Integrations

Core Actions

Core action namespaces are prefixed with core..

Namespace	Function	Secrets
core	http_poll	`ssl`
core	http_request	`ssl`
core	require	-
core	send_email_smtp	`smtp`
core.cases	create_case	-
core.cases	create_comment	-
core.cases	get_case	-
core.cases	list_cases	-
core.cases	list_comments	-
core.cases	update_case	-
core.cases	update_comment	-
core.cases	search_cases	-
core.table	delete_row	-
core.table	insert_row	-
core.table	lookup	-
core.table	lookup_many	-
core.table	update_row	-
core.transform	apply	-
core.transform	deduplicate	-
core.transform	filter	-
core.transform	is_in	-
core.transform	map	-
core.transform	not_in	-
core.transform	reshape	-
core.workflow	execute	-

AI Actions

Namespace	Function	Secrets
ai	action	-
ai	agent	-
ai	slackbot	-

Integration namespaces are prefixed with tools..

Workspace Variables for Base URLs

Many integrations support workspace variables for base URLs, allowing you to configure them once at the workspace level instead of repeating them in every workflow action. Supported integrations:

Splunk: VARS.splunk.base_url
Elasticsearch: VARS.elasticsearch.base_url
Okta: VARS.okta.base_url
SentinelOne: VARS.sentinel_one.base_url
Jira: VARS.jira.base_url
Gophish: VARS.gophish.base_url
And many more (alertmedia, datadog, elastic_security, okta_oar, ollama, openai, sublime, wazuh)

How it works:

Create a workspace variable with the integration name (e.g., splunk) and key base_url
Set the value to your instance URL (e.g., https://splunk.example.com:8089)
In workflow actions, the base_url input is now optional and will use the workspace variable as a fallback
You can still override the workspace variable by explicitly providing a base_url in specific actions

Example:

# Workspace variable: splunk.base_url = https://splunk.example.com:8089
# Action will use the workspace variable
- ref: search_splunk
  action: tools.splunk.search_events
  args:
    query: "search index=main error"
    # base_url not needed - uses VARS.splunk.base_url

# Or override for specific actions
- ref: search_different_instance
  action: tools.splunk.search_events
  args:
    query: "search index=main error"
    base_url: https://splunk-dev.example.com:8089  # Explicit override

Namespace	Function	Secrets
tools.alertmedia	create_trip	`alertmedia`, `ssl`
tools.alertmedia	delete_trip	`alertmedia`, `ssl`
tools.alertmedia	get_travel_events	`alertmedia`, `ssl`
tools.alertmedia	get_user_trip_by_id	`alertmedia`, `ssl`
tools.alertmedia	get_user_trips	`alertmedia`, `ssl`
tools.alertmedia	search_trips	`alertmedia`, `ssl`
tools.alertmedia	search_users	`alertmedia`, `ssl`
tools.alertmedia	update_trip	`alertmedia`, `ssl`
tools.amazon_s3	download_object	`amazon_s3`
tools.amazon_s3	parse_uri	`amazon_s3`
tools.ansible	run_playbook	`ansible`
tools.aws_boto3	call_api	`aws`
tools.aws_boto3	call_paginated_api	`aws`
tools.crowdsec	lookup_ip_address	`crowdsec_cti`, `ssl`
tools.crowdstrike	list_alerts	`crowdstrike`
tools.crowdstrike	list_cases	`crowdstrike`
tools.crowdstrike	list_detects	`crowdstrike`
tools.datadog	list_security_signals	`datadog`, `ssl`
tools.elastic_security	list_detection_signals	`elastic_security`, `ssl`
tools.falconpy	call_command	`crowdstrike`
tools.google_api	get_access_token	`google_api`
tools.google_maps	get_location_data	`google_maps`, `ssl`
tools.gophish	create_campaign	`gophish`
tools.gophish	create_group	`gophish`
tools.gophish	create_landing_page	`gophish`
tools.gophish	create_sending_profile	`gophish`
tools.gophish	create_template	`gophish`
tools.gophish	delete_campaign	`gophish`
tools.gophish	delete_group	`gophish`
tools.gophish	delete_landing_page	`gophish`
tools.gophish	delete_sending_profile	`gophish`
tools.gophish	delete_template	`gophish`
tools.gophish	get_campaign	`gophish`
tools.gophish	get_campaign_results	`gophish`
tools.gophish	get_campaign_summary	`gophish`
tools.gophish	get_group	`gophish`
tools.gophish	get_group_summary	`gophish`
tools.gophish	get_landing_page	`gophish`
tools.gophish	get_sending_profile	`gophish`
tools.gophish	get_template	`gophish`
tools.gophish	list_campaigns	`gophish`
tools.gophish	list_groups	`gophish`
tools.gophish	list_groups_summary	`gophish`
tools.gophish	list_landing_pages	`gophish`
tools.gophish	list_sending_profiles	`gophish`
tools.gophish	list_templates	`gophish`
tools.gophish	modify_group	`gophish`
tools.gophish	modify_landing_page	`gophish`
tools.gophish	modify_sending_profile	`gophish`
tools.gophish	modify_template	`gophish`
tools.hackerone	get_program	`hackerone`, `ssl`
tools.hackerone	get_programs	`hackerone`, `ssl`
tools.hackerone	get_report	`hackerone`, `ssl`
tools.hackerone	get_reports	`hackerone`, `ssl`
tools.hibp	check_email_breaches	`hibp`, `ssl`
tools.hibp	check_email_pastes	`hibp`, `ssl`
tools.hibp	get_all_breaches	`ssl`
tools.hibp	get_breach_details	`ssl`
tools.hibp	get_data_classes	`ssl`
tools.hibp	get_latest_breach	`ssl`
tools.ipinfo	lookup_ip_address	`ipinfo`, `ssl`
tools.jira	add_issue_comment	`jira`, `ssl`
tools.jira	assign_issue	`jira`, `ssl`
tools.jira	create_issue	`jira`, `ssl`
tools.jira	get_fields	`jira`, `ssl`
tools.jira	get_issue	`jira`, `ssl`
tools.jira	get_priorities	`jira`, `ssl`
tools.jira	get_priority_schemes	`jira`, `ssl`
tools.jira	get_projects	`jira`, `ssl`
tools.jira	get_transitions	`jira`, `ssl`
tools.jira	get_user_id	`jira`, `ssl`
tools.jira	search_issues	`jira`, `ssl`
tools.jira	update_issue_description	`jira`, `ssl`
tools.jira	update_issue_fields	`jira`, `ssl`
tools.jira	update_issue_status	`jira`, `ssl`
tools.jira	upload_attachment	`jira`, `ssl`
tools.ldap	add_entry	`ldap`
tools.leakcheck	search_domain_leak	`leakcheck_api`
tools.leakcheck	search_email_leak	`leakcheck_api`
tools.ldap	delete_entry	`ldap`
tools.ldap	modify_entry	`ldap`
tools.ldap	search_entries	`ldap`
tools.okta	activate_user	`okta`, `ssl`
tools.okta	add_to_group	`okta`, `ssl`
tools.okta	assign_group_to_app	`okta`, `ssl`
tools.okta	clear_user_sessions	`okta`, `ssl`
tools.okta	create_user	`okta`, `ssl`
tools.okta	expire_password	`okta`, `ssl`
tools.okta	expire_password_with_temporary_password	`okta`, `ssl`
tools.okta	get_group_members	`okta`, `ssl`
tools.okta	get_groups_assigned_to_user	`okta`, `ssl`
tools.okta	get_user	`okta`, `ssl`
tools.okta	list_groups_in_org	`okta`, `ssl`
tools.okta	list_users	`okta`, `ssl`
tools.okta	lookup_user_by_email	`okta`, `ssl`
tools.okta	remove_from_group	`okta`, `ssl`
tools.okta	reset_password	`okta`, `ssl`
tools.okta	revoke_sessions	`okta`, `ssl`
tools.okta	search_users	`okta`, `ssl`
tools.okta	suspend_user	`okta`, `ssl`
tools.okta	unsuspend_user	`okta`, `ssl`
tools.okta_oar	create_message	`okta`, `ssl`
tools.okta_oar	get_requests	`okta`, `ssl`
tools.okta_oar	get_specific_request	`okta`, `ssl`
tools.okta_oar	get_user	`okta`, `ssl`
tools.pagerduty	acknowledge_event	-
tools.pagerduty	get_all_schedules	`pagerduty`
tools.pagerduty	get_contact_methods	`pagerduty`
tools.pagerduty	get_incident_data	`pagerduty`
tools.pagerduty	get_incidents	`pagerduty`
tools.pagerduty	get_user_notification_rules	`pagerduty`
tools.pagerduty	get_users_on_call	`pagerduty`
tools.pagerduty	resolve_event	`pagerduty`
tools.pagerduty	trigger_event	-
tools.phishlabs	get_case_data	`phishlabs`
tools.phishlabs	get_feed_data	`phishlabs`
tools.phishlabs	get_threat_data	`phishlabs`
tools.pymongo	execute_operation	`mongodb`
tools.sentinel_one	list_threats	`sentinel_one`, `ssl`
tools.slack	ask_text_input	`slack`
tools.slack	lookup_user_by_email	`slack`
tools.slack	post_message	`slack`
tools.slack	post_notification	`slack`
tools.slack	post_update	`slack`
tools.slack	revoke_sessions	`slack`
tools.slack_sdk	call_method	`slack`
tools.slack_sdk	call_paginated_method	`slack`
tools.splunk	add_kv_fields	`splunk`, `ssl`
tools.splunk	create_kv_collection	`splunk`, `ssl`
tools.splunk	create_kv_entry	`splunk`, `ssl`
tools.splunk	delete_kv_collection	`splunk`, `ssl`
tools.splunk	delete_kv_entry	`splunk`, `ssl`
tools.splunk	discover_fields	`splunk`, `ssl`
tools.splunk	get_kv_collection	`splunk`, `ssl`
tools.splunk	get_kv_entry	`splunk`, `ssl`
tools.splunk	list_data_models	`splunk`, `ssl`
tools.splunk	list_field_extractions	`splunk`, `ssl`
tools.splunk	list_indexes	`splunk`, `ssl`
tools.splunk	list_kv_collections	`splunk`, `ssl`
tools.splunk	list_kv_entries	`splunk`, `ssl`
tools.splunk	list_sourcetypes	`splunk`, `ssl`
tools.splunk	search_events	`splunk`, `ssl`
tools.splunk	submit_hec_event	`splunk_hec`, `ssl`
tools.splunk	update_kv_entry	`splunk`, `ssl`
tools.threatstream	lookup_domain	`ssl`, `threatstream`
tools.threatstream	lookup_email	`ssl`, `threatstream`
tools.threatstream	lookup_file_hash	`ssl`, `threatstream`
tools.threatstream	lookup_ip_address	`ssl`, `threatstream`
tools.threatstream	lookup_url	`ssl`, `threatstream`
tools.urlscan	lookup_url	`ssl`, `urlscan`
tools.virustotal	lookup_domain	`ssl`, `virustotal`
tools.virustotal	lookup_file_hash	`ssl`, `virustotal`
tools.virustotal	lookup_ip_address	`ssl`, `virustotal`
tools.virustotal	lookup_url	`ssl`, `virustotal`
tools.wazuh	active_response	`ssl`, `wazuh_wui`
tools.wazuh	get_access_token	`wazuh_wui`
tools.wazuh	update_agents	`ssl`, `wazuh_wui`
tools.zendesk	get_group_users	`zendesk`, `ssl`
tools.zendesk	get_groups	`zendesk`, `ssl`
tools.zendesk	get_ticket	`zendesk`, `ssl`
tools.zendesk	get_ticket_attachments	`zendesk`, `ssl`
tools.zendesk	get_ticket_comments	`zendesk`, `ssl`
tools.zendesk	get_twilio_recordings	`zendesk`, `ssl`
tools.zendesk	search_tickets	`zendesk`, `ssl`

Credentials

Tracecat uses secret keys associated with each integration for 3rd-party authentication. Find out more about how secrets work in Tracecat here.

Secret Name	Required Keys	Optional Keys
`alertmedia`	`ALERTMEDIA_API_KEY`	-
`amazon_s3`	-	`AWS_ACCESS_KEY_ID` `AWS_PROFILE` `AWS_REGION` `AWS_ROLE_ARN` `AWS_ROLE_SESSION_NAME` `AWS_SECRET_ACCESS_KEY`
`ansible`	`ANSIBLE_SSH_KEY`	`ANSIBLE_PASSWORDS`
`aws`	-	`AWS_ACCESS_KEY_ID` `AWS_PROFILE_NAME` `AWS_REGION` `AWS_ROLE_ARN` `AWS_ROLE_SESSION_NAME` `AWS_SECRET_ACCESS_KEY`
`check_point_infinity`	`CHECKPOINT_ACCESS_KEY` `CHECKPOINT_CLIENT_ID`	-
`crowdsec_cti`	`CTI_API_KEY`	-
`crowdstrike`	`CROWDSTRIKE_CLIENT_ID` `CROWDSTRIKE_CLIENT_SECRET`	-
`datadog`	`DATADOG_API_KEY` `DATADOG_APP_KEY`	-
`elastic_security`	`ELASTIC_API_KEY`	-
`gophish`	`GOPHISH_API_KEY`	-
`google_api`	`GOOGLE_API_CREDENTIALS`	-
`google_maps`	`GOOGLE_MAPS_API_KEY`	-
`hackerone`	`HACKERONE_API_USERNAME` `HACKERONE_API_TOKEN`	-
`hibp`	`HIBP_API_KEY`	-
`ipinfo`	`IPINFO_API_TOKEN`	-
`jamf`	`JAMF_CLIENT_ID` `JAMF_CLIENT_SECRET`	-
`jira`	`JIRA_API_TOKEN` `JIRA_USEREMAIL`	-
`kubernetes`	`KUBECONFIG_BASE64`	-
`ldap`	`LDAP_HOST` `LDAP_PASSWORD` `LDAP_PORT` `LDAP_USER`	-
`microsoft_graph`	`MICROSOFT_GRAPH_CLIENT_ID` `MICROSOFT_GRAPH_CLIENT_SECRET`	-
`mongodb`	`MONGODB_CONNECTION_STRING`	-
`okta`	`OKTA_API_TOKEN`	-
`openai`	`OPENAI_API_KEY`	-
`opencti`	`OPENCTI_API_TOKEN`	-
`pagerduty`	`PAGERDUTY_API_TOKEN`	-
`phishlabs`	`PL_CLIENT_ID` `PL_CLIENT_SECRET` `PL_CUSTOMER_ID` `PL_PASSWORD` `PL_USERNAME`	-
`sentinel_one`	`SENTINEL_ONE_API_TOKEN`	-
`slack`	`SLACK_BOT_TOKEN`	-
`smtp`	`SMTP_HOST` `SMTP_PASS` `SMTP_PORT` `SMTP_USER`	-
`splunk`	`SPLUNK_API_KEY`	-
`splunk_hec`	`SPLUNK_HEC_TOKEN`	-
`ssl`	-	`SSL_CLIENT_CERT` `SSL_CLIENT_KEY` `SSL_CLIENT_PASSWORD`
`thehive`	`THEHIVE_API_KEY`	-
`threatstream`	`ANOMALI_API_KEY` `ANOMALI_USERNAME`	-
`urlscan`	`URLSCAN_API_KEY`	-
`virustotal`	`VIRUSTOTAL_API_KEY`	-
`wazuh_wui`	`WAZUH_WUI_PASSWORD` `WAZUH_WUI_USERNAME`	-
`wiz`	`WIZ_CLIENT_ID` `WIZ_CLIENT_SECRET`	-
`zendesk`	`ZENDESK_EMAIL` `ZENDESK_API_TOKEN`	-

​Core Actions

​AI Actions

​Integrations

​Workspace Variables for Base URLs

​Credentials

Core Actions

AI Actions

Integrations

Workspace Variables for Base URLs

Credentials