Integrations
Secrets Cheatsheet
Integrations
Secrets Cheatsheet
A cheatsheet of all the secrets required by the UDFs and integrations.
API Credentials
The secret keys required by each secret are listed below.
| Secret Name | Secret Keys |
|---|---|
aws_guardduty | AWS_ACCESS_KEY_ID, AWS_REGION, AWS_SECRET_ACCESS_KEY |
microsoft_defender_endpoint | MICROSOFT_GRAPH_CLIENT_ID, MICROSOFT_GRAPH_CLIENT_SECRET, MICROSOFT_GRAPH_TENANT_ID |
okta | OKTA_API_TOKEN, OKTA_BASE_URL |
crowdstrike | CROWDSTRIKE_CLIENT_ID, CROWDSTRIKE_CLIENT_SECRET |
slack | SLACK_BOT_TOKEN |
microsoft_defender_cloud | MICROSOFT_GRAPH_CLIENT_ID, MICROSOFT_GRAPH_CLIENT_SECRET, MICROSOFT_GRAPH_TENANT_ID |
datadog | DD_API_KEY, DD_APP_KEY, DD_REGION |
resend_api_key | RESEND_API_KEY |
openai | OPENAI_API_KEY |
virustotal | VIRUSTOTAL_API_KEY |
sentinel_one | SENTINEL_ONE_API_TOKEN, SENTINEL_ONE_BASE_URL |
wiz | WIZ_API_URL, WIZ_AUTH_URL, WIZ_CLIENT_ID, WIZ_CLIENT_SECRET |
elastic | ELASTIC_API_KEY, ELASTIC_API_URL |
ldap | LDAP_BIND_DN, LDAP_BIND_PASS |
Core Actions
Note that the fully qualified namespace for each Core Action UDF is prefixed with core..
| Sub-namespace | Function | Secrets |
|---|---|---|
| - | send_email_smtp | - |
| - | open_case | - |
| condition | regex | - |
| condition | compare | - |
| condition | membership | - |
| - | http_request | - |
| - | ai_action | openai |
| transform | reshape | - |
| transform | filter | - |
| transform | build_reference_table | - |
| workflow | execute | - |
Integrations
Note that the fully qualified namespace for each Integration UDF is prefixed with integrations..
| Sub-namespace | Function | Secrets |
|---|---|---|
| aws.guardduty | list_guardduty_alerts | aws_guardduty |
| microsoft_defender | list_defender_cloud_alerts | microsoft_defender_cloud |
| wiz | list_wiz_alerts | wiz |
| chat.slack | post_slack_message | slack |
| chat.slack | list_slack_conversations | slack |
| chat.slack | list_slack_users | slack |
| chat.slack | tag_slack_users | slack |
| crowdstrike | list_crowdstrike_alerts | crowdstrike |
| crowdstrike | list_crowdstrike_detects | crowdstrike |
| crowdstrike | update_crowdstrike_alert_status | crowdstrike |
| crowdstrike | update_crowdstrike_detect_status | crowdstrike |
| microsoft_defender | list_defender_endpoint_alerts | microsoft_defender_endpoint |
| sentinel_one | list_sentinelone_alerts | sentinel_one |
| sentinel_one | update_sentinelone_alert_status | sentinel_one |
| sentinel_one | get_sentinelone_agents_by_username | sentinel_one |
| sentinel_one | get_sentinelone_agents_by_hostname | sentinel_one |
| sentinel_one | isolate_sentinelone_agent | sentinel_one |
| sentinel_one | unisolate_sentinelone_agent | sentinel_one |
| sentinel_one | get_sentinel_one_firewall_rule | sentinel_one |
| sentinel_one | update_sentinel_one_firewall_rule | sentinel_one |
| email.resend | send_email_resend | resend_api_key |
| virustotal | analyze_url | virustotal |
| virustotal | analyze_ip_address | virustotal |
| virustotal | analyze_malware_sample | virustotal |
| ldap | find_ldap_users | ldap |
| ldap | disable_ad_user | ldap |
| ldap | enable_ad_user | ldap |
| okta | find_okta_users | okta |
| okta | suspend_okta_user | okta |
| okta | unsuspend_okta_user | okta |
| okta | expire_okta_sessions | okta |
| okta | list_okta_user_events | okta |
| datadog | list_datadog_alerts | datadog |
| elastic | list_elastic_alerts | elastic |
| sinks | write_to_database | - |
ETL Actions
Note that the fully qualified namespace for each ETL UDF is prefixed with etl..
| Sub-namespace | Function | Secrets |
|---|---|---|
| extraction | extract_emails | - |
| extraction | extract_ipv4_addresses | - |
| extraction | extract_urls | - |