisolate_agents | sentinel_one |
| integrations.sentinel_one | update_alert_status | sentinel_one |
| integrations.sentinel_one | update_firewall_rule | sentinel_one |
| integrations.shodan | search_ip_address | shodan |
| integrations.sinks | write_to_database | - |
| integrations.slack | call_paginated_slack_api | slack |
| integrations.slack | call_slack_api | slack |
| integrations.slack | list_conversations | slack |
| integrations.slack | list_users | slack |
| integrations.slack | post_message | slack |
| integrations.virustotal | search_ip_address | virustotal |
| integrations.virustotal | search_malware_sample | virustotal |
| integrations.virustotal | search_url | virustotal |
| integrations.wiz | get_auth_token | wiz |
ETL Actions
Note that the fully qualified namespace for each ETL UDF is prefixed with etl..
| Sub-namespace | Function | Secrets |
|---|---|---|
| etl.extraction | extract_emails | - |
| etl.extraction | extract_ipv4_addresses | - |
| etl.extraction | extract_urls | - |