Secrets Cheatsheet
A cheatsheet of all the secrets required by the UDFs and integrations.
API Credentials
Each secret is a named bundle of keys; the keys each secret must contain are listed below. Note that `microsoft_defender_endpoint` and `microsoft_defender_cloud` use the same Microsoft Graph key names but are listed as separate secrets.
Secret Name | Secret Keys |
---|---|
aws_guardduty | AWS_ACCESS_KEY_ID , AWS_REGION , AWS_SECRET_ACCESS_KEY |
microsoft_defender_endpoint | MICROSOFT_GRAPH_CLIENT_ID , MICROSOFT_GRAPH_CLIENT_SECRET , MICROSOFT_GRAPH_TENANT_ID |
okta | OKTA_API_TOKEN , OKTA_BASE_URL |
crowdstrike | CROWDSTRIKE_CLIENT_ID , CROWDSTRIKE_CLIENT_SECRET |
slack | SLACK_BOT_TOKEN |
microsoft_defender_cloud | MICROSOFT_GRAPH_CLIENT_ID , MICROSOFT_GRAPH_CLIENT_SECRET , MICROSOFT_GRAPH_TENANT_ID |
datadog | DD_API_KEY , DD_APP_KEY , DD_REGION |
resend_api_key | RESEND_API_KEY |
openai | OPENAI_API_KEY |
virustotal | VIRUSTOTAL_API_KEY |
sentinel_one | SENTINEL_ONE_API_TOKEN , SENTINEL_ONE_BASE_URL |
wiz | WIZ_API_URL , WIZ_AUTH_URL , WIZ_CLIENT_ID , WIZ_CLIENT_SECRET |
elastic | ELASTIC_API_KEY , ELASTIC_API_URL |
ldap | LDAP_BIND_DN , LDAP_BIND_PASS |
Core Actions
Note that the fully qualified namespace for each Core Action UDF is prefixed with `core.`, followed by the sub-namespace (if any) and the function name, so the `regex` condition below is addressed as `core.condition.regex` and `http_request` as `core.http_request`.
Sub-namespace | Function | Secrets |
---|---|---|
- | send_email_smtp | - |
- | open_case | - |
condition | regex | - |
condition | compare | - |
condition | membership | - |
- | http_request | - |
- | ai_action | openai |
transform | reshape | - |
transform | filter | - |
transform | build_reference_table | - |
workflow | execute | - |
Integrations
Note that the fully qualified namespace for each Integration UDF is prefixed with `integrations.`, followed by the sub-namespace and the function name, e.g. `integrations.chat.slack.post_slack_message`.
Sub-namespace | Function | Secrets |
---|---|---|
aws.guardduty | list_guardduty_alerts | aws_guardduty |
microsoft_defender | list_defender_cloud_alerts | microsoft_defender_cloud |
wiz | list_wiz_alerts | wiz |
chat.slack | post_slack_message | slack |
chat.slack | list_slack_conversations | slack |
chat.slack | list_slack_users | slack |
chat.slack | tag_slack_users | slack |
crowdstrike | list_crowdstrike_alerts | crowdstrike |
crowdstrike | list_crowdstrike_detects | crowdstrike |
crowdstrike | update_crowdstrike_alert_status | crowdstrike |
crowdstrike | update_crowdstrike_detect_status | crowdstrike |
microsoft_defender | list_defender_endpoint_alerts | microsoft_defender_endpoint |
sentinel_one | list_sentinelone_alerts | sentinel_one |
sentinel_one | update_sentinelone_alert_status | sentinel_one |
sentinel_one | get_sentinelone_agents_by_username | sentinel_one |
sentinel_one | get_sentinelone_agents_by_hostname | sentinel_one |
sentinel_one | isolate_sentinelone_agent | sentinel_one |
sentinel_one | unisolate_sentinelone_agent | sentinel_one |
sentinel_one | get_sentinel_one_firewall_rule | sentinel_one |
sentinel_one | update_sentinel_one_firewall_rule | sentinel_one |
email.resend | send_email_resend | resend_api_key |
virustotal | analyze_url | virustotal |
virustotal | analyze_ip_address | virustotal |
virustotal | analyze_malware_sample | virustotal |
ldap | find_ldap_users | ldap |
ldap | disable_ad_user | ldap |
ldap | enable_ad_user | ldap |
okta | find_okta_users | okta |
okta | suspend_okta_user | okta |
okta | unsuspend_okta_user | okta |
okta | expire_okta_sessions | okta |
okta | list_okta_user_events | okta |
datadog | list_datadog_alerts | datadog |
elastic | list_elastic_alerts | elastic |
sinks | write_to_database | - |
ETL Actions
Note that the fully qualified namespace for each ETL UDF is prefixed with `etl.`, followed by the sub-namespace and the function name, e.g. `etl.extraction.extract_urls`.
Sub-namespace | Function | Secrets |
---|---|---|
extraction | extract_emails | - |
extraction | extract_ipv4_addresses | - |
extraction | extract_urls | - |
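The tables above are most useful as a preflight check: before a workflow runs, resolve the UDFs it calls to the secrets they need, confirm every required key is configured, and flag credentials that are configured but unused by that workflow (a least-privilege smell). The following is an added example, not Tracecat's own code or API. It encodes the three tables as data, assumes for illustration that secret keys are supplied as environment variables (the platform has its own secrets store), and assumes fully qualified UDF names are formed by joining the namespace prefix, sub-namespace and function as described above. Only a representative subset of UDFs is included; unknown UDFs fail closed rather than being treated as secret-free.

```python
"""Preflight: resolve a workflow's UDFs to the secrets they need and check them.

Added example, not Tracecat's own code. The tables from the cheatsheet are encoded
as data below; secret keys are assumed (for this example only) to be supplied as
environment variables.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Mapping

# Secret name -> keys it must contain (API Credentials table).
SECRET_KEYS: dict[str, tuple[str, ...]] = {
    "aws_guardduty": ("AWS_ACCESS_KEY_ID", "AWS_REGION", "AWS_SECRET_ACCESS_KEY"),
    "microsoft_defender_endpoint": ("MICROSOFT_GRAPH_CLIENT_ID",
                                    "MICROSOFT_GRAPH_CLIENT_SECRET",
                                    "MICROSOFT_GRAPH_TENANT_ID"),
    "okta": ("OKTA_API_TOKEN", "OKTA_BASE_URL"),
    "crowdstrike": ("CROWDSTRIKE_CLIENT_ID", "CROWDSTRIKE_CLIENT_SECRET"),
    "slack": ("SLACK_BOT_TOKEN",),
    "microsoft_defender_cloud": ("MICROSOFT_GRAPH_CLIENT_ID",
                                 "MICROSOFT_GRAPH_CLIENT_SECRET",
                                 "MICROSOFT_GRAPH_TENANT_ID"),
    "datadog": ("DD_API_KEY", "DD_APP_KEY", "DD_REGION"),
    "resend_api_key": ("RESEND_API_KEY",),
    "openai": ("OPENAI_API_KEY",),
    "virustotal": ("VIRUSTOTAL_API_KEY",),
    "sentinel_one": ("SENTINEL_ONE_API_TOKEN", "SENTINEL_ONE_BASE_URL"),
    "wiz": ("WIZ_API_URL", "WIZ_AUTH_URL", "WIZ_CLIENT_ID", "WIZ_CLIENT_SECRET"),
    "elastic": ("ELASTIC_API_KEY", "ELASTIC_API_URL"),
    "ldap": ("LDAP_BIND_DN", "LDAP_BIND_PASS"),
}

# Fully qualified UDF -> secret it uses; None means the table lists "-".
# Subset of the Core/Integrations/ETL tables; names assume prefix.sub_namespace.function.
UDF_SECRETS: dict[str, str | None] = {
    "core.http_request": None,
    "core.condition.regex": None,
    "core.ai_action": "openai",
    "integrations.aws.guardduty.list_guardduty_alerts": "aws_guardduty",
    "integrations.chat.slack.post_slack_message": "slack",
    "integrations.crowdstrike.update_crowdstrike_alert_status": "crowdstrike",
    "integrations.okta.suspend_okta_user": "okta",
    "integrations.sentinel_one.isolate_sentinelone_agent": "sentinel_one",
    "integrations.ldap.disable_ad_user": "ldap",
    "integrations.sinks.write_to_database": None,
    "etl.extraction.extract_urls": None,
}


@dataclass
class Preflight:
    needed: dict[str, tuple[str, ...]]   # secret -> keys the workflow requires
    missing: dict[str, list[str]]        # secret -> keys absent or empty in env
    surplus: list[str]                   # configured keys no UDF in the workflow uses

    @property
    def ok(self) -> bool:
        return not self.missing


def required_secrets(udfs: Iterable[str]) -> dict[str, tuple[str, ...]]:
    """Map the workflow's UDFs to the secrets they need. Unknown UDFs fail closed."""
    needed: dict[str, tuple[str, ...]] = {}
    for udf in udfs:
        if udf not in UDF_SECRETS:
            raise ValueError(f"unknown UDF {udf!r}: cannot determine its secrets")
        secret = UDF_SECRETS[udf]
        if secret is not None:
            needed[secret] = SECRET_KEYS[secret]
    return needed


def preflight(udfs: Iterable[str], env: Mapping[str, str]) -> Preflight:
    """Check key presence only; secret values are never copied out of env.

    An empty string counts as missing: an exported-but-blank variable is the
    usual way a misconfigured integration slips past a naive `key in env` check.
    """
    needed = required_secrets(udfs)
    missing = {s: [k for k in keys if not env.get(k)] for s, keys in needed.items()}
    missing = {s: ks for s, ks in missing.items() if ks}
    needed_keys = {k for keys in needed.values() for k in keys}
    all_keys = {k for keys in SECRET_KEYS.values() for k in keys}
    # Least privilege: credentials configured for integrations this workflow never calls.
    surplus = sorted(k for k in all_keys - needed_keys if env.get(k))
    return Preflight(needed, missing, surplus)


def report(result: Preflight) -> str:
    """Human-readable summary that names keys, never values."""
    lines = [f"MISSING {s}: {', '.join(ks)}" for s, ks in result.missing.items()]
    lines += [f"SURPLUS {k}: configured but unused by this workflow" for k in result.surplus]
    return "\n".join(lines) if lines else "OK: all required secret keys present"


if __name__ == "__main__":
    import os
    workflow = ["integrations.okta.suspend_okta_user",
                "integrations.chat.slack.post_slack_message",
                "core.http_request"]
    print(report(preflight(workflow, os.environ)))
```

Run it with the real environment (or pass any mapping, e.g. a parsed `.env` file) and gate deployment on `Preflight.ok`. Because `microsoft_defender_endpoint` and `microsoft_defender_cloud` share key names, a workflow needing either one will not see the other's keys reported as surplus; the check operates on key names, not on secret names.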