# AI action Source: https://docs.tracecat.com/agents/ai-action Use `ai.action` to run a single LLM call inside a Tracecat workflow: pick a model, pass instructions and inputs, and shape structured output for downstream actions. Use `ai.action` when you only need a prompt and an output. It runs one model call and does not let the model call tools. ## Capabilities * Pass task instructions in `instructions` and task data in `user_prompt`. * Use `output_type` when you need a string, list, or JSON-shaped response for downstream actions. * Tune provider-specific behavior with `model_settings`. ## Structured outputs Use `output_type` when a downstream action needs a predictable shape. * Use a scalar such as `str` or `int` for simple classification or routing. * Use a JSON schema object when you need named fields. * Tracecat parses valid JSON before storing it in the action result. ## Reference ### `ai.action` Call an LLM with a given prompt and model (no tools). #### Inputs Name of the model to use. Provider of the model to use. User prompt to the agent. Base URL of the model to use. Default: `null`. Instructions for the agent. Default: `null`. Maximum number of requests for the agent. Default: `45`. Model settings for the agent. Default: `null`. Output type for agent responses. Select from a list of supported types or provide a JSONSchema. Default: `null`. Number of retries for the agent. Default: `3`. #### Examples **Extract structured fields from an alert** ```yaml theme={null} - ref: extract_alert action: ai.action args: model_name: gpt-4.1-mini model_provider: openai instructions: | Extract the alert into the requested schema. Use null for fields that are missing. user_prompt: | Parse this alert and normalize the key fields: ${{ TRIGGER.raw_alert }} output_type: type: object properties: severity: type: string user: type: - string - "null" src_ip: type: - string - "null" needs_escalation: type: boolean required: - severity - needs_escalation ``` **Classify an email triage decision** ```yaml theme={null} - ref: classify_email action: ai.action args: model_name: claude-3-5-sonnet-latest model_provider: anthropic instructions: | Return one of: phishing, benign, spam, unknown. user_prompt: | Subject: ${{ TRIGGER.subject }} Sender: ${{ TRIGGER.sender }} Body: ${{ TRIGGER.body }} output_type: type: string enum: - phishing - benign - spam - unknown ``` # AI agent Source: https://docs.tracecat.com/agents/ai-agent Use `ai.agent` and `ai.preset_agent` for tool-calling agent runs inside Tracecat workflows: configure tools, secrets, and instructions for autonomous reasoning. Use `ai.agent` when the model needs tool calls. You give the agent a prompt, instructions, and an allowlist of actions it can call during the run. ## Capabilities * `ai.agent`: Prompt plus tool calls. Use the `actions` list to control which Tracecat actions the agent can use. * EE `ai.preset_agent`: Prompt plus a saved agent configuration. Use this when you want reusable instructions, tools, and MCP integrations across workflows. * `tool_approvals`: Require approval before selected tools run. This is an enterprise feature. * `max_tool_calls` and `max_requests`: Bound how much work the agent can do in a single run. ## Structured outputs `ai.agent` also supports `output_type`. * Use it when the agent should return a final object or typed value after tool use. * Keep the schema focused on the final answer, not the intermediate tool steps. ## MCP Enterprise Edition `ai.agent` does not take MCP servers directly in the workflow action. If you need MCP, save that configuration in an agent preset and run it with `ai.preset_agent`. `ai.preset_agent` supports both remote and stdio MCP servers. Internet access is controlled by the root preset for the shared sandbox process. Subagent presets can define their own tools and MCP integrations, but their internet setting does not grant network access unless the root preset also enables it. See [MCP integrations](/automations/integrations/mcp-integrations) to learn more. ## Reference ### `ai.agent` AI agent with tool calling capabilities. Returns the output and full message history. #### Inputs Name of the model to use. Provider of the model to use. User prompt to the agent. Actions (e.g. 'tools.slack.post\_message') to include in the agent. Default: `null`. Base URL of the model to use. Default: `null`. Instructions for the agent. Default: `null`. Maximum number of requests for the agent. Default: `45`. Maximum number of tool calls for the agent. Default: `15`. Model settings for the agent. Default: `null`. Output type for agent responses. Select from a list of supported types or provide a JSONSchema. Default: `null`. Number of retries for the agent. Default: `3`. Per-tool approval overrides keyed by action name (e.g. 'core.cases.create\_case'). Use true to require approval, false to allow auto-execution. Default: `null`. #### Examples **Investigate an alert with tools** ```yaml theme={null} - ref: investigate_alert action: ai.agent args: model_name: gpt-4.1 model_provider: openai instructions: | You are a security triage agent. Review the alert, gather missing context, and write a concise analyst summary. user_prompt: | Investigate this alert and explain whether it needs escalation: ${{ TRIGGER.alert }} actions: - tools.slack.lookup_users_by_email - tools.github.search_code - core.cases.create_comment max_tool_calls: 6 output_type: type: object properties: verdict: type: string summary: type: string required: - verdict - summary ``` **Require approval for sensitive tools** ```yaml theme={null} - ref: draft_case_update action: ai.agent args: model_name: claude-3-5-sonnet-latest model_provider: anthropic instructions: | Investigate the incident, then propose the next action. Create or update records only if the required approval is granted. user_prompt: | Review the latest evidence for case ${{ TRIGGER.case_id }} and decide what to do next. actions: - core.cases.get - core.cases.create_comment - core.cases.update tool_approvals: core.cases.update: true max_tool_calls: 4 ``` ### `ai.preset_agent` Enterprise Edition Run an AI agent using a saved agent preset. #### Inputs Preset of the agent to run (e.g. 'security-analyst'). User prompt to the agent. Optional override for the actions (e.g. 'tools.slack.post\_message') that the agent should be allowed to call. Default: `null`. Additional instructions to append to the preset instructions for this run. Default: `null`. Maximum number of requests for the agent. Default: `45`. Maximum number of tool calls for the agent. Default: `15`. Optional preset version number to pin for this run. Default: `null`. #### Examples **Run a saved agent preset** ```yaml theme={null} - ref: run_security_analyst action: ai.preset_agent args: preset: security-analyst preset_version: 3 user_prompt: | Review the incident below and decide whether to escalate it: ${{ TRIGGER.incident }} max_tool_calls: 8 ``` ## FAQ * Use `ai.action` when you only need one model response and no tools. * Use `ai.agent` when the model must call Tracecat actions during the run. * Use `ai.preset_agent` when you want a reusable saved configuration, especially for shared instructions, approvals, or MCP integrations. ```yaml Use ai.agent for tool calls theme={null} - ref: analyze_input action: ai.agent args: model_name: gpt-4.1-mini model_provider: openai instructions: | Investigate the alert and summarize the next step. user_prompt: | Review this alert: ${{ TRIGGER.alert }} actions: - tools.github.search_code - core.cases.create_comment max_tool_calls: 4 ``` ```yaml Use ai.preset_agent for saved configuration theme={null} - ref: analyze_with_preset action: ai.preset_agent args: preset: security-analyst user_prompt: | Review this alert and write a short analyst summary: ${{ TRIGGER.alert }} ``` MCP integrations are configured on the preset, not on the `ai.agent` workflow action itself. If the run needs MCP tools, create or update an agent preset, attach the MCP integrations there, and execute it with `ai.preset_agent`. Use `ai.agent` when Tracecat workflow actions alone are enough. Use `ai.preset_agent` when the agent needs access to MCP servers in addition to regular Tracecat actions. # Custom LLM providers Source: https://docs.tracecat.com/agents/custom-llm-providers Configure custom OpenAI-compatible model providers for Tracecat agents: add a custom source, discover models, and enable them for presets and defaults. Use a custom LLM provider when an agent should call your own OpenAI-compatible gateway instead of Tracecat's managed LiteLLM gateway. Custom providers are managed as custom sources in organization agent settings. ## Routing model Each agent uses its own model configuration to decide where its LLM requests go. | Agent model configuration | Request route | | ----------------------------- | -------------------------------------------- | | `passthrough: true` | Direct to that agent's configured `base_url` | | `passthrough: false` or unset | Tracecat's managed LiteLLM gateway | Root agents and subagents follow the same rule. A root agent can use a custom passthrough gateway while a subagent uses managed LiteLLM, or a subagent can use its own passthrough gateway while the root agent uses managed LiteLLM. Tracecat strips the trailing version segment from the base URL before forwarding sandbox requests because SDK clients append paths such as `/v1/messages`. This prevents doubled paths such as `/v1/v1/messages`. ## Root agents For a root agent, Tracecat keys direct passthrough routing by the model string the root agent sends. ```yaml theme={null} model_name: customer-alias model_provider: custom-model-provider base_url: https://customer-litellm.example/v1 passthrough: true ``` Requests with `model: customer-alias` go directly to `https://customer-litellm.example`. ## Subagents For a subagent, Tracecat keys direct passthrough routing by the subagent's scoped model route. This lets Tracecat route each preset agent independently, even when several agents share the same sandbox process. ```yaml theme={null} model_name: child-alias model_provider: custom-model-provider base_url: https://child-litellm.example/v1 passthrough: true ``` Requests for that subagent go directly to `https://child-litellm.example`. Requests for other subagents fall back to managed LiteLLM unless those subagents also enable passthrough. ## Credentials Tracecat resolves passthrough credentials from the custom provider selected by the agent's model configuration. If a root agent and subagent use different passthrough providers, each route uses its own provider credentials. Managed LiteLLM requests keep the sandbox's managed gateway token. ## Add a custom source Go to Organization settings, open Agent, then go to Custom sources and click Add custom source. Add custom source dialog Set the source fields: * **Name**: A readable label, such as `Local gateway`. * **Base URL**: The OpenAI-compatible API base URL, e.g. `https://gateway.example/v1`. * **Auth header**: Leave blank to use `Authorization`. * **Auth value**: The provider credential. If Auth header is blank, Tracecat sends `Authorization: Bearer `. * **Passthrough mode**: Enable this to route agent requests directly to this gateway instead of Tracecat's managed LiteLLM. Required for bring-your-own gateways such as LiteLLM, vLLM, and Ollama-compatible endpoints. Use Advanced > Additional headers only for static non-auth headers. The value must be a JSON object with string keys and string values. ```json theme={null} { "X-Custom-Header": "value" } ``` Click Test connection to verify the source before saving it, then click Add source. ## Discover and enable models After you save the source, click Refresh. Tracecat calls the source's `/models` endpoint and adds the returned models to the organization catalog. Custom source model list Enable the models you want available to agent presets and organization defaults. If your organization does not have agent add-ons enabled, Tracecat enables discovered custom source models automatically after refresh. ## Use the provider Choose the enabled custom source model anywhere Tracecat lets you select an agent model, such as the default model selector or a preset agent configuration. Refresh the source again after you add or remove models from the upstream gateway. Edit the source when you rotate credentials, change the base URL, or update static headers. ## Related pages * See [AI agent](/agents/ai-agent) for the `ai.agent` and `ai.preset_agent` action reference. * See [AI action](/agents/ai-action) for single-call LLM workflow actions. * See [Secrets and variables](/agents/secrets-variables) for agent secret handling. * See [MCP servers](/automations/integrations/mcp-integrations) for connecting MCP tools to agents. # Secrets and variables Source: https://docs.tracecat.com/agents/secrets-variables Pass Tracecat secrets and workspace variables to preset agent tool calls securely: scope credentials per agent run and inject values without exposing them to the model. ## Overview Preset agents can reference secrets and variables using Tracecat expression syntax. Include `${{ SECRETS.. }}` or `${{ VARS.. }}` in a preset agent's saved instructions so the agent passes them as tool arguments at runtime. ## Security Preset agent tool calls go through a secure server-side proxy. The LLM only sees the raw expression placeholder (e.g. `${{ SECRETS.threatintel.API_KEY }}`). The actual secret values are injected server-side at the tool execution layer after the model responds, so the LLM never has access to your credentials. `ai.action` and `ai.agent` actions do **not** support secure secrets injection. Secret and variable expressions are evaluated immediately in workflow action inputs and will be exposed to the LLM. ## Secrets Use `${{ SECRETS.. }}` to reference a secret stored in your workspace credentials. In a workflow action this looks like: ```yaml theme={null} - ref: triage_alert action: ai.preset_agent args: preset: security-triage user_prompt: | Look up the reputation of this IP address: ${{ TRIGGER.source_ip }} ``` Where the `security-triage` preset instructions contain: ```text theme={null} You are a security triage agent. When you make HTTP requests to the threat intel API, pass `${{ SECRETS.threatintel.API_KEY }}` in the Authorization header as a Bearer token. Do not print or return secret values in your final answer. ``` ## Variables Use `${{ VARS.. }}` for non-sensitive configuration such as base URLs, project IDs, or channel names. In a workflow action: ```yaml theme={null} - ref: triage_alert action: ai.preset_agent args: preset: security-triage user_prompt: | Investigate this alert and file a ticket with your findings: ${{ TRIGGER.alert }} ``` Where the `security-triage` preset instructions contain: ```text theme={null} You are a security triage agent. When you call the threat intel API, use `${{ VARS.threatintel.base_url }}` as the base URL. When you file tickets, use `${{ VARS.ticketing.project_id }}` as the project ID and `${{ VARS.ticketing.base_url }}` as the base URL. ``` ## Secrets and variables Use secrets for credentials and variables for everything else. Full workflow example: ```yaml theme={null} - ref: investigate_and_respond action: ai.preset_agent args: preset: security-triage user_prompt: | Investigate this alert: ${{ TRIGGER.alert }} max_tool_calls: 10 ``` Where the `security-triage` preset instructions contain: ```text theme={null} You are a security triage agent. Investigate the alert, enrich it, and file a ticket. Credentials: - Threat intel API key: `${{ SECRETS.threatintel.API_KEY }}` - Ticketing API key: `${{ SECRETS.ticketing.API_KEY }}` Configuration: - Threat intel base URL: `${{ VARS.threatintel.base_url }}` - Ticketing base URL: `${{ VARS.ticketing.base_url }}` - Ticketing project ID: `${{ VARS.ticketing.project_id }}` Steps: 1. Look up the source IP using the threat intel API. 2. File a ticket with your findings in the ticketing system. Do not print or return secret values in your final answer. ``` ## OAuth secrets OAuth tokens follow a different naming convention. The secret name is `_oauth` and the key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`. ```yaml theme={null} # authorization_code grant (delegated user access) ${{ SECRETS._oauth._USER_TOKEN }} # client_credentials grant (service-to-service) ${{ SECRETS._oauth._SERVICE_TOKEN }} ``` In a workflow action: ```yaml theme={null} - ref: query_sentinel action: ai.preset_agent args: preset: sentinel-analyst user_prompt: | Query Microsoft Sentinel for recent incidents related to this IP: ${{ TRIGGER.source_ip }} ``` Where the `sentinel-analyst` preset instructions contain: ```text theme={null} You are a security triage agent. When you make HTTP requests to the Microsoft Sentinel API, pass `${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN }}` in the Authorization header as a Bearer token. Do not print or return secret values in your final answer. ``` See [OAuth integrations](/automations/integrations/oauth-integrations) for setup and the full list of built-in providers. ## Related pages * [Secrets](/automations/core-concepts/secrets) — create and manage workspace secrets * [Variables](/automations/core-concepts/variables) — create and manage workspace variables * [Expressions](/automations/core-concepts/expressions) — full expression syntax reference * [AI agent](/agents/ai-agent) — `ai.agent` and `ai.preset_agent` reference * [OAuth integrations](/automations/integrations/oauth-integrations) — OAuth setup and providers # Skills Source: https://docs.tracecat.com/agents/skills Create, publish, and attach Tracecat skills to preset agents so reusable instructions and files are available during agent runs. Enterprise Edition Skills let you package reusable agent instructions and supporting files. Attach published skill versions to a preset agent when the agent needs the same playbook, reference material, or helper files across runs. ## Create a skill Open `Skills` from the workspace navigation. Click `Create new`, then choose `Skill` to start with an empty working copy or `Upload` to import an existing skill directory. Skills list Skill names use lowercase letters, numbers, and single hyphens. Tracecat seeds new skills with a root `SKILL.md` file. ## Write SKILL.md Use `SKILL.md` for the skill metadata and instructions. The root file must include frontmatter with `name` and `description`. ```md theme={null} --- name: threat-intel description: Enrich indicators and summarize threat intelligence findings. --- # threat-intel Use this skill when you need to enrich IP addresses, domains, URLs, or file hashes during alert triage. ``` Tracecat uses the frontmatter `name` as the published skill name. Keep published skill names unique among skills attached to the same preset agent. Write the body as instructions the agent can follow during a run. Skill editor ## Add files Add supporting files when the agent needs more than instructions. Use files for examples, checklists, schemas, helper scripts, or reference data. Editable text files open inline in the skill editor. Other file types can be replaced, deleted, or downloaded. ## Publish a version Save the working copy, then click `Publish version`. Publishing creates an immutable version from the current files and makes the skill available to preset agents. Published skill version Publishing requires: * A root `SKILL.md` file. * Valid YAML frontmatter in `SKILL.md`. * A frontmatter `name` that follows the skill name rules. * No duplicate paths or path conflicts. ## Attach skills to a preset agent Open the preset agent, then use the `Skills` tab to attach published skills. Each attachment pins one published skill version. Attach skills to a preset agent Only published skills can be attached. When you publish a new skill version, update the preset if you want future runs to use it. ## How agents load skills When a preset agent runs, Tracecat stages the pinned skill versions into the agent runtime. The agent can discover the skill by its `SKILL.md` metadata and use the bundled files during the run. Use skills for reusable agent behavior. Use preset instructions for behavior that belongs only to one preset agent. ## Related pages * See [AI agent](/agents/ai-agent) for the `ai.agent` and `ai.preset_agent` workflow actions. * See [Secrets and variables](/agents/secrets-variables) to pass credentials and configuration to preset agent tool calls. * See [MCP integrations](/automations/integrations/mcp-integrations) to attach MCP servers to preset agents. # Basic Source: https://docs.tracecat.com/authentication/basic Authenticate into self-hosted Tracecat with basic email-and-password sign-in: configure user accounts, password policies, and admin bootstrap for small deployments. In production, use OIDC or SAML SSO. Basic auth is meant for local development only. ## Overview Basic auth lets you sign in to Tracecat with an email and password. Tracecat sign-in ## Configuration In your `.env` file, enable the basic auth type: ```bash theme={null} TRACECAT__AUTH_TYPES=basic ``` You can also combine auth types if you need to: ```bash theme={null} TRACECAT__AUTH_TYPES=basic,oidc ``` ## Minimum password length When you use basic auth, your password must be at least `TRACECAT__AUTH_MIN_PASSWORD_LENGTH` characters long. The default minimum is `12`. # OIDC Source: https://docs.tracecat.com/authentication/oidc Authenticate into Tracecat using OpenID Connect: register an OIDC client with your IdP, map claims, and enable SSO sign-in across the platform. ## Configuration In your `.env` file, enable the OIDC auth type. ```bash theme={null} TRACECAT__AUTH_TYPES=oidc ``` ## Required environment variables Set the following variables for your provider: * `TRACECAT__PUBLIC_APP_URL` * `OIDC_ISSUER` * `OIDC_CLIENT_ID` * `OIDC_CLIENT_SECRET` * `OIDC_SCOPES` (optional, defaults to `openid profile email`) ## Instructions Register Tracecat as an application with your provider and allow the standard OpenID Connect scopes needed for sign-in. Set the provider redirect URI to `/auth/oauth/callback`. For the local Docker Compose deployment, use `http://localhost/auth/oauth/callback`. Add the public Tracecat URL, issuer URL, and client credentials to your `.env` file. Tracecat generates OAuth callback URLs from `TRACECAT__PUBLIC_APP_URL`, so this must match the external URL users visit. Example: ```bash theme={null} TRACECAT__PUBLIC_APP_URL=https://tracecat.example.com OIDC_ISSUER=https://issuer.example.com OIDC_CLIENT_ID=tracecat OIDC_CLIENT_SECRET=replace-me OIDC_SCOPES="openid profile email" ``` Restart the application so the new auth configuration is loaded. # SAML SSO Source: https://docs.tracecat.com/authentication/saml Authenticate into Tracecat with SAML SSO: configure your identity provider, map attributes, and enable single sign-on for organization-wide access. ## Supported identity providers * [Okta](#okta) * [Microsoft Entra ID](#microsoft-entra-id) * [Authentik](#authentik) * [Keycloak](#keycloak) ## Configuration In your `.env` file, make sure you have the following values set. ```bash theme={null} TRACECAT__AUTH_TYPES=saml SAML_IDP_METADATA_URL=https:// ``` ## Access policy After SAML authentication succeeds, Tracecat allows organization access when at least one of the following is true: * The user already has membership in the organization. * The user has a pending invitation for the organization. * The user is the first-user superadmin bootstrap account in the default organization. * The user is a platform superadmin (owner). Tracecat only auto-provisions SAML user accounts for: * Pending organization invitations. * First-user superadmin bootstrap (default organization only). If this is a new deployment, make sure `TRACECAT__AUTH_SUPERADMIN_EMAIL` exactly matches the email claim sent by your IdP for the owner account. ## Instructions Tracecat always requires signed assertions and signed responses. If you are using a self-signed certificate for your metadata URL, configure a base64-encoded CA certificates `.pem` bundle with `SAML_CA_CERTS` in your deployment environment. ### Okta Go to **Applications** and select **Add Application**. Select **SAML 2.0** and click on **Create**. * Set the **Single sign-on URL**, **Recipient URL**, and **Destination URL** to `https:///auth/saml/acs`. * Set the **Audience Restriction** to `https://`. Okta SAML Map `email` to `user.email` Okta attribute statements Set the following environment variables in your `.env` file: * `SAML_IDP_METADATA_URL`: Okta metadata URL Restart Tracecat to apply the changes. Navigate to your Tracecat instance and click on the **Login** button. You should be redirected to Okta for authentication. ### Microsoft Entra ID You must enable **Sign SAML response and assertion** in your Microsoft SAML app settings. Microsoft SAML apps only sign assertions by default. Go to **Enterprise applications** and select the **New application** button. Find and select the **Microsoft Entra SAML toolkit** app. * Set the **Reply URL** and **Sign on URL** to `https:///auth/saml/acs`. * Set **Identifier** to `https:///api`. * Set **Relay State** to `https://`. * Make sure that **Sign SAML response and assertion** is enabled. Microsoft Entra SAML Map `email` to `user.mail` ### Authentik Go to **Providers** and select the **Create** button. Choose **SAML Provider** and select the **Next** button. * Enter a name and choose an authorization flow * Set the **ACS URL** to `https:///auth/saml/acs`. * Set the **Audience** to `https:///api`. Authentik Provider * Expand the **Advanced protocol settings** section. * Select a **Signing Certificate** and ensure **Sign assertions** is enabled. Authentik Provider * Select **authentik default SAML Mapping: Name** in **Selected User Property Mappings**. * Click the **\<** button to deselect it. * Select the **Finish** button. Authentik Provider Go to **Applications** and select the **Create** button. Fill in the details as desired. * Select the provider you created previously. * Select the **Metadata** tab. * Select the **Copy download URL** button. Set the following environment variables in your `.env` file: * `SAML_IDP_METADATA_URL`: Metadata download URL Restart Tracecat to apply the changes. Navigate to your Tracecat instance and click on the **Login** button. You should be redirected to Authentik for authentication. ### Keycloak * Go to **Clients** and select the **Create client** button. * Set the **Client type** to **SAML**. * Set the **Client ID** to `https:///api` and select the **Next** button. Keycloak Client General Settings * Set the **Valid redirect URIs** to `https:///auth/saml/acs`. * Set the **Master SAML Processing URL** to `https:///auth/saml/acs` and select the **Save** button. Keycloak Client Login Settings * In **Settings** tab scroll down to **Signature and Encryption** section. * Ensure **Sign documents** is enabled. Keycloak Document Signing * Open **Keys** tab and look into **Signing keys config** section. * Ensure **Client signature required** is disabled. Keycloak Client Signing * Open **Client scopes** tab and click on client scope `https:///api-dedicated`. * Create new **User Property** mapper for **email** attribute and click **Save**. Keycloak Property Mapping * Go to **Realm Settings** ➤ **General** ➤ **Endpoints**. * Copy the **SAML 2.0 Identity Provider Metadata** link. Keycloak Property Mapping Set the following environment variables in your `.env` file: * `SAML_IDP_METADATA_URL`: Metadata download URL Restart Tracecat to apply the changes. Navigate to your Tracecat instance and click on the **Login** button. You should be redirected to Keycloak for authentication. ## Environment variables For standard self-hosted SAML setup, provide your IdP metadata URL in the deployment environment. ### Protocol configuration * `SAML_ALLOW_UNSOLICITED`: Whether to allow unsolicited SAML responses (default: `false`) * `SAML_ACCEPTED_TIME_DIFF`: Time difference in seconds for SAML authentication (default: `3`) Tracecat always requires signed assertions and signed responses. These checks are not configurable. ### SSL transport configuration * `SAML_VERIFY_SSL_ENTITY`: Whether to verify SSL certificates for general SAML entity operations (default: `true`) * `SAML_VERIFY_SSL_METADATA`: Whether to verify SSL certificates when fetching metadata (default: `true`) * `SAML_CA_CERTS`: Base64 encoded CA certificates for SSL/TLS transport layer validation # Actions Source: https://docs.tracecat.com/automations/actions Connect Tracecat actions to build workflows: configure inputs and outputs, reference upstream results, and chain core, integration, and custom actions. You can view all available actions in the `/actions` page. Actions page ## Action names Every Tracecat action has a title, namespace, and name. Actions IDs are defined as `.`. For example, `tools.slack.post_message` uses the `tools.slack` namespace and the `post_message` name. ## Action types Tracecat actions are defined in either Python UDFs (user-defined functions) or YAML templates (domain-specific language for actions). See [Custom actions](/custom-actions/custom-registry) for more details. ## Action toolbar If you're building workflows in the UI, you can quickly find actions by namespace using the actions toolbar: Actions toolbar * `core` for built-in utilities such as HTTP requests, Python scripts, email, and gRPC actions * `ai` for non-agent AI actions * `ai` also powers the separate `Agent` group for actions such as `ai.agent` and `ai.preset_agent` * `core.workflow` for workflow actions, plus scatter and gather helpers * `core.transform` for transform actions * `core.cases` for case actions * `core.table` for table actions * `core.sql` and `core.duckdb` for SQL actions * `tools.*` for installed integrations; this menu also supports search ## Expressions Expressions use `${{ ... }}`. Use these references inside expressions: * `TRIGGER.` * `ACTIONS..result` * `SECRETS..` * `VARS..` * `ENV.` * `var.` * `FN.(...)` See [Expressions](/automations/core-concepts/expressions) for syntax, operators, and literals. See [JSONPath](/automations/core-concepts/jsonpath) for field access and array access. See [Functions](/automations/core-concepts/functions) for the full function list. ## Success and error paths Every action has a success and error path. The success path, which is represented by the green dot, runs when the action succeeds. The error path, which is represented by the red dot, runs when the action fails. Success error paths ## Control flow You can configure how an action runs from the "Control flow" tab in the action panel. Action control flow ### Mask output Use `mask_output` to hide an action's result in workflow execution views and execution API responses. Tracecat keeps the object and array shape, but replaces each individual value with `[REDACTED]`. You can still copy JSONPath references from the displayed structure. `mask_output` only affects display; downstream actions can still use the original result with expressions such as `${{ ACTIONS.lookup_user.result.id }}`. ```yaml theme={null} - ref: lookup_user action: core.http_request mask_output: true args: url: "https://api.example.com/users/${{ TRIGGER.user_id }}" method: GET ``` ### Run if Use `run_if` to execute an action only when a condition evaluates to a truthy value. If the condition is falsy, Tracecat skips the action. ```yaml High severity only theme={null} - ref: notify_team action: tools.slack.post_message run_if: ${{ TRIGGER.severity == "high" }} args: channel: ${{ SECRETS.slack.SECURITY_CHANNEL }} text: "High severity alert: ${{ TRIGGER.alert_id }}" ``` ```yaml Status and owner check theme={null} - ref: escalate_case action: core.cases.update run_if: ${{ TRIGGER.status == "open" && TRIGGER.owner != None }} args: case_id: ${{ TRIGGER.case_id }} status: in_progress ``` ```yaml Retry on empty result theme={null} - ref: fetch_user action: core.http_request run_if: ${{ ACTIONS.lookup_user.result == None }} args: url: "https://api.example.com/users/${{ TRIGGER.user_id }}" method: GET ``` ### For each Use `for_each` to run the same action once per item in a collection. If `items` contains `N` values, Tracecat runs the action `N` times. Inside the action inputs, reference the current item with `var.`. For example, `for_each: ${{ for var.user in TRIGGER.users }}` runs the action `len(TRIGGER.users)` times, and each run reads the current item from `var.user`. ```yaml Send one email per user theme={null} - ref: email_user action: core.email.send for_each: ${{ for var.user in TRIGGER.users }} args: recipients: - ${{ var.user.email }} subject: "Tracecat notification" body: "Hello ${{ var.user.name }}" ``` ```yaml Fetch one record per alert theme={null} - ref: fetch_alert action: core.http_request for_each: ${{ for var.alert in TRIGGER.alerts }} args: url: "https://api.example.com/alerts/${{ var.alert.id }}" method: GET headers: Authorization: "Bearer ${{ SECRETS.alerts.API_TOKEN }}" ``` ```yaml Create one case comment per finding theme={null} - ref: comment_on_case action: core.cases.create_comment for_each: ${{ for var.finding in ACTIONS.parse_findings.result }} args: case_id: ${{ TRIGGER.case_id }} comment: "Finding: ${{ var.finding.title }}" ``` ### Join strategy `join_strategy` controls how a downstream action waits on multiple upstream branches. Use `all` to wait for every branch, or `any` to continue after the first branch completes. ### Environment Use `environment` to override which secrets or variables environment an action reads from. This is useful to target different secrets or variables for the same pre-built action (e.g. different Slack apps for `tools.slack.post_message`). ### Start delay Use `start_delay` to wait a fixed number of seconds before an action starts. ### Timeout Use `timeout` to cap how long Tracecat waits for an action attempt to finish. Defaults to 300 seconds. ### Max attempts Use `max_attempts` to control how many times Tracecat retries the action if it fails. Defaults to 1 attempt. ## FAQ Most validation errors come from expression shape rather than action behavior: * Wrap the whole expression once as `${{ ... }}`. Do not split one condition across multiple expression blocks. * `run_if` must evaluate to a boolean value such as `${{ TRIGGER.severity == "high" }}`. * Use comparison operators such as `==` and `!=`. A single `=` is not a valid comparison. * `for_each` must use the iteration form `${{ for var.item in ... }}` and the value on the right side must be a list. ```yaml Valid run_if theme={null} - ref: notify_team action: tools.slack.post_message run_if: ${{ TRIGGER.severity == "high" && TRIGGER.status != "closed" }} args: channel: ${{ SECRETS.slack.SECURITY_CHANNEL }} text: "High-severity alert: ${{ TRIGGER.alert_id }}" ``` ```yaml Valid for_each theme={null} - ref: create_comment action: core.cases.create_comment for_each: ${{ for var.item in TRIGGER.findings }} args: case_id: ${{ TRIGGER.case_id }} comment: "Finding: ${{ var.item.title }}" ``` # Cases Source: https://docs.tracecat.com/automations/cases Track and resolve Tracecat cases: triage alerts, run agents and workflows on case events, manage tasks and comments, and report on outcomes. Cases give you a shared place to triage, investigate, and resolve work. You can use them to keep status, evidence, comments, and follow-up work together in one record. ## Features Create, update, search, assign, tag, and delete cases. Add comments, replies, and thread lookups. Upload, list, download, and delete case attachments. EE Add todo items with attachable workflows. EE Link structured data to cases. EE Track custom case metrics. ## Working with cases Use a case when you need a durable investigation record instead of a single workflow run. Your workflows can create or update a case, attach evidence, add comments, and move the case forward as new context arrives. * Track the current owner, severity, priority, and status in one place * Add comments and replies so analysts and workflows share the same timeline * Store evidence as attachments instead of passing large blobs between actions * Link structured rows, tasks, and metrics to keep investigation context organized ## Tags Tags help you group and find related cases. You can use them to label incidents by team, detection source, campaign, environment, or any other shared dimension. Case tags Tags work well when you want lightweight organization across many cases. You can also set tags from workflows with `core.cases.create_case` and `core.cases.update_case`. ## Custom fields Custom fields let you store case-specific data that does not fit into the default case properties. You can use them for values such as ticket IDs, affected systems, request metadata, or triage notes. Case custom field Use custom fields when you need flexible structured data on a case. Your workflows can read and update them through the `fields` input on case actions. Case custom fields use the same storage type family as tables: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`. In the case field picker, raw `JSONB` is currently surfaced through the case-only `URL` kind, and the picker also exposes `Long text`, which is layered on top of `TEXT`. ## AI copilot in a case Open source The AI copilot lets you work inside a case instead of switching to a separate chat tool. You can use it to summarize activity, answer questions, and draft next steps from the case timeline, linked evidence, and workflow output. Case copilot ## AI copilot across cases Enterprise Enterprise extends the copilot beyond a single case. You can use it to correlate related cases, compare investigation history, and surface patterns across incidents. This is useful when you want to: * Correlate repeated alerts across multiple cases * Spot shared indicators, assets, or actors * Find similar investigations before you start a new one * Build broader investigation context across your case queue ## Dropdowns Enterprise Dropdowns add custom top-level case filters alongside built-in filters such as status, priority, and severity. You can use them to add workspace-specific classifications such as queue, business unit, incident type, or escalation path. Case dropdown Unlike free-form fields, dropdowns give you a fixed set of options. This makes them useful when you want consistent filtering, routing, and reporting across your case queue. ## Durations Enterprise Durations track elapsed time between case events. You can use them to measure intervals such as time to triage, time to assign, or time to resolution. Case duration Durations help you understand how cases move through your process. They are useful when you want operational reporting or workflow triggers based on how long a case has been in a given state. ## Tasks Enterprise Tasks let you break an investigation into concrete follow-up work. They work well for analyst handoffs, evidence requests, and repeatable remediation steps. Case tasks Use tasks to: * Assign work to a person or queue * Capture checklist-style next steps * Attach workflows to routine case operations * Keep completion state visible alongside comments and evidence ## Linked rows Enterprise Linked rows connect a case to structured data in tables. Use them when a case needs more than free-form notes, such as indicators, assets, or external detections. Linked rows For example, you can link: * Related SIEM alerts * Indicators of compromise (IoCs) * Affected assets such as hosts, users, or devices * Threat intelligence matches * Evidence artifacts such as domains, IPs, or hashes Linked rows are especially useful when workflows enrich a case over time. You can insert new rows as evidence arrives or link existing rows that are already part of another workflow or lookup table. Linked rows use regular tables. When you create a table for case-linked evidence, use the same `columns` JSON schema documented in [Tables](/automations/tables) and [Table actions](/automations/core-actions/memory-actions/tables). ## Case actions Use `core.cases.*` actions when you want your workflows to create or update cases. * [Cases](/automations/core-actions/case-actions/cases) to create, fetch, update, search, and delete cases * [Comments](/automations/core-actions/case-actions/comments) to add analyst or workflow notes * [Attachments](/automations/core-actions/case-actions/attachments) to upload and retrieve evidence files * [Tasks](/automations/core-actions/case-actions/tasks) for case task management in Enterprise * [Linked rows](/automations/core-actions/case-actions/linked-rows) to connect case records to tables in Enterprise * [Metrics](/automations/core-actions/case-actions/metrics) for custom case measurements in Enterprise For example: ```yaml theme={null} - ref: create_case action: core.cases.create_case args: summary: "Investigate alert ${{ TRIGGER.alert_id }}" description: "Created from the SIEM alert pipeline." priority: high severity: high tags: - triage - ref: add_triage_note action: core.cases.create_comment args: case_id: ${{ ACTIONS.create_case.result.id }} content: "Automated triage started." ``` # Attachments Source: https://docs.tracecat.com/automations/core-actions/case-actions/attachments ## `core.cases.upload_attachment` Upload a file attachment to a case. ### Inputs The ID of the case to attach the file to. The file content encoded in base64. The MIME type of the file (e.g., 'application/pdf'). The original filename. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` ## `core.cases.upload_attachment_from_url` Upload a file attachment to a case from a URL. ### Inputs The ID of the case to attach the file to. The URL of the file to upload. Filename of the file to upload. If not provided, the filename will be inferred from the URL. Default: `null`. The headers to use when downloading the file. Default: `null`. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` ## `core.cases.list_attachments` List all attachments for a case. ### Inputs The ID of the case to list attachments for. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` ## `core.cases.get_attachment` Get attachment metadata without downloading the content. ### Inputs The ID of the attachment to get. The ID of the case containing the attachment. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` ## `core.cases.get_attachment_download_url` Get a presigned S3 URL for downloading an attachment. ### Inputs The ID of the attachment. The ID of the case containing the attachment. URL expiry time in seconds. If not provided, uses the default from configuration. Default: `null`. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` ## `core.cases.download_attachment` Download an attachment's content. ### Inputs The ID of the attachment to download. The ID of the case containing the attachment. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` ## `core.cases.delete_attachment` Delete an attachment from a case. ### Inputs The ID of the attachment to delete. The ID of the case containing the attachment. ### Examples **Work with attachments** ```yaml theme={null} - ref: upload_attachment action: core.cases.upload_attachment args: case_id: ${{ TRIGGER.case_id }} file_name: note.txt content_base64: Zm9yZW5zaWMgbm90ZXM= content_type: text/plain - ref: upload_attachment_from_url action: core.cases.upload_attachment_from_url args: case_id: ${{ TRIGGER.case_id }} url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }} headers: Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }} file_name: evidence.json - ref: list_attachments action: core.cases.list_attachments args: case_id: ${{ TRIGGER.case_id }} - ref: get_attachment action: core.cases.get_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: get_download_url action: core.cases.get_attachment_download_url args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} expiry: 900 - ref: download_attachment action: core.cases.download_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} - ref: delete_attachment action: core.cases.delete_attachment args: case_id: ${{ TRIGGER.case_id }} attachment_id: ${{ TRIGGER.attachment_id }} ``` # Cases Source: https://docs.tracecat.com/automations/core-actions/case-actions/cases ## `core.cases.create_case` Create a new case. ### Inputs The description of the case. The summary of the case. Dropdown selections to set on the case. Each item must include either definition\_id or definition\_ref, and either option\_id or option\_ref (or null to clear). Default: `null`. Custom fields for the case. Default: `null`. Payload for the case. Default: `null`. The priority of the case. Default: `"unknown"`. Allowed values: `unknown`, `low`, `medium`, `high`, `critical`, `other`. The severity of the case. Default: `"unknown"`. Allowed values: `unknown`, `informational`, `low`, `medium`, `high`, `critical`, `fatal`, `other`. The status of the case. Default: `"unknown"`. Allowed values: `unknown`, `new`, `in_progress`, `on_hold`, `resolved`, `closed`, `other`. List of tag identifiers (IDs or refs) to add to the case. Default: `null`. ### Examples **Create and fetch a case** ```yaml theme={null} - ref: create_case action: core.cases.create_case args: summary: "Investigate alert ${{ TRIGGER.alert_id }}" description: "Created from workflow trigger." priority: high severity: high tags: - phishing - ref: get_case action: core.cases.get_case depends_on: - create_case args: case_id: ${{ ACTIONS.create_case.result.id }} ``` ## `core.cases.get_case` Get details of a specific case by ID. ### Inputs The ID of the case to retrieve. ### Examples **Create and fetch a case** ```yaml theme={null} - ref: create_case action: core.cases.create_case args: summary: "Investigate alert ${{ TRIGGER.alert_id }}" description: "Created from workflow trigger." priority: high severity: high tags: - phishing - ref: get_case action: core.cases.get_case depends_on: - create_case args: case_id: ${{ ACTIONS.create_case.result.id }} ``` ## `core.cases.update_case` Update an existing case. ### Inputs The ID of the case to update. If true, append the provided description to the existing description when it is not empty. Default: `false`. The updated description of the case. Default: `null`. Dropdown selections to set or clear. Each item must include either definition\_id or definition\_ref, and either option\_id or option\_ref (or null to clear). Default: `null`. Updated custom fields for the case. Default: `null`. Updated payload for the case. Default: `null`. The updated priority of the case. Default: `null`. The updated severity of the case. Default: `null`. The updated status of the case. Default: `null`. The updated summary of the case. Default: `null`. List of tag identifiers (IDs or refs) to set on the case. This will replace all existing tags. Default: `null`. ### Examples **Update case fields** ```yaml theme={null} - ref: update_case action: core.cases.update_case args: case_id: ${{ TRIGGER.case_id }} status: in_progress priority: critical append: true description: | Analyst note: - Escalated after credential theft indicators were confirmed. ``` ## `core.cases.list_cases` List all cases. ### Inputs Pagination cursor used to fetch a specific page when paginate=true. Default: `null`. Maximum number of cases to return. Default: `100`. The field to order the cases by. Default: `null`. If true, return cursor pagination metadata along with items. Default: `false`. Reverse pagination direction when paginate=true. Default: `false`. The direction to order the cases by. Default: `null`. ### Examples **List, search, and inspect case activity** ```yaml theme={null} - ref: list_cases action: core.cases.list_cases args: limit: 25 order_by: updated_at sort: desc - ref: search_cases action: core.cases.search_cases args: search_term: phishing status: - new - in_progress limit: 25 - ref: case_events action: core.cases.list_case_events args: case_id: ${{ TRIGGER.case_id }} ``` ## `core.cases.search_cases` Search cases based on various criteria. ### Inputs Filter by assignee ID or 'unassigned'. Default: `null`. Pagination cursor used to fetch a specific page when paginate=true. Default: `null`. Filter by dropdown values in definition\_ref:option\_ref format. Default: `null`. Filter cases created before this time. Default: `null`. Maximum number of cases to return. Default: `100`. The field to order the cases by. Default: `null`. If true, return cursor pagination metadata along with items. Default: `false`. Filter by case priority. Default: `null`. Reverse pagination direction when paginate=true. Default: `false`. Text to search for in case summary and description. Default: `null`. Filter by case severity. Default: `null`. The direction to order the cases by. Default: `null`. Filter cases created after this time. Default: `null`. Filter by case status. Default: `null`. Filter by tag IDs or refs (AND logic). Default: `null`. Filter cases updated after this time. Default: `null`. Filter cases updated before this time. Default: `null`. ### Examples **List, search, and inspect case activity** ```yaml theme={null} - ref: list_cases action: core.cases.list_cases args: limit: 25 order_by: updated_at sort: desc - ref: search_cases action: core.cases.search_cases args: search_term: phishing status: - new - in_progress limit: 25 - ref: case_events action: core.cases.list_case_events args: case_id: ${{ TRIGGER.case_id }} ``` ## `core.cases.list_case_events` List all events for a case in chronological order. ### Inputs The ID of the case to get events for. ### Examples **List, search, and inspect case activity** ```yaml theme={null} - ref: list_cases action: core.cases.list_cases args: limit: 25 order_by: updated_at sort: desc - ref: search_cases action: core.cases.search_cases args: search_term: phishing status: - new - in_progress limit: 25 - ref: case_events action: core.cases.list_case_events args: case_id: ${{ TRIGGER.case_id }} ``` ## `core.cases.assign_user` Assign a user to an existing case. ### Inputs The ID of the user to assign to the case. The ID of the case to assign a user to. ### Examples **Assign a case** ```yaml theme={null} - ref: assign_by_id action: core.cases.assign_user args: case_id: ${{ TRIGGER.case_id }} assignee_id: ${{ TRIGGER.assignee_id }} - ref: assign_by_email action: core.cases.assign_user_by_email args: case_id: ${{ TRIGGER.case_id }} assignee_email: analyst@example.com ``` ## `core.cases.assign_user_by_email` Assign a user to an existing case by email. ### Inputs The email of the user to assign to the case. The ID of the case to assign a user to. ### Examples **Assign a case** ```yaml theme={null} - ref: assign_by_id action: core.cases.assign_user args: case_id: ${{ TRIGGER.case_id }} assignee_id: ${{ TRIGGER.assignee_id }} - ref: assign_by_email action: core.cases.assign_user_by_email args: case_id: ${{ TRIGGER.case_id }} assignee_email: analyst@example.com ``` ## `core.cases.add_case_tag` Add a tag to a case by tag ID or ref. ### Inputs The ID of the case to add a tag to. The tag identifier (ID or ref) to add to the case. If true, create the tag if it does not exist. Default: `false`. ### Examples **Add and remove tags** ```yaml theme={null} - ref: add_tag action: core.cases.add_case_tag args: case_id: ${{ TRIGGER.case_id }} tag: credential-theft create_if_missing: true - ref: remove_tag action: core.cases.remove_case_tag args: case_id: ${{ TRIGGER.case_id }} tag: needs-triage ``` ## `core.cases.remove_case_tag` Remove a tag from a case by tag ID or ref. ### Inputs The ID of the case to remove a tag from. The tag identifier (ID or ref) to remove from the case. ### Examples **Add and remove tags** ```yaml theme={null} - ref: add_tag action: core.cases.add_case_tag args: case_id: ${{ TRIGGER.case_id }} tag: credential-theft create_if_missing: true - ref: remove_tag action: core.cases.remove_case_tag args: case_id: ${{ TRIGGER.case_id }} tag: needs-triage ``` ## `core.cases.delete_case` Delete a case. ### Inputs The ID of the case to delete. ### Examples **Delete a case** ```yaml theme={null} - ref: close_case action: core.cases.update_case args: case_id: ${{ TRIGGER.case_id }} status: closed - ref: delete_case action: core.cases.delete_case depends_on: - close_case args: case_id: ${{ TRIGGER.case_id }} ``` # Comments Source: https://docs.tracecat.com/automations/core-actions/case-actions/comments ## `core.cases.create_comment` Add a comment to an existing case. ### Inputs The ID of the case to comment on. The comment content. The ID of the parent comment if this is a reply. Default: `null`. The ID of the workflow to run when the comment is created. Default: `null`. ### Examples **Manage case comments** ```yaml theme={null} - ref: create_comment action: core.cases.create_comment args: case_id: ${{ TRIGGER.case_id }} content: "Initial triage started." - ref: reply_to_comment action: core.cases.reply_to_comment depends_on: - create_comment args: case_id: ${{ TRIGGER.case_id }} parent_comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Added IOC context." - ref: update_comment action: core.cases.update_comment depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Initial triage started. Waiting on endpoint data." - ref: list_comments action: core.cases.list_comments args: case_id: ${{ TRIGGER.case_id }} - ref: list_comment_threads action: core.cases.list_comment_threads args: case_id: ${{ TRIGGER.case_id }} - ref: get_comment_thread action: core.cases.get_comment_thread depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} ``` ## `core.cases.reply_to_comment` Reply to a top-level case comment. ### Inputs The ID of the case containing the parent comment. The reply content. The ID of the top-level comment to reply to. ### Examples **Manage case comments** ```yaml theme={null} - ref: create_comment action: core.cases.create_comment args: case_id: ${{ TRIGGER.case_id }} content: "Initial triage started." - ref: reply_to_comment action: core.cases.reply_to_comment depends_on: - create_comment args: case_id: ${{ TRIGGER.case_id }} parent_comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Added IOC context." - ref: update_comment action: core.cases.update_comment depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Initial triage started. Waiting on endpoint data." - ref: list_comments action: core.cases.list_comments args: case_id: ${{ TRIGGER.case_id }} - ref: list_comment_threads action: core.cases.list_comment_threads args: case_id: ${{ TRIGGER.case_id }} - ref: get_comment_thread action: core.cases.get_comment_thread depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} ``` ## `core.cases.update_comment` Update an existing case comment. ### Inputs The ID of the comment to update. The updated comment content. ### Examples **Manage case comments** ```yaml theme={null} - ref: create_comment action: core.cases.create_comment args: case_id: ${{ TRIGGER.case_id }} content: "Initial triage started." - ref: reply_to_comment action: core.cases.reply_to_comment depends_on: - create_comment args: case_id: ${{ TRIGGER.case_id }} parent_comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Added IOC context." - ref: update_comment action: core.cases.update_comment depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Initial triage started. Waiting on endpoint data." - ref: list_comments action: core.cases.list_comments args: case_id: ${{ TRIGGER.case_id }} - ref: list_comment_threads action: core.cases.list_comment_threads args: case_id: ${{ TRIGGER.case_id }} - ref: get_comment_thread action: core.cases.get_comment_thread depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} ``` ## `core.cases.list_comments` List all comments for a case. ### Inputs The ID of the case to get comments for. ### Examples **Manage case comments** ```yaml theme={null} - ref: create_comment action: core.cases.create_comment args: case_id: ${{ TRIGGER.case_id }} content: "Initial triage started." - ref: reply_to_comment action: core.cases.reply_to_comment depends_on: - create_comment args: case_id: ${{ TRIGGER.case_id }} parent_comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Added IOC context." - ref: update_comment action: core.cases.update_comment depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Initial triage started. Waiting on endpoint data." - ref: list_comments action: core.cases.list_comments args: case_id: ${{ TRIGGER.case_id }} - ref: list_comment_threads action: core.cases.list_comment_threads args: case_id: ${{ TRIGGER.case_id }} - ref: get_comment_thread action: core.cases.get_comment_thread depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} ``` ## `core.cases.list_comment_threads` List comment threads for a case. ### Inputs The ID of the case to get comment threads for. ### Examples **Manage case comments** ```yaml theme={null} - ref: create_comment action: core.cases.create_comment args: case_id: ${{ TRIGGER.case_id }} content: "Initial triage started." - ref: reply_to_comment action: core.cases.reply_to_comment depends_on: - create_comment args: case_id: ${{ TRIGGER.case_id }} parent_comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Added IOC context." - ref: update_comment action: core.cases.update_comment depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Initial triage started. Waiting on endpoint data." - ref: list_comments action: core.cases.list_comments args: case_id: ${{ TRIGGER.case_id }} - ref: list_comment_threads action: core.cases.list_comment_threads args: case_id: ${{ TRIGGER.case_id }} - ref: get_comment_thread action: core.cases.get_comment_thread depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} ``` ## `core.cases.get_comment_thread` Get the full thread for a comment ID. ### Inputs The ID of a comment within the thread. ### Examples **Manage case comments** ```yaml theme={null} - ref: create_comment action: core.cases.create_comment args: case_id: ${{ TRIGGER.case_id }} content: "Initial triage started." - ref: reply_to_comment action: core.cases.reply_to_comment depends_on: - create_comment args: case_id: ${{ TRIGGER.case_id }} parent_comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Added IOC context." - ref: update_comment action: core.cases.update_comment depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} content: "Initial triage started. Waiting on endpoint data." - ref: list_comments action: core.cases.list_comments args: case_id: ${{ TRIGGER.case_id }} - ref: list_comment_threads action: core.cases.list_comment_threads args: case_id: ${{ TRIGGER.case_id }} - ref: get_comment_thread action: core.cases.get_comment_thread depends_on: - create_comment args: comment_id: ${{ ACTIONS.create_comment.result.id }} ``` # Linked rows Source: https://docs.tracecat.com/automations/core-actions/case-actions/linked-rows Linked rows use regular tables. When you create a table for case-linked evidence, use the same `columns` JSON schema documented in [Tables](/automations/tables) and [Table actions](/automations/core-actions/memory-actions/tables). ## `core.cases.link_row` Link an existing table row to a case. ### Inputs Case ID Row ID Table ID ### Examples **Link table rows to a case** ```yaml theme={null} - ref: link_row action: core.cases.link_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row_id: ${{ TRIGGER.row_id }} - ref: unlink_row action: core.cases.unlink_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row_id: ${{ TRIGGER.row_id }} - ref: insert_case_row action: core.cases.insert_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row: value: ${{ TRIGGER.indicator }} indicator_type: domain ``` ## `core.cases.unlink_row` Remove a linked table row from a case. ### Inputs Case ID Row ID Table ID ### Examples **Link table rows to a case** ```yaml theme={null} - ref: link_row action: core.cases.link_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row_id: ${{ TRIGGER.row_id }} - ref: unlink_row action: core.cases.unlink_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row_id: ${{ TRIGGER.row_id }} - ref: insert_case_row action: core.cases.insert_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row: value: ${{ TRIGGER.indicator }} indicator_type: domain ``` ## `core.cases.insert_row` Insert a row into a table and link it to a case. ### Inputs Case ID Row values Table ID ### Examples **Link table rows to a case** ```yaml theme={null} - ref: link_row action: core.cases.link_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row_id: ${{ TRIGGER.row_id }} - ref: unlink_row action: core.cases.unlink_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row_id: ${{ TRIGGER.row_id }} - ref: insert_case_row action: core.cases.insert_row args: case_id: ${{ TRIGGER.case_id }} table_id: indicators row: value: ${{ TRIGGER.indicator }} indicator_type: domain ``` # Metrics Source: https://docs.tracecat.com/automations/core-actions/case-actions/metrics ## `core.cases.get_case_metrics` Get case metrics as OTEL-aligned time-series for the provided case IDs. Enterprise Edition ### Inputs List of case IDs to get case metrics for. ### Examples **Read case metrics** ```yaml theme={null} - ref: case_metrics action: core.cases.get_case_metrics args: case_ids: - ${{ TRIGGER.case_id }} - ${{ TRIGGER.related_case_id }} ``` # Tasks Source: https://docs.tracecat.com/automations/core-actions/case-actions/tasks ## `core.cases.create_task` Create a new task for a case. Enterprise Edition ### Inputs The ID of the case to create a task for. The title of the task. The ID of the user to assign the task to. Default: `null`. The default trigger values for the task. Default: `null`. The description of the task. Default: `null`. The priority of the task (unknown, low, medium, high, critical). Default: `"unknown"`. The status of the task (todo, in\_progress, blocked, completed). Default: `"todo"`. The ID of the workflow associated with this task. Default: `null`. ### Examples **Manage case tasks** ```yaml theme={null} - ref: create_task action: core.cases.create_task args: case_id: ${{ TRIGGER.case_id }} title: Collect email headers description: Pull the original message from the mail gateway. priority: high status: todo - ref: get_task action: core.cases.get_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} - ref: list_tasks action: core.cases.list_tasks args: case_id: ${{ TRIGGER.case_id }} - ref: update_task action: core.cases.update_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} status: in_progress - ref: delete_task action: core.cases.delete_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} ``` ## `core.cases.get_task` Get a specific case task by ID. Enterprise Edition ### Inputs The ID of the task to retrieve. ### Examples **Manage case tasks** ```yaml theme={null} - ref: create_task action: core.cases.create_task args: case_id: ${{ TRIGGER.case_id }} title: Collect email headers description: Pull the original message from the mail gateway. priority: high status: todo - ref: get_task action: core.cases.get_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} - ref: list_tasks action: core.cases.list_tasks args: case_id: ${{ TRIGGER.case_id }} - ref: update_task action: core.cases.update_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} status: in_progress - ref: delete_task action: core.cases.delete_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} ``` ## `core.cases.list_tasks` List all tasks for a case. Enterprise Edition ### Inputs The ID of the case to list tasks for. ### Examples **Manage case tasks** ```yaml theme={null} - ref: create_task action: core.cases.create_task args: case_id: ${{ TRIGGER.case_id }} title: Collect email headers description: Pull the original message from the mail gateway. priority: high status: todo - ref: get_task action: core.cases.get_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} - ref: list_tasks action: core.cases.list_tasks args: case_id: ${{ TRIGGER.case_id }} - ref: update_task action: core.cases.update_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} status: in_progress - ref: delete_task action: core.cases.delete_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} ``` ## `core.cases.update_task` Update an existing case task. Enterprise Edition ### Inputs The ID of the task to update. The ID of the user to assign the task to. Default: `null`. The default trigger values for the task. Default: `null`. The updated description of the task. Default: `null`. The updated priority of the task (unknown, low, medium, high, critical). Default: `null`. The updated status of the task (todo, in\_progress, blocked, completed). Default: `null`. The updated title of the task. Default: `null`. The ID of the workflow associated with this task. Default: `null`. ### Examples **Manage case tasks** ```yaml theme={null} - ref: create_task action: core.cases.create_task args: case_id: ${{ TRIGGER.case_id }} title: Collect email headers description: Pull the original message from the mail gateway. priority: high status: todo - ref: get_task action: core.cases.get_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} - ref: list_tasks action: core.cases.list_tasks args: case_id: ${{ TRIGGER.case_id }} - ref: update_task action: core.cases.update_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} status: in_progress - ref: delete_task action: core.cases.delete_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} ``` ## `core.cases.delete_task` Delete a case task. Enterprise Edition ### Inputs The ID of the task to delete. ### Examples **Manage case tasks** ```yaml theme={null} - ref: create_task action: core.cases.create_task args: case_id: ${{ TRIGGER.case_id }} title: Collect email headers description: Pull the original message from the mail gateway. priority: high status: todo - ref: get_task action: core.cases.get_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} - ref: list_tasks action: core.cases.list_tasks args: case_id: ${{ TRIGGER.case_id }} - ref: update_task action: core.cases.update_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} status: in_progress - ref: delete_task action: core.cases.delete_task depends_on: - create_task args: task_id: ${{ ACTIONS.create_task.result.id }} ``` # Filesystem Source: https://docs.tracecat.com/automations/core-actions/memory-actions/filesystem Filesystem actions are in private beta. Contact [founders@tracecat.com](mailto:founders@tracecat.com) to learn more. Give your agents a persistent filesystem to store files and data as memory. Share these filesystems between agent runs and other agents. # Tables Source: https://docs.tracecat.com/automations/core-actions/memory-actions/tables Tables are the built-in structured data store behind `core.table.*`. Use them when your workflows need durable, queryable records such as asset inventories, user allowlists, enrichment results, or investigation evidence. ## What tables are good for * Persisting enrichment data across workflow runs * Looking up records by a known field such as hostname, email, or indicator * Searching and exporting structured data for analysts * Attaching case context to reusable datasets ## Common workflow pattern Most table workflows follow the same lifecycle: 1. Create the table once with a schema that fits your data. 2. Insert or upsert rows as new events arrive. 3. Look up, search, or export rows later from another workflow step. ```yaml theme={null} - ref: ensure_inventory_table action: core.table.create_table args: name: asset_inventory columns: - name: hostname type: TEXT - name: owner type: TEXT - name: last_seen type: TIMESTAMPTZ raise_on_duplicate: false - ref: upsert_asset action: core.table.insert_row args: table: asset_inventory upsert: true row_data: hostname: ${{ TRIGGER.hostname }} owner: ${{ TRIGGER.owner }} last_seen: ${{ FN.now() }} - ref: find_asset action: core.table.lookup args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} ``` ## Column schema `core.table.create_table` takes `columns` as a JSON array of column objects. This is the same schema you use for tables that you later link to cases. * `name`: Required string. Use letters, numbers, and underscores, and start with a letter or underscore. * `type`: Required uppercase string. Use `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, or `MULTI_SELECT`. * `nullable`: Optional boolean. Defaults to `true`. * `default`: Optional value. It must match the column type. * `options`: Optional array of strings. Required for `SELECT` and `MULTI_SELECT`, and invalid for other types. The documented `type` values match the custom tables picker. Case custom fields use the same storage type family: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`. In the case field picker, raw `JSONB` is currently surfaced through the `URL` kind, and `Long text` is layered on top of `TEXT`. ## Notes * Use `lookup` or `is_in` when you already know the column and value you need. * Use `search_rows` when you need broader text search or paginated results. * Use `download` when you want to export rows as JSON, NDJSON, CSV, or Markdown. ## FAQ `core.table.insert_rows` is best for batch inserts, but you should split large imports into smaller batches first. Create batches upstream, then run one `insert_rows` action per batch. ```yaml theme={null} - ref: insert_batch action: core.table.insert_rows for_each: ${{ for var.batch in TRIGGER.row_batches }} args: table: asset_inventory rows_data: ${{ var.batch }} ``` Each `var.batch` should be a list of rows that stays within your chosen batch size. This keeps imports predictable and makes retry behavior easier to reason about. Use the documented uppercase type names: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`. * Use `SELECT` and `MULTI_SELECT` only when you also provide `options`. * Use `TEXT` or `JSONB` for flexible payloads. * Case-linked custom fields follow the same storage type family as tables. ```yaml theme={null} - ref: create_table action: core.table.create_table args: name: asset_inventory columns: - name: hostname type: TEXT - name: first_seen_at type: TIMESTAMPTZ - name: owner_team type: SELECT options: - secops - platform - it ``` ## `core.table.create_table` Create a new lookup table with optional columns. ### Inputs The name of the table to create. List of column definitions. Each item is a JSON object with required `name` and uppercase `type`, plus optional `nullable`, `default`, and `options` fields. Use `options` only with `SELECT` or `MULTI_SELECT`. Default: `null`. If true, raise an error if the table already exists. Default: `true`. ### Examples **Create and inspect a table** ```yaml theme={null} - ref: create_table action: core.table.create_table args: name: asset_inventory columns: - name: hostname type: TEXT - name: owner type: TEXT raise_on_duplicate: false - ref: list_tables action: core.table.list_tables - ref: table_metadata action: core.table.get_table_metadata args: name: asset_inventory ``` ## `core.table.list_tables` Get a list of all available tables in the workspace. ### Inputs This action does not take input fields. ### Examples **Create and inspect a table** ```yaml theme={null} - ref: create_table action: core.table.create_table args: name: asset_inventory columns: - name: hostname type: TEXT - name: owner type: TEXT raise_on_duplicate: false - ref: list_tables action: core.table.list_tables - ref: table_metadata action: core.table.get_table_metadata args: name: asset_inventory ``` ## `core.table.get_table_metadata` Get a table's metadata by name. This includes the columns and whether they are indexed. ### Inputs The name of the table to get. ### Examples **Create and inspect a table** ```yaml theme={null} - ref: create_table action: core.table.create_table args: name: asset_inventory columns: - name: hostname type: TEXT - name: owner type: TEXT raise_on_duplicate: false - ref: list_tables action: core.table.list_tables - ref: table_metadata action: core.table.get_table_metadata args: name: asset_inventory ``` ## `core.table.lookup` Get a single row from a table corresponding to the given column and value. ### Inputs The column to lookup the value in. The table to lookup the value in. The value to lookup. ### Examples **Look up rows** ```yaml theme={null} - ref: lookup_row action: core.table.lookup args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} - ref: row_exists action: core.table.is_in args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} - ref: lookup_many_rows action: core.table.lookup_many args: table: asset_inventory column: owner value: secops limit: 25 ``` ## `core.table.is_in` Check if a value exists in a table column. ### Inputs The column to check in. The table to check. The value to check for. ### Examples **Look up rows** ```yaml theme={null} - ref: lookup_row action: core.table.lookup args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} - ref: row_exists action: core.table.is_in args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} - ref: lookup_many_rows action: core.table.lookup_many args: table: asset_inventory column: owner value: secops limit: 25 ``` ## `core.table.lookup_many` Get multiple rows from a table corresponding to the given column and values. ### Inputs The column to lookup the value in. The table to lookup the value in. The value to lookup. The maximum number of rows to return. Default: `100`. ### Examples **Look up rows** ```yaml theme={null} - ref: lookup_row action: core.table.lookup args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} - ref: row_exists action: core.table.is_in args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} - ref: lookup_many_rows action: core.table.lookup_many args: table: asset_inventory column: owner value: secops limit: 25 ``` ## `core.table.search_rows` Search for rows in a table with optional filtering. ### Inputs The table to search in. Cursor for pagination. Default: `null`. Filter rows created before this time. Default: `null`. The maximum number of rows to return. Default: `100`. If true, return cursor pagination metadata along with items. Default: `false`. Reverse pagination direction. Default: `false`. Text to search for across all text and JSONB columns. Default: `null`. Filter rows created after this time. Default: `null`. Filter rows updated after this time. Default: `null`. Filter rows updated before this time. Default: `null`. ### Examples **Search table rows** ```yaml theme={null} - ref: search_rows action: core.table.search_rows args: table: asset_inventory search_term: database limit: 50 paginate: true ``` ## `core.table.insert_row` Insert a row into a table. ### Inputs The data to insert into the row. The table to insert the row into. If true, update the row if it already exists (based on primary key). Default: `false`. ### Examples **Insert, update, and delete rows** ```yaml theme={null} - ref: insert_row action: core.table.insert_row args: table: asset_inventory row_data: hostname: app-01 owner: secops - ref: insert_rows action: core.table.insert_rows args: table: asset_inventory rows_data: - hostname: app-02 owner: secops - hostname: app-03 owner: platform - ref: update_row action: core.table.update_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} row_data: owner: incident-response - ref: delete_row action: core.table.delete_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} ``` ## `core.table.insert_rows` Insert multiple rows into a table. ### Inputs The list of data to insert into the table. The table to insert the rows into. If true, update the rows if they already exist (based on primary key). Default: `false`. ### Examples **Insert, update, and delete rows** ```yaml theme={null} - ref: insert_row action: core.table.insert_row args: table: asset_inventory row_data: hostname: app-01 owner: secops - ref: insert_rows action: core.table.insert_rows args: table: asset_inventory rows_data: - hostname: app-02 owner: secops - hostname: app-03 owner: platform - ref: update_row action: core.table.update_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} row_data: owner: incident-response - ref: delete_row action: core.table.delete_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} ``` ## `core.table.update_row` Update a row in a table. ### Inputs The new data for the row. The ID of the row to update. The table to update the row in. ### Examples **Insert, update, and delete rows** ```yaml theme={null} - ref: insert_row action: core.table.insert_row args: table: asset_inventory row_data: hostname: app-01 owner: secops - ref: insert_rows action: core.table.insert_rows args: table: asset_inventory rows_data: - hostname: app-02 owner: secops - hostname: app-03 owner: platform - ref: update_row action: core.table.update_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} row_data: owner: incident-response - ref: delete_row action: core.table.delete_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} ``` ## `core.table.delete_row` Delete a row from a table. ### Inputs The ID of the row to delete. The table to delete the row from. ### Examples **Insert, update, and delete rows** ```yaml theme={null} - ref: insert_row action: core.table.insert_row args: table: asset_inventory row_data: hostname: app-01 owner: secops - ref: insert_rows action: core.table.insert_rows args: table: asset_inventory rows_data: - hostname: app-02 owner: secops - hostname: app-03 owner: platform - ref: update_row action: core.table.update_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} row_data: owner: incident-response - ref: delete_row action: core.table.delete_row args: table: asset_inventory row_id: ${{ TRIGGER.row_id }} ``` ## `core.table.download` Download a table's data by name as list of dicts, JSON string, NDJSON string, CSV or Markdown. ### Inputs The name of the table to download. The format to download the table data in. Default: `null`. The maximum number of rows to download. Default: `1000`. ### Examples **Export table data** ```yaml theme={null} - ref: export_table action: core.table.download args: name: asset_inventory format: csv limit: 1000 ``` # Email Source: https://docs.tracecat.com/automations/core-actions/request-actions/email ## `core.send_email_smtp` Send email using SMTP. ### Secrets Required secrets: * `smtp`: required values `SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASS`. ### Inputs Body content of the email List of recipient email addresses Email address of the sender Subject of the email Key-value pairs of allowed attributes to add to the email body. e.g. \{'\*': \['style']}. This allows all tags to have a style attribute Default: `null`. Recipient(s) to be copied in the BCC field Default: `null`. Recipient(s) to be copied in the CC field Default: `null`. Email content type ('text/plain' or 'text/html'). Defaults to 'text/plain'. Default: `"text/plain"`. Allowed values: `text/plain`, `text/html`. Enable SMTP authentication Default: `false`. Enable SSL for secure connection Default: `false`. Enable STARTTLS for secure connection Default: `false`. Additional email headers Default: `null`. Ignore SSL certificate errors Default: `false`. Email address(es) to be used in the Reply-To field Default: `null`. Email address prefix of the sender Default: `null`. Timeout for SMTP operations in seconds Default: `null`. ### Examples **Send a notification** ```yaml theme={null} - ref: notify_team action: core.send_email_smtp args: sender: no-reply@example.com recipients: - secops@example.com subject: "Tracecat alert ${{ TRIGGER.alert_id }}" body: "Severity: ${{ TRIGGER.severity }}" content_type: text/plain enable_starttls: true enable_auth: true ``` # gRPC Source: https://docs.tracecat.com/automations/core-actions/request-actions/grpc ## `core.grpc.request` Call a gRPC method using a runtime-compiled protobuf definition. ### Secrets Optional secrets: * `grpc_mtls`: required values `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY`. * `grpc_ca_cert`: required values `CA_CERTIFICATE`. ### Inputs gRPC method name (e.g., 'Query'). Inline .proto definition. gRPC service name (e.g., 'API'). gRPC server address in host:port format. Use an insecure plaintext channel. Defaults to False (TLS channel). Default: `false`. Request payload as a dict matching the protobuf schema. Default: `null`. Timeout in seconds for the RPC. Defaults to no timeout. Default: `null`. ### Examples **Call a gRPC service** ```yaml theme={null} - ref: grpc_query action: core.grpc.request args: target: grpc.example.com:443 service_name: Alerts method_name: GetAlert proto: | syntax = "proto3"; package alerts; service Alerts { rpc GetAlert (GetAlertRequest) returns (AlertResponse); } message GetAlertRequest { string id = 1; } message AlertResponse { string id = 1; string severity = 2; } payload: id: ${{ TRIGGER.alert_id }} ``` # HTTP Source: https://docs.tracecat.com/automations/core-actions/request-actions/http ## `core.http_request` Perform a HTTP request to a given URL. ### Secrets Optional secrets: * `mtls`: required values `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY`. * `ca_cert`: required values `CA_CERTIFICATE`. ### Inputs HTTP request method Allowed values: `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, `HEAD`, `OPTIONS`. The destination of the HTTP request Basic auth credentials with `username` and `password` keys Default: `null`. Base64 encode the raw response body before returning. Use this for binary downloads to prevent corruption from text decoding. Default: `false`. Files to upload using multipart/form-data. The dictionary key is the form field name. The value can be a simple base64 encoded string (filename defaults to form field name), or a dictionary with 'filename', 'content\_base64', and optional 'content\_type'. Default: `null`. Follow HTTP redirects Default: `false`. Form encoded data in request body (POST, PUT, and PATCH) Default: `null`. HTTP request headers Default: `null`. If specified, these status codes will not be treated as errors. Defaults to None. Default: `null`. Maximum number of redirects Default: `20`. URL query parameters Default: `null`. JSON serializable data in request body (POST, PUT, and PATCH) Default: `null`. Timeout in seconds Default: `10.0`. Verify SSL certificates. Defaults to True, disable at own risk. Default: `true`. ### Examples **Basic request** ```yaml theme={null} - ref: fetch_alert action: core.http_request args: url: https://api.example.com/alerts/${{ TRIGGER.alert_id }} method: GET headers: Authorization: Bearer ${{ SECRETS.alerts.API_TOKEN }} ``` ## `core.http_poll` Perform a HTTP request to a given URL with optional polling. ### Secrets Optional secrets: * `mtls`: required values `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY`. * `ca_cert`: required values `CA_CERTIFICATE`. ### Inputs HTTP request method Allowed values: `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, `HEAD`, `OPTIONS`. The destination of the HTTP request Basic auth credentials with `username` and `password` keys Default: `null`. Follow HTTP redirects Default: `false`. Form encoded data in request body (POST, PUT, and PATCH) Default: `null`. HTTP request headers Default: `null`. Maximum number of redirects Default: `20`. URL query parameters Default: `null`. JSON serializable data in request body (POST, PUT, and PATCH) Default: `null`. Python lambda function when evaluated to True, stops polling. The function receives a dict with `headers`, `data`, and `status_code` fields. Default: `null`. Interval in seconds between polling attempts. If not specified, defaults to polling with exponential wait. Default: `null`. Maximum number of polling attempts. If set to 0, the action will poll indefinitely (until timeout). Default: `10`. Status codes on which the action will retry. Ignored if `poll_condition` is provided. If neither are specified, an error will be raised. Default: `null`. Timeout in seconds Default: `10.0`. Verify SSL certificates. Defaults to True, disable at own risk. Default: `true`. ### Examples **Poll until complete** ```yaml theme={null} - ref: wait_for_export action: core.http_poll args: url: https://api.example.com/exports/${{ TRIGGER.export_id }} method: GET headers: Authorization: Bearer ${{ SECRETS.exports.API_TOKEN }} poll_interval: 5 poll_max_attempts: 24 poll_condition: "lambda response: response['data'].get('status') == 'completed'" ``` ## `core.http_paginate` Paginate through a HTTP response. ### Inputs HTTP request method Allowed values: `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, `HEAD`, `OPTIONS`. Python lambda function that returns the next request as a JSON of `url`, `method`, `headers`, `params`, `payload`, `form_data` to paginate to. The function receives a dict with `headers`, `data`, and `status_code` fields. Python lambda function that determines when pagination should STOP. The function receives a dict with `headers`, `data`, and `status_code` fields. The destination of the HTTP request Basic auth credentials with `username` and `password` keys Default: `null`. Follow HTTP redirects Default: `false`. Form encoded data in request body (POST, PUT, and PATCH) Default: `null`. HTTP request headers Default: `null`. JSONPath expression that evaluates to the items to paginate through. Default: `null`. Maximum number of items to paginate through. Defaults to 1000. Default: `1000`. Maximum number of redirects Default: `20`. URL query parameters Default: `null`. JSON serializable data in request body (POST, PUT, and PATCH) Default: `null`. Timeout in seconds Default: `10.0`. Verify SSL certificates. Defaults to True, disable at own risk. Default: `true`. ### Examples **Follow next page links** ```yaml theme={null} - ref: list_findings action: core.http_paginate args: url: https://api.example.com/findings method: GET headers: Authorization: Bearer ${{ SECRETS.findings.API_TOKEN }} params: limit: 100 items_jsonpath: $.items[*] stop_condition: "lambda response: response['data'].get('next_cursor') is None" next_request: "lambda response: {'url': 'https://api.example.com/findings', 'method': 'GET', 'headers': {'Authorization': 'Bearer ${{ SECRETS.findings.API_TOKEN }}'}, 'params': {'limit': 100, 'cursor': response['data']['next_cursor']}}" ``` # SQL Source: https://docs.tracecat.com/automations/core-actions/request-actions/sql ## `core.sql.execute_query` Execute a parameterized SQL query on an external database. ### Secrets Required secrets: * `sql`: required values `CONNECTION_URL`. ### Inputs SQL query to execute. Use :param\_name syntax for bound parameters. Do NOT use Tracecat expressions in the query string. Bound query parameters as a dictionary (injected with :param\_name syntax). Supply dynamic values here, NOT within the query string. This is required for safe, parameterized SQL queries. Default: `null`. Return a single row instead of a list of rows. Defaults to False, which fetches all rows. Default: `false`. Maximum number of rows to return. Default 200. Prevents accidentally returning huge result sets. Default: `200`. ### Examples **Query an external database** ```yaml theme={null} - ref: recent_logins action: core.sql.execute_query args: query: | SELECT user_email, last_login_at FROM user_logins WHERE last_login_at >= :cutoff ORDER BY last_login_at DESC bound_params: cutoff: ${{ TRIGGER.cutoff }} max_rows: 100 ``` ## `core.duckdb.execute_sql` Execute SQL in an in-process DuckDB engine ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Inputs SQL to execute in an in-process DuckDB connection. ### Examples **Run in-process SQL** ```yaml theme={null} - ref: aggregate_results action: core.duckdb.execute_sql args: sql: | WITH findings(id, severity) AS ( VALUES (1, 'high'), (2, 'low'), (3, 'high') ) SELECT severity, count(*) AS count FROM findings GROUP BY severity ORDER BY count DESC ``` **Read from S3** ```yaml theme={null} # Attach the amazon_s3 secret (static keys or AWS_ROLE_ARN for AssumeRole). - ref: read_s3 action: core.duckdb.execute_sql args: sql: | SELECT * FROM read_parquet('s3://my-bucket/findings/*.parquet') ``` # SSH Source: https://docs.tracecat.com/automations/core-actions/request-actions/ssh ## `core.ssh.execute_command` Execute a command over SSH and return stdout, stderr, and exit status. ### Secrets Required secrets: * `ssh`: required values `PRIVATE_KEY`. ### Inputs Command to execute on the remote host. SSH host to connect to. Expected public host key for the target host in '\ \' format. For non-22 ports, the entry is stored as \[host]:port. SSH username. Password for the SSH user. Default: `null`. SSH port. Defaults to 22. Default: `22`. Timeout in seconds for connection and command execution. Default: `30.0`. ### Examples **Execute a remote command** ```yaml theme={null} - ref: collect_uptime action: core.ssh.execute_command args: host: 10.0.10.15 port: 22 username: tracecat host_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEXAMPLEHOSTKEY" command: uptime timeout_seconds: 20 ``` # Data transforms Source: https://docs.tracecat.com/automations/core-actions/transform-actions/data-transforms ## `core.transform.apply` Apply a Python lambda function to a value. ### Inputs Python lambda function as a string (e.g. `"lambda x: x.get('name')"`). Value to apply the lambda function to. ### Examples **Filter, transform, and compact** ```yaml theme={null} - ref: normalize_hostname action: core.transform.apply args: value: ${{ TRIGGER.hostname }} python_lambda: "lambda value: value.strip().lower()" - ref: keep_open_findings action: core.transform.filter args: items: ${{ TRIGGER.findings }} python_lambda: "lambda finding: finding.get('status') == 'open'" - ref: finding_ids action: core.transform.map args: items: ${{ ACTIONS.keep_open_findings.result }} python_lambda: "lambda finding: finding.get('id')" - ref: compact_ids action: core.transform.drop_nulls args: items: ${{ ACTIONS.finding_ids.result }} ``` ## `core.transform.filter` Filter a collection using a Python lambda function. ### Inputs Items to filter. Filter condition as a Python lambda expression (e.g. `"lambda x: x > 2"`). ### Examples **Filter, transform, and compact** ```yaml theme={null} - ref: normalize_hostname action: core.transform.apply args: value: ${{ TRIGGER.hostname }} python_lambda: "lambda value: value.strip().lower()" - ref: keep_open_findings action: core.transform.filter args: items: ${{ TRIGGER.findings }} python_lambda: "lambda finding: finding.get('status') == 'open'" - ref: finding_ids action: core.transform.map args: items: ${{ ACTIONS.keep_open_findings.result }} python_lambda: "lambda finding: finding.get('id')" - ref: compact_ids action: core.transform.drop_nulls args: items: ${{ ACTIONS.finding_ids.result }} ``` ## `core.transform.map` Map a Python lambda function to each item in a list. ### Inputs Items to map the lambda function to. Python lambda function as a string (e.g. `"lambda x: x.get('name')"`). ### Examples **Filter, transform, and compact** ```yaml theme={null} - ref: normalize_hostname action: core.transform.apply args: value: ${{ TRIGGER.hostname }} python_lambda: "lambda value: value.strip().lower()" - ref: keep_open_findings action: core.transform.filter args: items: ${{ TRIGGER.findings }} python_lambda: "lambda finding: finding.get('status') == 'open'" - ref: finding_ids action: core.transform.map args: items: ${{ ACTIONS.keep_open_findings.result }} python_lambda: "lambda finding: finding.get('id')" - ref: compact_ids action: core.transform.drop_nulls args: items: ${{ ACTIONS.finding_ids.result }} ``` ## `core.transform.drop_nulls` Remove null values from a list. ### Inputs List of items to filter. ### Examples **Filter, transform, and compact** ```yaml theme={null} - ref: normalize_hostname action: core.transform.apply args: value: ${{ TRIGGER.hostname }} python_lambda: "lambda value: value.strip().lower()" - ref: keep_open_findings action: core.transform.filter args: items: ${{ TRIGGER.findings }} python_lambda: "lambda finding: finding.get('status') == 'open'" - ref: finding_ids action: core.transform.map args: items: ${{ ACTIONS.keep_open_findings.result }} python_lambda: "lambda finding: finding.get('id')" - ref: compact_ids action: core.transform.drop_nulls args: items: ${{ ACTIONS.finding_ids.result }} ``` ## `core.transform.is_in` Filters items in a list based on whether they are in a collection. ### Inputs Collection of hashable items to check against. Items to filter. Python lambda applied to each item before checking membership (e.g. `"lambda x: x.get('name')"`). Similar to `key` in the Python `sorted` function. Default: `null`. ### Examples **Keep or exclude matching items** ```yaml theme={null} - ref: keep_known_users action: core.transform.is_in args: items: ${{ TRIGGER.users }} collection: - alice@example.com - bob@example.com python_lambda: "lambda user: user.get('email')" - ref: remove_known_users action: core.transform.not_in args: items: ${{ TRIGGER.users }} collection: - alice@example.com - bob@example.com python_lambda: "lambda user: user.get('email')" ``` ## `core.transform.not_in` Filters items in a list based on whether they are not in a collection. ### Inputs Collection of hashable items to check against. Items to filter. Python lambda applied to each item before checking membership (e.g. `"lambda x: x.get('name')"`). Similar to `key` in the Python `sorted` function. Default: `null`. ### Examples **Keep or exclude matching items** ```yaml theme={null} - ref: keep_known_users action: core.transform.is_in args: items: ${{ TRIGGER.users }} collection: - alice@example.com - bob@example.com python_lambda: "lambda user: user.get('email')" - ref: remove_known_users action: core.transform.not_in args: items: ${{ TRIGGER.users }} collection: - alice@example.com - bob@example.com python_lambda: "lambda user: user.get('email')" ``` ## `core.transform.deduplicate` Deduplicate a JSON object or a list of JSON objects given a list of keys. Returns a list of deduplicated JSON objects. ### Inputs JSON object or list of JSON objects to deduplicate. List of JSONPath keys to deduplicate by. Supports dot notation for nested keys (e.g. `['user.id']`). Time to live for the deduplicated items in seconds. Defaults to 1 hour. Default: `3600`. Whether to persist deduplicated items across calls. If True, deduplicates across calls. If False, deduplicates within the current call only. Default: `true`. ### Examples **Deduplicate by a stable key** ```yaml theme={null} - ref: deduplicate_findings action: core.transform.deduplicate args: items: ${{ TRIGGER.findings }} keys: - finding_id persist: true expire_seconds: 3600 - ref: finding_seen action: core.transform.is_duplicate args: item: ${{ TRIGGER.finding }} keys: - finding_id expire_seconds: 3600 ``` ## `core.transform.is_duplicate` Check if a JSON object was recently seen. ### Inputs JSON object to check. List of JSONPath keys to check. Time to live for the deduplicated items in seconds. Defaults to 1 hour. Default: `3600`. ### Examples **Deduplicate by a stable key** ```yaml theme={null} - ref: deduplicate_findings action: core.transform.deduplicate args: items: ${{ TRIGGER.findings }} keys: - finding_id persist: true expire_seconds: 3600 - ref: finding_seen action: core.transform.is_duplicate args: item: ${{ TRIGGER.finding }} keys: - finding_id expire_seconds: 3600 ``` ## `core.transform.flatten_json` Flatten a JSON object into a single level of fields. ### Inputs JSON object to flatten. ### Examples **Flatten and query JSON** ```yaml theme={null} - ref: flatten_alert action: core.transform.flatten_json args: json: ${{ TRIGGER.alert }} - ref: extract_fields action: core.transform.eval_jsonpaths args: json: ${{ TRIGGER.alert }} jsonpaths: user: $.actor.email source_ip: $.network.source.ip ``` ## FAQ Expressions support Tracecat literals, operators, and `FN.*` helper functions. Python lambda functions are not part of the expression language, so they must be passed as strings to actions such as `core.transform.apply`, `core.transform.filter`, or `core.transform.map`. Use `FN.*` for short inline transforms, and use `core.transform.*` when you need Python-style per-item logic. ```yaml theme={null} - ref: extract_ids action: core.transform.map args: items: ${{ TRIGGER.findings }} python_lambda: "lambda finding: finding.get('id')" ``` Add a small debug reshape step first. This lets you confirm whether you have a list or object, inspect a count, and verify the field path you plan to iterate over. ```yaml theme={null} - ref: inspect_findings action: core.transform.reshape args: value: result_type: ${{ FN.typeof(ACTIONS.fetch_findings.result) }} findings_type: ${{ FN.typeof(ACTIONS.fetch_findings.result.findings) if ACTIONS.fetch_findings.result != None else None }} findings_count: ${{ FN.length(ACTIONS.fetch_findings.result.findings) if ACTIONS.fetch_findings.result != None else 0 }} ``` ## `core.transform.eval_jsonpaths` Eval multiple JSONPath expressions on an object. ### Inputs JSON object to eval JSONPath expressions on. JSONPath expressions to eval. ### Examples **Flatten and query JSON** ```yaml theme={null} - ref: flatten_alert action: core.transform.flatten_json args: json: ${{ TRIGGER.alert }} - ref: extract_fields action: core.transform.eval_jsonpaths args: json: ${{ TRIGGER.alert }} jsonpaths: user: $.actor.email source_ip: $.network.source.ip ``` # Python script Source: https://docs.tracecat.com/automations/core-actions/transform-actions/python-script ## `core.script.run_python` Execute a Python script. ### Inputs Python script to execute. Must contain at least one function. If multiple functions are defined, one must be named 'main'. Returns the output of the function. Whether to allow network access during script execution. Default is False. Note: package installation always has network access. Default: `false`. Optional list of Python package dependencies to install via pip. Packages are cached between executions for performance. Default: `null`. Environment variables to set in the sandbox. Use this to inject secrets or configuration. Default: `null`. Input data passed as function arguments to the main function. Keys must match the parameter names in the function signature. Missing parameters will receive `None`. Default: `null`. Maximum execution time in seconds. Default is 300 seconds (5 minutes). Default: `300`. ### Examples **Enrich a payload** ```yaml theme={null} - ref: normalize_findings action: core.script.run_python args: inputs: findings: ${{ TRIGGER.findings }} script: | def main(findings): return [ { "id": finding["id"], "severity": str(finding["severity"]).lower(), } for finding in findings ] timeout_seconds: 60 ``` # Require Source: https://docs.tracecat.com/automations/core-actions/transform-actions/require ## `core.require` Evaluate a conditional expression and returns the boolean result. ### Inputs Conditional expression(s) to evaluate. All must be true for the result to be true. If `True`, the function will raise an error if the condition is false. If `False`, the function will return `False` instead. Default: `true`. If `True`, all conditions must be true for the result to be true. If `False`, only one condition must be true. Default: `true`. ### Examples **Stop when prerequisites are not met** ```yaml theme={null} - ref: require_inputs action: core.require args: conditions: - ${{ TRIGGER.case_id != None }} - ${{ TRIGGER.severity in ["high", "critical"] }} require_all: true raise_error: true ``` # Reshape Source: https://docs.tracecat.com/automations/core-actions/transform-actions/reshape ## `core.transform.reshape` Define the exact scalar, object, or list output you want from workflow data. `core.transform.reshape` evaluates expressions anywhere in the input value. Use it to extract fields, rename keys, hardcode values, and compose new objects or lists from trigger data and earlier actions. ### Inputs The value to reshape ### Examples **Return one value** ```yaml theme={null} - ref: extract_owner_email action: core.transform.reshape args: value: ${{ ACTIONS.get_alert.result.data.owner.email }} ``` **Build a new object or list** ```yaml theme={null} - ref: build_summary action: core.transform.reshape args: value: alert_id: ${{ TRIGGER.alert_id }} severity: ${{ TRIGGER.severity }} owner: ${{ TRIGGER.owner.email }} labels: - triage - security ``` **Use expressions and functions inline** ```yaml theme={null} - ref: normalize_alert action: core.transform.reshape args: value: id: ${{ TRIGGER.alert_id }} title: ${{ TRIGGER.title || "Untitled alert" }} severity: ${{ FN.lowercase(TRIGGER.severity) }} source_ip_version: ${{ FN.check_ip_version(TRIGGER.source_ip) }} created_at: ${{ FN.to_isoformat(TRIGGER.created_at) }} ``` # Run subflow Source: https://docs.tracecat.com/automations/core-actions/workflow-actions/run-subflow ## `core.workflow.execute` Execute a workflow by alias. ### Inputs Alias of the subflow to execute. Must be provided. Number of subflows to execute in parallel. Default: `32`. Subflow's target execution environment. This is used to isolate secrets across different environments.If not provided, the subflow's default environment is used. Default: `null`. Fail strategy to use when a subflow fails. Default: `"isolated"`. Allowed values: `isolated`, `all`. Execution strategy to use for the subflow. Default: `"batch"`. Allowed values: `parallel`, `batch`, `sequential`. Maximum number of seconds to wait for the subflow to complete. If not provided, the subflow's default timeout is used. Default: `null`. Inputs to pass to the subflow (arbitrary JSON). Default: `null`. Version of the subflow definition, if any. Default: `null`. Wait strategy to use when waiting for subflows to complete. In `wait` mode, this action will wait for all subflows to complete before returning. Any subflow failures will be reported as an error. In `detach` mode, this action will return immediately after the subflows are created. A failing subflow will not affect the parent. Default: `"detach"`. Allowed values: `wait`, `detach`. ### Examples **Run a subflow** ```yaml theme={null} - ref: run_subflow action: core.workflow.execute args: workflow_alias: enrich_case trigger_inputs: case_id: ${{ TRIGGER.case_id }} severity: ${{ TRIGGER.severity }} wait_strategy: wait timeout: 300 ``` ## `core.workflow.get_status` Get the status of a workflow execution. ### Inputs The workflow execution ID to check. ### Examples **Check an execution** ```yaml theme={null} - ref: launch_subflow action: core.workflow.execute args: workflow_alias: collect_evidence trigger_inputs: case_id: ${{ TRIGGER.case_id }} - ref: subflow_status action: core.workflow.get_status depends_on: - launch_subflow args: wf_exec_id: ${{ ACTIONS.launch_subflow.result.wf_exec_id }} ``` # Scatter-gather loops Source: https://docs.tracecat.com/automations/core-actions/workflow-actions/scatter-gather-loops ## `core.transform.scatter` Transform a collection of items into parallel execution streams, where each item is processed independently. ### Inputs The collection to scatter. Each item in the collection will be processed independently in its own execution stream. This should be a JSONPath expression to a collection or a list of items. The interval in seconds between each scatter task. Default: `null`. ### Examples **Fan out and collect results** ```yaml theme={null} - ref: scatter_hosts action: core.transform.scatter args: collection: ${{ TRIGGER.hosts }} - ref: check_host action: core.http_request depends_on: - scatter_hosts args: url: https://scanner.example.com/hosts/${{ ACTIONS.scatter_hosts.result.id }} method: GET - ref: gather_results action: core.transform.gather depends_on: - check_host args: items: ${{ ACTIONS.check_host.result }} drop_nulls: true error_strategy: partition ``` ## `core.transform.gather` Collect the results of a list of execution streams into a single list. ### Inputs The JSONPath expression referencing the item to gather in the current execution stream. Whether to drop null values from the final result. If True, any null values encountered during the gather operation will be omitted from the output list. Default: `false`. Controls how errors are handled when gathering. "partition" puts successful results in `.result` and errors in `.error`. "include" puts errors in `.result` as JSON objects. "drop" removes errors from `.result`. "raise" fails the gather if any branch errors. Default: `"partition"`. Allowed values: `partition`, `include`, `drop`, `raise`. ### Examples **Fan out and collect results** ```yaml theme={null} - ref: scatter_hosts action: core.transform.scatter args: collection: ${{ TRIGGER.hosts }} - ref: check_host action: core.http_request depends_on: - scatter_hosts args: url: https://scanner.example.com/hosts/${{ ACTIONS.scatter_hosts.result.id }} method: GET - ref: gather_results action: core.transform.gather depends_on: - check_host args: items: ${{ ACTIONS.check_host.result }} drop_nulls: true error_strategy: partition ``` # While loops Source: https://docs.tracecat.com/automations/core-actions/workflow-actions/while-loops ## `core.loop.start` Open a do-while control-flow region. ### Inputs This action does not take input fields. ### Examples **Repeat until a condition is met** ```yaml theme={null} - ref: loop_start action: core.loop.start - ref: check_status action: core.http_request depends_on: - loop_start args: url: https://api.example.com/jobs/${{ TRIGGER.job_id }} method: GET - ref: loop_end action: core.loop.end depends_on: - check_status args: condition: ${{ ACTIONS.check_status.result.data.status != "completed" }} max_iterations: 20 ``` ## `core.loop.end` Close a do-while control-flow region and evaluate whether execution should loop back to the matching `core.loop.start`. ### Inputs Expression evaluated after the loop body; truthy values continue looping. Maximum number of loop iterations before failing. Default: `100`. ### Examples **Repeat until a condition is met** ```yaml theme={null} - ref: loop_start action: core.loop.start - ref: check_status action: core.http_request depends_on: - loop_start args: url: https://api.example.com/jobs/${{ TRIGGER.job_id }} method: GET - ref: loop_end action: core.loop.end depends_on: - check_status args: condition: ${{ ACTIONS.check_status.result.data.status != "completed" }} max_iterations: 20 ``` # Expressions Source: https://docs.tracecat.com/automations/core-concepts/expressions Syntax reference for Tracecat expressions: contexts, operators, functions, and JSONPath access patterns used inside workflow and agent definitions. ## Overview Tracecat expressions let you build values from trigger data, action results, secrets, variables, and functions. Expressions use `${{ ... }}`. ## Where expressions are used You can use expressions in: * Action inputs * `run_if` * `for_each` * Action `environment` * Workflow environment * Output schema Use `var.` in action inputs for actions that run with `for_each`. ## Expression contexts Use these references inside expressions: * `TRIGGER.` * `ACTIONS..result` * `SECRETS..` * `VARS..` * `ENV.` * `var.` * `FN.(...)` ## Operators Expressions support literals and operators. ### Literals * String literals such as `"high"` and `'prod'` * Numeric literals such as `1` and `3.14` * Boolean literals such as `True` and `False` * Null literals such as `None` * List literals such as `["a", "b"]` * Object literals with string keys such as `{"severity": "high"}` ### Operators * Logical operators: `||` and `&&` * Comparison operators such as `==`, `!=`, `<`, `<=`, `>`, `>=` * Arithmetic operators such as `+`, `-`, `*`, `/`, `%` * Ternary expressions such as `${{ "p1" if TRIGGER.severity == "high" else "p3" }}` Python-style `or` / `and` and SQL-style `OR` / `AND` are not supported. ## Examples Basic trigger reference: ```yaml Expression theme={null} text: "Alert ${{ TRIGGER.alert_id }}" ``` ```json Result theme={null} { "text": "Alert al-123" } ``` Action result reference: ```yaml Expression theme={null} value: ${{ ACTIONS.fetch_alert.result }} ``` ```json Result theme={null} { "value": { "id": "al-123", "status": "open" } } ``` Secret reference: ```yaml Expression theme={null} token: ${{ SECRETS.github.GITHUB_TOKEN }} ``` ```json Result theme={null} { "token": "ghp_xxxxx" } ``` Variable reference: ```yaml Expression theme={null} team: ${{ VARS.routing.team }} ``` ```json Result theme={null} { "team": "secops" } ``` Conditional execution: ```yaml Expression theme={null} run_if: ${{ FN.is_equal(TRIGGER.severity, "high") }} ``` ```json Result theme={null} { "run_if": true } ``` Iteration: ```yaml Expression theme={null} for_each: ${{ for var.alert in TRIGGER.alerts }} ``` ```json Result theme={null} [ { "var.alert": { "id": "al-1", "severity": "high" } }, { "var.alert": { "id": "al-2", "severity": "low" } } ] ``` Using `var.` in action inputs: ```yaml Expression theme={null} title: ${{ var.alert.title }} severity: ${{ var.alert.severity }} ``` ```json Result theme={null} { "title": "Suspicious login", "severity": "high" } ``` Ternary: ```yaml Expression theme={null} priority: ${{ "p1" if TRIGGER.severity == "high" else "p3" }} ``` ```json Result theme={null} { "priority": "p1" } ``` Function call: ```yaml Expression theme={null} created_at: ${{ FN.to_datetime(TRIGGER.created_at) }} ``` ```json Result theme={null} { "created_at": "2026-03-18T09:00:00" } ``` Nested list literal: ```yaml Expression theme={null} value: ${{ [1, [2, 3], {"severity": "high", "flags": [True, False, None]}] }} ``` ```json Result theme={null} { "value": [ 1, [2, 3], { "severity": "high", "flags": [true, false, null] } ] } ``` Nested object literal: ```yaml Expression theme={null} value: ${{ {"alert": {"id": "al-123", "tags": ["auth", "critical"]}, "ok": True, "meta": None} }} ``` ```json Result theme={null} { "value": { "alert": { "id": "al-123", "tags": ["auth", "critical"] }, "ok": true, "meta": null } } ``` ## FAQ Some actions only return data in certain conditions. For example, a hash enrichment might find no matches in your threat intel source. When a field does not exist, the expression resolves to `None` — no error is raised. Use `run_if` with a `!= None` check to skip downstream actions when the data is missing, or use a ternary to supply a fallback value. ```yaml Skip an action when the result is missing theme={null} - ref: check_hash action: tools.virustotal.get_file_report args: hash: ${{ TRIGGER.file_hash }} - ref: escalate_alert action: tools.slack.post_message depends_on: - check_hash run_if: ${{ ACTIONS.check_hash.result != None && ACTIONS.check_hash.result.malicious_count != None }} args: channel: ${{ SECRETS.slack.SECURITY_CHANNEL }} text: "Hash ${{ TRIGGER.file_hash }} flagged by ${{ ACTIONS.check_hash.result.malicious_count }} vendors" ``` ```yaml Supply a fallback value theme={null} - ref: build_summary action: core.transform.reshape depends_on: - check_hash args: value: verdict: ${{ ACTIONS.check_hash.result.verdict if ACTIONS.check_hash.result != None else "unknown" }} is_known_bad: ${{ ACTIONS.check_hash.result.malicious_count > 0 if ACTIONS.check_hash.result.malicious_count != None else False }} ``` ## Related pages * See [Workflow definition](/automations/core-concepts/workflow-definition) for where expressions appear in workflow YAML. * See [JSONPath](/automations/core-concepts/jsonpath) for field access, arrays, and filters. * See [Functions](/automations/core-concepts/functions) for the full function reference. # Functions Source: https://docs.tracecat.com/automations/core-concepts/functions Inline utility functions for Tracecat expressions: transform strings, dates, numbers, lists, and JSON inside workflow and agent definitions. ## Overview Tracecat expressions can call built-in functions with the `FN.(...)` syntax. Function results support bracket indexing such as `FN.range(0, 3)[0]`. Function results do not support JSONPath wildcards or filters such as `FN.range(0, 3)[*]`. Use in-line functions for one-line data transforms in action inputs. For more complex logic, use a Python script or a custom UDF instead. ## Examples Build a prompt or short string: ```yaml Expression theme={null} prompt: ${{ FN.format("Investigate alert {0} with severity {1}", TRIGGER.alert_id, TRIGGER.severity) }} ``` ```json Result theme={null} { "prompt": "Investigate alert al-123 with severity high" } ``` Time manipulation for alert search windows: ```yaml Expression theme={null} start_time: ${{ FN.to_isoformat(FN.now() - FN.minutes(15)) }} end_time: ${{ FN.to_isoformat(FN.now()) }} ``` ```json Result theme={null} { "start_time": "2026-03-18T12:45:00", "end_time": "2026-03-18T13:00:00" } ``` ## Related pages * See the [Functions cheatsheet](/cheatsheets/functions) for the full function reference and more examples. * See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts. # JSONPath Source: https://docs.tracecat.com/automations/core-concepts/jsonpath Path access reference for Tracecat expressions: navigate trigger payloads, action results, secrets, and variables with JSONPath syntax. ## Overview JSONPath is used inside expression contexts such as `TRIGGER` and `ACTIONS..result` to access nested fields and arrays. ## Field access Use dot notation for nested fields. ```yaml Expression theme={null} theme: ${{ TRIGGER.data.settings.theme }} status: ${{ ACTIONS.fetch_alert.result.status }} ``` ```json Result theme={null} { "theme": "dark", "status": "open" } ``` Use quoted field names when the field contains special characters. ```yaml Expression theme={null} value: ${{ TRIGGER.data."alert.sample.data" }} dash_value: ${{ TRIGGER.data."field-with-dashes" }} ``` ```json Result theme={null} { "value": "sample-1", "dash_value": "ok" } ``` ## Array access Use brackets to access array items. ```yaml Expression theme={null} first_item: ${{ TRIGGER.items[0] }} last_item: ${{ TRIGGER.items[-1] }} first_name: ${{ ACTIONS.lookup_users.result.users[0].name }} ``` ```json Result theme={null} { "first_item": {"id": "a1"}, "last_item": {"id": "a3"}, "first_name": "Alice" } ``` ## Wildcards Use `[*]` to select all items in an array. ```yaml Expression theme={null} ids: ${{ TRIGGER.items[*].id }} names: ${{ ACTIONS.lookup_users.result.users[*].name }} ``` ```json Result theme={null} { "ids": ["a1", "a2", "a3"], "names": ["Alice", "Bob", "Carol"] } ``` Wildcard expressions return a list. ## Filters Use filters to select matching items. ```yaml Expression theme={null} active_users: ${{ ACTIONS.lookup_users.result.users[?(@.active == true)] }} high_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }} matching_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }} ``` ```json Result theme={null} { "active_users": [{"name": "Alice", "active": true}], "high_scores": [{"name": "Alice", "score": 96}], "matching_alerts": [{"id": "al-1", "severity": "high"}] } ``` Filter expressions return a list. ## Missing fields Accessing a field that does not exist returns `None`. No error is raised. ```yaml Expression theme={null} value: ${{ ACTIONS.check_hash.result.id }} ``` ```json Result (field does not exist) theme={null} { "value": null } ``` Guard against `None` with a null check before dereferencing deeper fields. ```yaml theme={null} run_if: ${{ ACTIONS.check_hash.result != None && ACTIONS.check_hash.result.id != None }} ``` ## Related pages * See the [JSONPath cheatsheet](/cheatsheets/jsonpath) for detailed filter patterns, return behavior, and more examples. * See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts. * See [Functions](/automations/core-concepts/functions) for helper functions you can use alongside JSONPath access. # Secrets Source: https://docs.tracecat.com/automations/core-concepts/secrets Create, scope, and reference Tracecat secrets in workflows and agents: store API keys safely and inject them into actions through expressions. ## Overview Secrets store sensitive values. Create them in `/credentials`. Create secret ## Using secrets in expressions Access a secret in expressions with: ```yaml theme={null} ${{ SECRETS.. }} ``` ## Secret types Tracecat supports these workspace secret types: | Type | Value | Description | | -------------- | --------- | ---------------------------------------- | | Custom | `custom` | Arbitrary key-value credentials | | SSH key | `ssh_key` | A single SSH private key | | mTLS | `mtls` | A TLS client certificate and private key | | CA certificate | `ca_cert` | A CA certificate bundle | ### Custom credentials Custom credentials store arbitrary key-value pairs. Any keys can be used. ### Structured secret types SSH key, mTLS, and CA certificate secrets use fixed key names. The credentials UI renders a specialized form for each type (e.g. a PEM textarea for SSH keys instead of generic key-value inputs). | Type | Required keys | | -------------- | ------------------------------------ | | SSH key | `PRIVATE_KEY` | | mTLS | `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY` | | CA certificate | `CA_CERTIFICATE` | Structured secret types cannot have `optional_keys`. The key set is fixed by the type. ## SQL action credentials `core.sql.execute_query` uses a secret named `sql` with one required key: `CONNECTION_URL`. Set `CONNECTION_URL` as a SQLAlchemy database URL: ```text theme={null} postgresql+psycopg://user:pass@db.example.com:5432/app ``` Common engine examples: * PostgreSQL (psycopg3): `postgresql+psycopg://user:pass@db.example.com:5432/app` * MySQL: `mysql+pymysql://user:pass@db.example.com:3306/app` * ClickHouse: `clickhouse+http://user:pass@clickhouse.example.com:8123/default` See SQLAlchemy Database URLs for supported dialect and driver formats: [https://docs.sqlalchemy.org/20/core/engines.html#database-urls](https://docs.sqlalchemy.org/20/core/engines.html#database-urls) ## AWS credentials ### Protected secret names `aws` and `amazon_s3` are **protected** secret names. When a secret with either name contains `AWS_ROLE_ARN`, Tracecat automatically performs STS `AssumeRole` on the host before sandbox entry and injects temporary session credentials. This applies to any registry action (built-in or custom) that declares a secret with one of these names. `tools.aws_boto3` actions use the `aws` secret. `tools.amazon_s3` actions use the `amazon_s3` secret. Both follow the same key schema. ### Supported keys * `AWS_ROLE_ARN` — recommended; Tracecat assumes the role on the host * `AWS_ROLE_SESSION_NAME` — optional audit session label * `AWS_ACCESS_KEY_ID` * `AWS_SECRET_ACCESS_KEY` * `AWS_SESSION_TOKEN` * `AWS_REGION` ### Credential resolution order 1. `AWS_ROLE_ARN` (STS AssumeRole with auto-injected `TRACECAT_AWS_EXTERNAL_ID`) 2. `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` + `AWS_SESSION_TOKEN` 3. `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` ## Secret environments Every secret belongs to a Workflow environment. * Default source: the workflow default environment in [Workflows](/automations/workflows). * Override: per action in [Actions](/automations/actions) control flow. * Fallback: `default`. Examples: * Different CrowdStrike tenants for `prod`, `staging`, or `lab` * Multiple Slack apps for separate workspaces or business units * Separate sandbox and production API credentials for the same vendor ## Access secrets in agents Agents can use secret expressions in tool arguments and integration configuration. Secret values are resolved during tool execution and are not sent to the LLM provider. ```text theme={null} When you call Slack tools, use `${{ SECRETS.slack.SLACK_BOT_TOKEN }}`. When you call Jira tools, use `${{ SECRETS.jira.JIRA_API_TOKEN }}`. Do not print secret values in the final answer. ``` ## Custom registry actions Authors of [Python UDFs](/custom-actions/python-udf) and [YAML templates](/custom-actions/yaml-template) declare required secrets in the registry (including OAuth and structured secret types). The same `${{ SECRETS... }}` syntax applies; see [Use OAuth tokens in expressions](/automations/integrations/oauth-integrations#use-oauth-tokens-in-expressions) on the OAuth page for token paths, `RegistryOAuthSecret` and YAML `type: oauth`, and Custom OAuth `provider_id` rules. ## Related pages * See [Pre-built credentials](/automations/integrations/prebuilt-credentials) for provider-specific credential templates for built-in integrations. * See [OAuth](/automations/integrations/oauth-integrations) for integrations that authenticate with OAuth flows. * See [MCP](/automations/integrations/mcp-integrations) for MCP integrations and secure environment-based settings. * See [Expressions](/automations/core-concepts/expressions) for how expressions work across triggers, actions, secrets, and variables. # Variables Source: https://docs.tracecat.com/automations/core-concepts/variables Create and reference reusable Tracecat workspace variables in workflows and agents: share configuration and constants across automations without duplicating values. ## Overview Variables store reusable non-secret values. ## Using variables in expressions Access a variable in expressions with: ```yaml theme={null} ${{ VARS.. }} ``` ## Variable fields Each variable has these fields: * Name: a lowercase snake case name such as `jira` or `api_config` * Values: one or more key-value pairs * Environment: the Workflow environment where the variable applies ## When to use variables Use variables for non-sensitive values such as: * Base URLs * Project IDs * Queue names * Routing rules * Tenant-specific defaults Use a [secret](/automations/core-concepts/secrets) for sensitive values. ## Variable environments Every variable belongs to a Workflow environment. * Default source: the workflow default environment in [Workflows](/automations/workflows). * Override: per action in [Actions](/automations/actions) control flow. * Fallback: `default`. ## Access variables in agents Agents can use variable expressions in tool arguments and integration configuration. Values are resolved during tool execution and are not fetched directly by the LLM provider. ```text theme={null} When you call Jira tools, use `${{ VARS.jira.base_url }}` as the base URL and `${{ VARS.jira.project_key }}` as the default project key. ``` ## Related pages * See [Secrets](/automations/core-concepts/secrets) for sensitive values such as API keys, passwords, and certificates. * See [Expressions](/automations/core-concepts/expressions) for how expressions work across triggers, actions, secrets, and variables. # Workflow definition Source: https://docs.tracecat.com/automations/core-concepts/workflow-definition YAML reference for Tracecat workflow definitions: triggers, actions, inputs, outputs, control flow, and schema fields used to author and version workflows. This page was written for advanced builders who want to review and edit workflows in code. ## Overview Workflows in Tracecat are defined as YAML workflow definitions. ## Workflow schema The workflow body uses these top-level fields: ```yaml theme={null} title: description: entrypoint: config: triggers: error_handler: actions: returns: ``` A minimal workflow looks like this: ```yaml theme={null} title: "Minimal workflow" description: "Return a static value" entrypoint: expects: {} actions: - ref: build_result action: core.transform.reshape args: value: status: ok returns: ${{ ACTIONS.build_result.result }} ``` ## Top-level fields Workflow name. Workflow description. Input schema. Use `expects` to define trigger inputs in the workflow definition. Workflow settings. Supported fields are `environment` and `timeout`. Optional trigger definitions. Trigger types are `webhook` and `schedule`. Workflow alias to run when the workflow fails. Workflow actions. Output schema. Use `returns` to define the workflow output in the workflow definition. Example input schema: ```yaml theme={null} entrypoint: expects: alert_id: type: str description: The alert to investigate severity: type: enum["low", "medium", "high"] default: medium ``` Example output schema: ```yaml theme={null} returns: finding_count: ${{ FN.length(ACTIONS.gather_results.result) }} findings: ${{ ACTIONS.gather_results.result }} ``` ## Actions schema Unique action identifier. It must be unique within the workflow and match Tracecat's slug format. Fully qualified action name such as `core.http_request`, `core.transform.reshape`, `core.transform.scatter`, `core.loop.end`, or `tools.slack.post_message`. Action inputs. The valid keys depend on the action type. Dependencies for this action. Use `upstream_ref` for a success edge, `upstream_ref.success` for an explicit success edge, and `upstream_ref.error` for an error edge. Any other suffix is invalid. Conditional expression. If it evaluates to a falsy value, the action is skipped. Run the action once per item in a collection. Inside the action, access the current item through `var.`. Example: `for_each: ${{ for var.alert in TRIGGER.alerts }}`. Retry configuration with `max_attempts` and `timeout`. Delay in seconds before the action starts. Join behavior for downstream actions. Use `all` to wait for all upstream branches, or `any` to allow a downstream join to complete once any upstream branch completes. Per-action override for the secrets environment. Redacts this action's result in workflow execution views and execution API responses. Tracecat keeps object and array structure but replaces each individual value, so JSONPath references remain visible. Downstream actions still receive the original result. Marks an action as interactive. `interaction` cannot be combined with `for_each`. Example action: ```yaml theme={null} - ref: fetch_alert action: core.http_request args: url: "https://api.example.com/alerts/${{ TRIGGER.alert_id }}" method: GET headers: Authorization: "Bearer ${{ SECRETS.alerting.API_TOKEN }}" retry_policy: max_attempts: 3 timeout: 60 ``` ## Expressions Expressions use `${{ ... }}`. Use these references inside expressions: * `TRIGGER.` * `ACTIONS..result` * `SECRETS..` * `VARS..` * `ENV.` * `var.` * `FN.(...)` See [Expressions](/automations/core-concepts/expressions) for syntax, operators, and literals. See [JSONPath](/automations/core-concepts/jsonpath) for field access and array access. See [Functions](/automations/core-concepts/functions) for the full function list. ## Control-flow primitives ### Conditional execution with `run_if` ```yaml theme={null} title: "Conditional workflow" description: "Only notify on high severity" entrypoint: expects: severity: type: str actions: - ref: build_message action: core.transform.reshape args: value: "Severity is ${{ TRIGGER.severity }}" - ref: notify action: tools.slack.post_message depends_on: - build_message run_if: ${{ FN.is_equal(TRIGGER.severity, "high") }} args: channel: ${{ SECRETS.slack.SLACK_CHANNEL }} text: ${{ ACTIONS.build_message.result }} ``` ### Scatter and gather Use `core.transform.scatter` to fan out a collection into parallel streams, then `core.transform.gather` to collect results back into a list. ```yaml theme={null} title: "Scatter gather workflow" description: "Fetch details for each item" entrypoint: expects: items: type: list[dict[str, Any]] actions: - ref: scatter_items action: core.transform.scatter args: collection: ${{ TRIGGER.items }} - ref: fetch_item action: core.http_request depends_on: - scatter_items args: url: "https://api.example.com/items/${{ ACTIONS.scatter_items.result.id }}" method: GET - ref: gather_results action: core.transform.gather depends_on: - fetch_item args: items: ${{ ACTIONS.fetch_item.result }} drop_nulls: true error_strategy: partition returns: ${{ ACTIONS.gather_results.result }} ``` Within a scatter region, each downstream action reads the current item through `ACTIONS..result`. ### Do-while loops Use `core.loop.start` to open a loop region and `core.loop.end` to decide whether to continue. ```yaml theme={null} title: "Loop workflow" description: "Retry until the third iteration" entrypoint: expects: {} actions: - ref: loop_start action: core.loop.start - ref: body action: core.transform.reshape depends_on: - loop_start args: value: iteration: ${{ ACTIONS.loop_start.result.iteration }} - ref: loop_end action: core.loop.end depends_on: - body args: condition: ${{ ACTIONS.loop_start.result.iteration < 2 }} max_iterations: 10 - ref: after_loop action: core.transform.reshape depends_on: - loop_end args: value: ${{ ACTIONS.loop_end.result.continue }} returns: ${{ ACTIONS.after_loop.result }} ``` Loop-specific behavior: * `core.loop.start` exposes `ACTIONS..result.iteration` * `core.loop.end` requires `condition` * `max_iterations` defaults to `100` ### Subflows Use `core.workflow.execute` to run a subflow. ```yaml theme={null} title: "Subflow launcher" description: "Execute a subflow for each alert" entrypoint: expects: alerts: type: list[dict[str, Any]] actions: - ref: run_subflow action: core.workflow.execute for_each: ${{ for var.alert in TRIGGER.alerts }} args: workflow_id: wf-fee9abc1cc88417bbccb73433646e2c6 trigger_inputs: alert: ${{ var.alert }} returns: null ``` The subflow target is usually provided through `workflow_id`. Trigger data is passed through `trigger_inputs`. ## Validation rules These are the main workflow rules: * All action refs must be unique. * Every dependency in `depends_on` must reference a real action. * Cycles in the action graph are invalid. * `interaction` cannot be combined with `for_each`. * Outer scopes cannot reference actions inside a nested scatter or loop scope. * Inner scopes can reference actions in parent scopes. * `core.transform.gather` must close the scatter scope it depends on. * `core.loop.end` must close the loop scope it depends on. ## Workflow definition schema Workflow definitions may also use this outer schema: ```yaml theme={null} definition: title: "Imported workflow" description: "This is the executable workflow DSL" entrypoint: expects: {} actions: - ref: a action: core.transform.reshape args: value: ok returns: ${{ ACTIONS.a.result }} layout: trigger: x: 0 y: 0 viewport: x: 0 y: 0 zoom: 1 actions: - ref: a x: 0 y: 160 schedules: - cron: "0 * * * *" status: online webhook: methods: - POST status: online case_trigger: status: offline event_types: [] tag_filters: [] ``` # MCP servers Source: https://docs.tracecat.com/automations/integrations/mcp-integrations Connect remote and stdio MCP servers to Tracecat agents: register tools, scope authentication, and call third-party MCP tools from agent runs. ## Overview Tracecat supports two MCP integration types: * Remote MCP over URL (`HTTP` or `SSE`) * Local MCP over `stdio` Agents attach MCP integrations from the preset builder. MCP options ## Remote MCP Use remote MCP when the server is exposed over a URL. Authentication modes: * No Authentication * Custom * OAuth Remote MCP authentication ### OAuth for remote MCP For remote MCP with OAuth, link the MCP integration to an existing OAuth integration. Tracecat refreshes the token and sets the `Authorization` header automatically. For a custom remote MCP server, first create a custom OAuth provider in [OAuth](/automations/integrations/oauth-integrations), then attach it to the MCP integration. ### Custom headers for remote MCP `Custom` authentication stores request headers as JSON. ```json theme={null} { "Authorization": "Bearer token123", "X-API-Key": "abc123" } ``` Remote MCP custom header JSON does not resolve `${{ SECRETS.* }}` or `${{ VARS.* }}`. Header values are sent as literal strings. ## Stdio MCP Use `stdio` MCP when Tracecat should launch a local command such as `npx`, `uvx`, or a custom binary. `stdio` environment variables support Tracecat expressions. ```json theme={null} { "GITHUB_TOKEN": "${{ SECRETS.github.TOKEN }}", "GITHUB_HOST": "${{ VARS.github.host }}" } ``` Tracecat resolves those expressions from the workflow default environment unless overridden in action control flow. ## Secrets and variables in MCP configuration Expression support differs by MCP integration type: * `stdio` environment variables support `${{ SECRETS.* }}` and `${{ VARS.* }}`. * Remote MCP OAuth mode does not need secret expressions for the bearer token because Tracecat injects the OAuth token automatically. * Remote MCP custom header JSON does not currently resolve `${{ SECRETS.* }}` or `${{ VARS.* }}`. ## Related pages * See [OAuth](/automations/integrations/oauth-integrations) for custom OAuth providers and OAuth token expressions. * See [Secrets](/automations/core-concepts/secrets) for environment-scoped secret resolution. * See [Variables](/automations/core-concepts/variables) for non-secret values used in `stdio` environment variables. # OAuth Source: https://docs.tracecat.com/automations/integrations/oauth-integrations Connect OAuth providers to Tracecat and reference managed OAuth tokens in expressions: configure scopes, refresh credentials, and call APIs from actions and agents. ## Overview Tracecat supports built-in OAuth integrations and custom OAuth providers. OAuth integrations expose tokens through secret expressions. OAuth integrations ## Grant types OAuth grant types: * Delegated access (`authorization_code`): Tracecat stores a user token after a user completes the OAuth login flow. * Client credentials (`client_credentials`): Tracecat stores a service token for server-to-server access. ## Configure a provider Built-in OAuth integrations are listed on the Integrations page. For custom OAuth, use Add integration → OAuth provider (or Add custom OAuth provider under Custom OAuth). Most providers require these fields: * Client ID * Client secret * Authorization endpoint * Token endpoint * Scopes After you save a custom provider, connect it (complete the OAuth flow) when using delegated access so Tracecat can issue tokens. ## Use OAuth tokens in expressions Use the same `${{ SECRETS... }}` syntax as workflow actions. Custom secrets (API keys, SSH, mTLS, CA bundles, and so on): ```yaml theme={null} ${{ SECRETS.. }} ``` OAuth tokens live under `_oauth`. The key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`: * `authorization_code`: `${{ SECRETS._oauth._USER_TOKEN }}` * `client_credentials`: `${{ SECRETS._oauth._SERVICE_TOKEN }}` ```yaml theme={null} ${{ SECRETS.slack_oauth.SLACK_USER_TOKEN }} ${{ SECRETS.google_docs_oauth.GOOGLE_DOCS_SERVICE_TOKEN }} ``` Optional fallback when either grant type is allowed: ```yaml theme={null} ${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN || SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_SERVICE_TOKEN }} ``` ## Python UDFs Declare credentials in `@registry.register(..., secrets=[...])`. * `RegistrySecret`: static keys; set `secret_type` to `ssh_key`, `mtls`, or `ca_cert` when needed ([secret types](/automations/core-concepts/secrets)). Optional: `optional`, `optional_keys`. * `RegistryOAuthSecret`: declares a dependency on an existing OAuth integration. Pass the `provider_id` and `grant_type` that match the integration in your workspace (a mismatch — for example declaring `authorization_code` when the integration uses `client_credentials` — will not resolve). Read values with `secrets.get("")` (key only, e.g. `GOOGLE_DRIVE_USER_TOKEN`), not a `SECRETS.` path. ```python theme={null} from tracecat_registry import RegistryOAuthSecret, RegistrySecret, registry, secrets api = RegistrySecret(name="exa", keys=["EXA_API_KEY"]) oauth = RegistryOAuthSecret( provider_id="google_drive", grant_type="authorization_code", ) ``` ## YAML Under `definition`, set a `secrets` list (same validator as Python). Custom (optional `secret_type` for structured secrets): ```yaml theme={null} definition: secrets: - name: exa keys: ["EXA_API_KEY"] - name: ansible keys: ["PRIVATE_KEY"] secret_type: ssh_key ``` OAuth: ```yaml theme={null} definition: secrets: - type: oauth provider_id: microsoft_teams grant_type: authorization_code ``` The `provider_id` and `grant_type` must match an integration already configured in your workspace. Use `${{ SECRETS._oauth. }}` in `args`. Set `optional: true` on an OAuth entry when it is not always required. ## Example providers See [`integrations/google_drive.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/google_drive.py) and [`integrations/slack_sdk.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py) for UDFs that use OAuth credentials. See [`tracecat_registry/core/ssh.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/core/ssh.py) for an `ssh_key` secret example. For YAML templates, see [`microsoft_teams/send_message.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_teams/send_message.yml) (`authorization_code`), [`google_docs/create_document.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/google_docs/create_document.yml) (`client_credentials`), and [`microsoft_sentinel/.../get_alert_rule_template.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_sentinel/alert_rules/get_alert_rule_template.yml) (optional dual grant). See [`templates/tools/exa/search.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/exa/search.yml) for a simple API key template. For the full list of built-in provider IDs, see [`tracecat/integrations/providers/__init__.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py). ## OAuth and actions Registry actions reference OAuth integrations but do not create them. Configure a built-in or custom provider in Integrations first, then declare `RegistryOAuthSecret` (Python) or `type: oauth` (YAML) so the action requires that integration at runtime. Syntax and examples are in [Use OAuth tokens in expressions](#use-oauth-tokens-in-expressions) above. ## OAuth and MCP Remote MCP integrations can use an existing OAuth integration. For custom remote MCP servers: 1. Create a custom OAuth provider. 2. Connect that provider. 3. Create an MCP integration and attach the connected OAuth integration. ## FAQ When you save a custom provider, Tracecat derives a provider ID from the display name or the ID you enter (slugified). If that value does not already start with `custom_`, the server prepends `custom_` so it does not collide with [built-in providers](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py). If the ID is already taken, a numeric suffix is added. No. `RegistryOAuthSecret` and YAML `type: oauth` entries declare that the action *requires* an existing OAuth integration — they do not register one. Create the integration from [Configure a provider](#configure-a-provider) (or [contribute a built-in provider](#how-do-i-contribute-a-built-in-oauth-provider)). Once it exists, your action can reference its tokens via `${{ SECRETS._oauth... }}`. Out-of-the-box providers are implemented in the Tracecat app and get stable IDs (for example `slack`, `google_drive`) without the UI `custom_` rule. 1. Subclass `AuthorizationCodeOAuthProvider` or `ClientCredentialsOAuthProvider` under [`tracecat/integrations/providers/`](https://github.com/TracecatHQ/tracecat/tree/main/tracecat/integrations/providers). See [`slack/oauth.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/slack/oauth.py) for a full example. 2. Register the class in [`_PROVIDER_CLASSES`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py). 3. Keep the [registry package](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry) aligned: same `provider_id` and `grant_type` in `RegistryOAuthSecret` (Python) and `type: oauth` entries (YAML) so actions resolve the same integration as the UI. ## Related pages * See [Prebuilt credentials](/automations/integrations/prebuilt-credentials) for static credentials such as API keys and bot tokens. * See [Secrets](/automations/core-concepts/secrets) for how secret expressions are resolved at runtime. * See [Python UDFs](/custom-actions/python-udf) and [YAML templates](/custom-actions/yaml-template) for custom registry actions. * See [MCP servers](/automations/integrations/mcp-integrations) for remote and `stdio` MCP setup. # Prebuilt credentials Source: https://docs.tracecat.com/automations/integrations/prebuilt-credentials Configure prebuilt credentials for Tracecat's built-in integrations: define secret schemas, scope values per workspace, and reuse them across actions and agents. ## Overview Pre-built credentials pre-fill the secret name and keys for built-in integrations. Pre-built credentials ## How pre-built credentials work Built-in integrations expect fixed secret names and keys. For example, Slack SDK actions use `slack` and `SLACK_BOT_TOKEN`. `${{ SECRETS.slack.SLACK_BOT_TOKEN }}` resolves from the workflow default environment unless overridden in action control flow. ## Use environments Store the same credential name in different Workflow environments: * `slack` in `default` for one Slack app * `slack` in `staging` for a second Slack app * `slack` in `customer_acme` for a customer-specific Slack app Then set the Workflow environment in [Workflows](/automations/workflows#environments) or override it on a specific action in [Actions](/automations/actions#environment): ```yaml theme={null} ${{ SECRETS.slack.SLACK_BOT_TOKEN }} ``` ## Configure a credential In `/Credentials`, click `Configure` for the credential. Tracecat pre-fills the keys. Configure Slack credential ## FAQ Check these in order: * Use prebuilt credentials for fixed secret names and keys such as `${{ SECRETS.slack.SLACK_BOT_TOKEN }}`. * Use OAuth integrations when the provider issues managed tokens such as `${{ SECRETS.microsoft_teams_oauth.MICROSOFT_TEAMS_USER_TOKEN }}`. * Use custom secrets when an action expects your own secret name and keys. * Make sure the secret exists in the same environment that the workflow or action is using. * Make sure the expression path matches the configured secret name and key exactly. For example, this action reads the `slack` credential from the `customer_acme` environment, not from `default`: ```yaml theme={null} - ref: notify_customer action: tools.slack.post_message environment: customer_acme args: channel: ${{ SECRETS.slack.ALERTS_CHANNEL }} text: "New finding: ${{ TRIGGER.finding_id }}" ``` If `slack` only exists in `default`, the action will not resolve it while running in `customer_acme`. ## Related pages * See [Secrets](/automations/core-concepts/secrets) for the core secret model and secret expression syntax. * See [OAuth](/automations/integrations/oauth-integrations) for integrations that issue managed OAuth tokens instead of static keys, and for the same `${{ SECRETS... }}` patterns in custom registry actions. * See [MCP servers](/automations/integrations/mcp-integrations) for MCP-specific integration setup and secret-backed `stdio` configuration. # Tables Source: https://docs.tracecat.com/automations/tables Store and manage structured data inside Tracecat: define tables, query rows from workflows and agents, and link records to cases and workflow runs. ## Tables Table Tables let you store structured data in your workspace. You can use them from the UI or from `core.table.*` actions in a workflow definition. Use tables when you want to: * Keep durable records across workflow runs * Look up known values such as users, hosts, or indicators * Search and export structured data for investigation or reporting * Reuse the same dataset across multiple workflows ## Columns Each table has a schema that defines its columns. Choose column types based on the data you want to store and query. When you define columns in the UI or in `core.table.create_table`, use the same uppercase `type` values exposed in the custom tables picker: You can create tables with the following column types: * TEXT * INTEGER * NUMERIC * BOOLEAN * DATE * TIMESTAMPTZ * JSONB * SELECT * MULTI\_SELECT Use `TEXT`, `INTEGER`, `NUMERIC`, and `BOOLEAN` for simple fields. Use `DATE` or `TIMESTAMPTZ` for time-based values, `JSONB` for nested structured data, and `SELECT` or `MULTI_SELECT` when the value must come from a fixed list. Case custom fields use the same storage type family: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`. In the case field picker, raw `JSONB` is currently surfaced through the `URL` kind, and `Long text` is layered on top of `TEXT`. ## Rows Rows hold the actual records in a table. You can insert, update, delete, look up, and search rows as your workflows process new events. This works well for data such as: * Asset inventories * User allowlists * Enrichment results * Investigation evidence * External system references If you already know the field and value you want, use `core.table.lookup`. If you need broader filtering or text search, use `core.table.search_rows`. For example, use `core.table.lookup` when you know the exact value: ```yaml theme={null} - ref: lookup_asset action: core.table.lookup args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} ``` For example, use `core.table.search_rows` when you want to search across rows: ```yaml theme={null} - ref: search_assets action: core.table.search_rows args: table: asset_inventory search_term: production limit: 25 ``` ## Index and upsert You'll often need to deduplicate data or require all values in a column to be unique. You can do that by creating an index and then using `core.table.insert_row` with `upsert: true`. Create unique index For example: * One row per hostname * One row per email address * One row per alert ID * One row per hash value A unique index enforces that rule, and `core.table.insert_row` with `upsert: true` updates the existing row instead of creating a duplicate. ## Table actions Use `core.table.*` actions when you want your workflows to work with tables directly. * [Tables](/automations/core-actions/memory-actions/tables) to create tables, inspect metadata, insert rows, search rows, and export data * Use `core.table.insert_row` with `upsert: true` when you want to update an existing row that matches a unique index `core.table.create_table` takes `columns` as a JSON array of column objects. This is the same schema you use for tables that you later link to cases. * `name`: Required string. Use letters, numbers, and underscores, and start with a letter or underscore. * `type`: Required uppercase string. Use `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, or `MULTI_SELECT`. * `nullable`: Optional boolean. Defaults to `true`. * `default`: Optional value. It must match the column type. * `options`: Optional array of strings. Required for `SELECT` and `MULTI_SELECT`, and invalid for other types. For example: ```yaml theme={null} - ref: ensure_inventory_table action: core.table.create_table args: name: asset_inventory columns: - name: hostname type: TEXT - name: owner type: TEXT raise_on_duplicate: false - ref: upsert_asset action: core.table.insert_row args: table: asset_inventory upsert: true row_data: hostname: ${{ TRIGGER.hostname }} owner: ${{ TRIGGER.owner }} - ref: lookup_asset action: core.table.lookup args: table: asset_inventory column: hostname value: ${{ TRIGGER.hostname }} ``` For example, this upserts one row per alert ID: ```yaml theme={null} - ref: upsert_alert action: core.table.insert_row args: table: alerts upsert: true row_data: alert_id: ${{ TRIGGER.alert_id }} status: ${{ TRIGGER.status }} severity: ${{ TRIGGER.severity }} ``` # Tracecat MCP Source: https://docs.tracecat.com/automations/tracecat-mcp Drive Tracecat from your own agent harness over MCP: build, edit, and run workflows and cases through Claude, Cursor, ChatGPT, or any MCP client. Tracecat works best with agentic coding tools (Claude Code, Cursor, Codex, OpenCode). Agents connected to Tracecat MCP gain the ability to build and orchestrate core Tracecat resources: * Agents * Workflows * Tables (local and remote) * Integrations (HTTP, gRPC, SQL) * Scripts (Python, docker run) * Cases (local and remote) Tracecat MCP turns any coding agent into a security automation architect and engineer. ## Setup If you are **self-hosted**, replace `https://platform.tracecat.com` with your `PUBLIC_APP_URL` (e.g. `http://localhost` or `https://tracecat.example.com`). Authentication uses a built-in OIDC provider—your agent is redirected to sign in through the browser on first connection. For clients or environments that cannot complete a browser sign-in, authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead. Sign in with OAuth: ```bash theme={null} claude mcp add -t http tracecat https://platform.tracecat.com/mcp claude /mcp ``` Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens). Set `TRACECAT_MCP_PAT` in your environment and reference it with **single quotes** so the variable (not the token) is written to the saved config: ```bash theme={null} claude mcp add --transport http tracecat https://platform.tracecat.com/mcp \ --header 'Authorization: Bearer ${TRACECAT_MCP_PAT}' ``` Sign in with OAuth: ```bash theme={null} codex mcp add tracecat --url https://platform.tracecat.com/mcp codex mcp login tracecat ``` Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens). Set `TRACECAT_MCP_PAT` in your environment, then reference it by name: ```bash theme={null} codex mcp add tracecat --url https://platform.tracecat.com/mcp \ --bearer-token-env-var TRACECAT_MCP_PAT ``` ```bash theme={null} copilot /mcp add # Server Name: tracecat # Server Type: HTTP # URL: https://platform.tracecat.com/mcp # Tools: * ``` Follow [GitHub Copilot MCP setup](https://docs.github.com/en/copilot/how-tos/copilot-cli/customize-copilot/add-mcp-servers) for the latest CLI prompts. Or add this server to `~/.copilot/mcp-config.json`: ```json theme={null} { "mcpServers": { "tracecat": { "type": "http", "url": "https://platform.tracecat.com/mcp", "tools": ["*"] } } } ``` To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of OAuth, add an `Authorization` header (`${TRACECAT_MCP_PAT}` is read from your environment): ```json theme={null} "headers": { "Authorization": "Bearer ${TRACECAT_MCP_PAT}" } ``` On Tracecat Cloud, click [Add Tracecat to Cursor](https://cursor.com/en-US/install-mcp?name=tracecat\&config=eyJ1cmwiOiJodHRwczovL3BsYXRmb3JtLnRyYWNlY2F0LmNvbS9tY3AifQ) to add it in one click. Otherwise configure `.cursor/mcp.json` manually: ```json theme={null} { "mcpServers": { "tracecat": { "url": "https://platform.tracecat.com/mcp" } } } ``` To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of OAuth, add an `Authorization` header (Cursor resolves `${env:TRACECAT_MCP_PAT}` from your environment): ```json theme={null} "headers": { "Authorization": "Bearer ${env:TRACECAT_MCP_PAT}" } ``` ## Personal access tokens OAuth is the default. For clients or environments that cannot complete a browser sign-in (CI, headless runners, shared dev containers), authenticate with a workspace-scoped personal access token (PAT) instead. PATs work the same on self-hosted and Tracecat Cloud. 1. In your workspace, go to **Settings → MCP** and create a token. Set a name and expiration. 2. Copy the token when it is shown. It is only displayed once and cannot be retrieved again. 3. Pass it as a bearer header from your MCP client — see the **PAT** option in each [Setup](#setup) tab above for Claude Code, Codex, Copilot, and Cursor. Treat the PAT like a secret. It grants MCP access scoped to the workspace it was created in. Always send it in the `Authorization` header—never in the URL or a query string, where it leaks into server, proxy, and browser logs. Keep it out of command output and application logs, and supply it through an environment variable or secrets vault rather than hardcoding it in a config file. Revoke it from **Settings → MCP** if it is exposed, and prefer short expirations. ## Starter prompts Recreate a security automation based on a blog post. Review the following examples and ask me if I have a specific one in mind, or if I'd like to implement one of these: * Slack's Distributed Security Alerting ([https://slack.engineering/distributed-security-alerting/](https://slack.engineering/distributed-security-alerting/)) * AWS Incident Response Playbooks ([https://github.com/aws-samples/aws-incident-response-playbooks](https://github.com/aws-samples/aws-incident-response-playbooks)) * GitLab SIRT Incident Response ([https://handbook.gitlab.com/handbook/security/security-operations/sirt/sec-incident-response/](https://handbook.gitlab.com/handbook/security/security-operations/sirt/sec-incident-response/)) * Reddit's Threat Detection ([https://www.reddit.com/r/RedditEng/comments/1riyeam/how\_reddit\_does\_threat\_detection/](https://www.reddit.com/r/RedditEng/comments/1riyeam/how_reddit_does_threat_detection/)) Once we've selected a post: 1. Analyze the post to identify the core workflow logic, required data tables, and integration points. 2. Design and implement the necessary Tracecat workflows and tables. 3. Question any assumptions in the original post that might not apply to a modern cloud-native environment. 4. Ask clarifying questions about my specific environment, such as preferred communication channels or existing security stack. Audit my existing Tracecat workflows, tables, and cases. Goal: 1. Suggest improvements for efficiency, reliability, and security. 2. Identify missing components, with a specific focus on SLAs, reporting, and observability. 3. Question assumptions about my current data retention and alerting thresholds. 4. Ask clarifying questions about my team's response requirements and reporting stakeholders. Build a security automation for automated alert triage and response. Tasks: 1. Create a workflow triggered by a webhook that receives inbound security alerts. 2. Ask me if I have a SIEM or central log repository (like Splunk or Sentinel) that should be the primary alert source. 3. Implement an AI analysis step using `ai.action` or `ai.agent` to interpret the alert context. 4. Ask which enrichment integrations (such as VirusTotal or urlscan.io) I'd like to include for reputation checks. 5. Ensure the workflow creates a case for any alert that meets a specific risk threshold. 6. Question assumptions about alert fidelity and whether automated actions should be taken without human review. 7. Ask clarifying questions about my data schemas, expected alert volume, and specific response SLAs. Build an automated response for user-reported phishing emails. Tasks: 1. Design a workflow that triggers when a user submits a suspicious email to our phishing reporting mailbox. 2. Use a script or AI step to extract all URLs, domains, and attachments from the email body. 3. Perform reputation checks and sandboxing using my available security tools (e.g., URLScan, Joe Sandbox, or CrowdStrike). 4. Ask which email service (Microsoft 365 or Google Workspace) I'd like to integrate with for automated deletion or quarantine. 5. Create a case to notify the SOC if the email is confirmed malicious. 6. Question assumptions about whether automated deletion should happen for "suspicious" but not "confirmed" hits. 7. Ask clarifying questions about our internal whitelist of trusted senders and domains. ## MCP tools List all workspaces accessible to the authenticated user. Returns paginated workspace summaries including workspace id/name and the owning org\_id/org\_slug. Multi-org users may receive workspaces from more than one organization in a single response. Create a new workflow in a workspace. Get metadata for a specific workflow. Edit a draft workflow using RFC 6902 JSON Patch. Update workflow metadata and optional inline YAML. List workflows in a workspace. List workflow folders and workflows under a path. Create a workflow folder by absolute path. Rename a workflow folder by absolute path. Move a workflow folder under a new parent path. Delete a workflow folder by absolute path. Move workflows into or out of a folder. This tool is best-effort and non-atomic. If one workflow fails to move, the remaining workflow moves still proceed. Search or browse available actions and return compact context metadata. Supports three usage modes: -> **Search**: provide `query` to search by name/description across all `namespaces`. Example: list\_actions(workspace\_id, query="send message") -> **Browse by `namespace`**: provide `namespace` without `query` to list all actions in a `namespace`. Example: list\_actions(workspace\_id, namespace="core") -> **Browse all**: omit both to list all available actions. Common `namespaces`: `core`, `tools`, `ai`. Sync the organization's custom action registry from its remote git repository. Pulls the latest code from the custom registry repo registered in the caller's organization, builds a versioned tarball, and makes the synced actions available to agents and workflows. Use this after pushing changes to the custom integrations repo, or to roll forward/back to a specific commit. Existing published workflows must be republished to pick up newly synced action versions. Get full schema and configuration context for a single action. Use this after discovering an action via `list_actions` to get the complete parameter schema needed to write the `args:` block in a workflow definition. Example action names: "core.http\_request", "core.script.run\_python", "core.transform.reshape". Get compact workflow authoring context for selected actions. Returns everything needed to write a workflow definition: action schemas, available secrets, and workspace variables. Use this before calling `create_workflow` or `update_workflow`. Two input modes (provide one or neither): -> **By name**: pass `actions` with an `action_names` list. -> **By search**: pass `query` to search for actions by name/description Validate a workflow's draft state. Checks that the workflow DSL is structurally sound and that arguments are valid. Prepare a staged template YAML upload for remote `/mcp` clients. Validate a template action YAML file. Validates YAML parsing, template schema correctness, step action references, argument schemas, and expression references. Publish (commit) a workflow, creating a new versioned definition. This validates the workflow, freezes registry dependencies, and creates a new workflow definition version. Run a workflow from its draft state or a published definition. By default runs the current draft (unpublished edits) so changes can be tested before publishing. Set `use_draft=False` to run a published version instead. List recent executions for a workflow. Use this to see run history, check which runs succeeded or failed, and find execution IDs for deeper inspection with `get_workflow_execution`. Get status and details of a specific workflow execution. Returns execution metadata (status, timing) and a compact event timeline showing each action's status, timing, and any errors. Use this to debug failed runs or check the progress of running workflows. Get webhook configuration for a workflow. Update webhook configuration for a workflow. Get case trigger configuration for a workflow. Update an existing case trigger for a workflow. List workflow tag definitions in a workspace. Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`. Create a workflow tag definition. Update a workflow tag definition. Delete a workflow tag definition. List tags attached to a workflow. Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`. Attach an existing workflow tag definition to a workflow. Remove a workflow tag association from a workflow. List cases in a workspace with default sorting. Search cases with filtering and sorting. Get a specific case with full details including fields, tags, and description. Create a new case. Update a case. Only provided fields are changed. List all comments for a case. List comment threads for a case. Each thread contains the root comment and its replies. Create a new comment on a case. Provide `parent_id` to reply to an existing comment. Update an existing comment on a case. Delete a comment from a case. List all tasks for a case. Get a specific case task by ID. Create a new task on a case. Update a case task. Only provided fields are changed. Run the workflow associated with a case task. Fetches the task's `workflow_id` and `default_trigger_values`, merges them with `case_id` and `task_id` context (plus any caller-supplied overrides), then executes the latest published version of the workflow. List activity events for a case. Events are system-generated audit entries that track every change to a case — status changes, priority changes, assignee changes, comments, tasks, tags, field changes, etc. List case tag definitions in a workspace. Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`. Create a case tag definition. Update a case tag definition. Delete a case tag definition. List tags attached to a case. Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`. Attach a case tag to a case. Remove a case tag association from a case. List case field definitions in a workspace. Returns a JSON array of field objects with `id`, `type`, `description`, `nullable`, `default`, `reserved`, `options`, and optional `kind`. Create a case field definition. Supports optional create-only `kind`: `LONG_TEXT` requires `type="TEXT"` and `URL` requires `type="JSONB"`. Update a case field definition. List case dropdown definitions in a workspace. Requires the case add-ons entitlement. Returns a paginated JSON array of dropdown objects with `id`, `name`, `ref`, `icon_name`, `is_ordered`, `required_on_closure`, `position`, and embedded `options`. Create a case dropdown definition with optional initial options. Requires the case add-ons entitlement. Update a case dropdown definition. Only provided fields are changed. Requires the case add-ons entitlement. Delete a case dropdown definition along with all its options and per-case values. Requires the case add-ons entitlement. Add an option to a case dropdown definition. Requires the case add-ons entitlement. Update an option within a case dropdown definition. Only provided fields are changed. Requires the case add-ons entitlement. Delete an option from a case dropdown definition. Requires the case add-ons entitlement. Set or clear a dropdown value on a case. Provide exactly one of `definition_id` or `definition_ref`, and at most one of `option_id` or `option_ref`; omit both option arguments to clear the value. Requires the case add-ons entitlement. List workspace tables. Create a table with optional columns. Get table definition and index metadata. Update table metadata. Insert a table row. Insert multiple table rows. Update a table row. Update multiple table rows with the same values. Search rows in a table. Export table data as a staged download URL. Create a unique index on a table column. Only one unique index per table is allowed. Drop the unique index on a table column. List workspace variables. Get a workspace variable. List secret metadata without secret values. Get secret metadata by name without secret values. List workspace integrations useful for workflow and preset authoring. Get models, integrations, `output_type` guidance, and other preset authoring context. Create an agent preset in the selected workspace. Use `skills` to attach published skill versions. Each binding requires `skill_id` and `skill_version_id` from `list_skills` and `publish_skill`. Update an existing agent preset in the selected workspace. Use `skills` to replace attached published skill-version bindings. Each binding requires `skill_id` and `skill_version_id`. Omit `skills` to leave bindings unchanged, or pass an empty list to detach all skills. List agent folders and presets under a path. Create an agent folder by absolute path. Rename an agent folder by absolute path. Move an agent folder under a new parent path. Delete an agent folder by absolute path. Move agent presets into or out of a folder by preset slug. List workspace skills with IDs, names, and current published versions. Use this before updating, publishing, or attaching skills to agent presets. Upload a local skill directory into Tracecat as a workspace skill. This creates a new logical skill. Use `update_skill` when replacing an existing skill draft to avoid duplicate skill rows with the same name. Agents should read the local directory themselves, preserve relative paths, include the root `SKILL.md` file, and pass every file in `files` using `content_base64`. Replace an existing skill draft with a local skill directory. This does not publish the draft. Call `publish_skill` after the update if the skill should be attachable to agent presets. Publish a skill draft into an immutable skill version. Only published skill versions can be attached to agent presets. List saved agent preset slugs and names. Use `get_agent_preset` for the full preset definition. Get the full configuration for a saved agent preset by slug. Run an agent preset with a prompt and return text or approval status. Creates an ephemeral session, triggers the agent workflow, and waits for the response. The agent has access to all tools configured on the preset. # Case triggers Source: https://docs.tracecat.com/automations/triggers/case-triggers Start Tracecat workflows from case events: react to case creation, status changes, and field updates to drive automated triage and response. ## Overview Case triggers start a workflow when selected case events happen. Case trigger ## Trigger payload Case trigger data is available under `${{ TRIGGER }}`. Fields: * `${{ TRIGGER.case_id }}`: case ID. * `${{ TRIGGER.event }}`: event details. * `${{ TRIGGER.tags }}`: case tags. * `${{ TRIGGER.workspace_id }}`: workspace ID. Example payload: ```json theme={null} { "case_id": "case_01abc", "event": { "id": "evt_01abc", "type": "comment_created", "data": { "comment_id": "cmt_01abc" }, "created_at": "2026-03-19T14:22:00+00:00", "user_id": "usr_01abc", "wf_exec_id": null }, "tags": [ { "id": "tag_01abc", "ref": "triage", "name": "Triage", "color": null } ], "workspace_id": "ws_01abc" } ``` ## Case events One or more case events must be selected before the trigger is enabled. Supported event families include: * Case events such as create, update, close, reopen, and view. * Comment events such as comment and reply activity. * Field changes such as status, priority, severity, assignee, and payload changes. * Tag events such as tag add and remove. * Task events such as task create, delete, and workflow or assignee changes. * Attachment events such as add and remove. * Dropdown changes. ## Tag allowlist Restrict runs to cases with matching tags. If the allowlist is empty, no tag filtering is applied. Matching uses the case's current tags. ## Important behavior Workflow-originated case events are ignored to avoid loops. # Comment triggers Source: https://docs.tracecat.com/automations/triggers/comment-triggers Run Tracecat workflows from case comments and replies: parse comment text, route directives to actions and agents, and bridge analyst chat into automation. ## Overview You can start a workflow from a case comment or reply by selecting it in the comment composer. Comment trigger ## Trigger payload Comment trigger data is available under `${{ TRIGGER }}`. Fields: * `${{ TRIGGER.case_id }}`: case ID. * `${{ TRIGGER.comment_id }}`: comment ID. * `${{ TRIGGER.parent_id }}`: parent comment ID. * `${{ TRIGGER.text }}`: comment text. * `${{ TRIGGER.triggered_by }}`: actor details. * `${{ TRIGGER.event }}`: event details. * `${{ TRIGGER.tags }}`: case tags. Example payload: ```json theme={null} { "case_id": "case_01abc", "comment_id": "cmt_01abc", "parent_id": null, "text": "Escalating to the IAM workflow.", "workspace_id": "ws_01abc", "triggered_by": { "type": "user", "user_id": "usr_01abc", "service_id": null }, "event": { "id": "evt_01abc", "type": "comment_created", "created_at": "2026-03-19T14:22:00+00:00", "user_id": "usr_01abc" }, "tags": [ { "id": "tag_01abc", "ref": "triage", "name": "Triage", "color": null } ] } ``` # Error workflows Source: https://docs.tracecat.com/automations/triggers/error-workflows Run a Tracecat workflow whenever another workflow fails: forward error context, alert on-call, and centralize incident-handling logic across automations. ## Overview Error workflows run when another workflow fails with an application error. Failed workflow ## Trigger payload The failed run is passed into the error workflow under `${{ TRIGGER }}`. Fields: * `${{ TRIGGER.message }}`: the top-level failure message. * `${{ TRIGGER.orig_wf_id }}`: the failed workflow ID. * `${{ TRIGGER.orig_wf_exec_id }}`: the failed workflow execution ID. * `${{ TRIGGER.orig_wf_exec_url }}`: the failed workflow execution URL, if available. * `${{ TRIGGER.orig_wf_title }}`: the failed workflow title. * `${{ TRIGGER.trigger_type }}`: the original trigger type. * `${{ TRIGGER.errors }}`: structured action error details, if available. Example payload: ```json theme={null} { "message": "Action failed", "handler_wf_id": "wf_4itKqkgCZrLhgYiq5L211X", "orig_wf_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z", "orig_wf_exec_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z/exec_7aBcDeFgHiJkLmNoPqRsTu", "orig_wf_exec_url": "https://platform.tracecat.com/workspaces/ws_2xYzAbCdEfGhJkLmNoPqRs/workflows/wf_3mYp8JkL2nQr7sTu9vWx0Z/executions/exec_7aBcDeFgHiJkLmNoPqRsTu", "orig_wf_title": "Investigate alert", "trigger_type": "webhook", "errors": [ { "ref": "fetch_alert", "message": "Request returned 500", "type": "HTTPError" } ] } ``` ## Configure an error workflow Set `Error workflow` in the workflow settings panel. Use a workflow ID or alias. Error workflow ## Publish behavior The workflow must be published for the committed error workflow setting to apply to published runs and schedules. # Schedules Source: https://docs.tracecat.com/automations/triggers/schedules Run Tracecat workflows on a time-based cadence: configure cron schedules, fixed intervals, and trigger payloads for recurring automations. ## Overview Schedules run a workflow on a time-based cadence. The workflow must be saved before a schedule can be created. Schedule trigger ## Schedule types Schedule types: * Interval schedules use `every`. * Cron schedules use `cron`. Cron uses standard 5-field or 6-field expressions. ## Schedule fields * Status: `online` or `offline`. * Start time: optional. * End time: optional. * Timeout: optional, and `0` means no timeout. * Offset: interval-only, using an ISO 8601 duration. ## When to use schedules Use schedules for: * Polling an external system on a fixed cadence. * Running cleanup or maintenance workflows on a timer. * Syncing data or refreshing enrichments throughout the day. # Task triggers Source: https://docs.tracecat.com/automations/triggers/task-triggers Run Tracecat workflows from case tasks: trigger automations as tasks are created, assigned, completed, or updated to keep response work moving. ## Overview You can start a workflow from a case task. Set the workflow on the task, then start it from the task UI. If the workflow has an Input schema, the dialog asks for inputs. Otherwise, Tracecat shows generated case inputs. Task trigger ## Trigger payload Task trigger data is available under `${{ TRIGGER }}`. Fields: * `${{ TRIGGER.case_id }}`: case ID. * `${{ TRIGGER.task_id }}`: task ID. Example payload: ```json theme={null} { "case_id": "case_01abc", "task_id": "task_01abc" } ``` # Webhooks Source: https://docs.tracecat.com/automations/triggers/webhooks Trigger Tracecat workflows from external systems with webhooks: configure secret URLs, parse JSON or form payloads, and validate inbound requests. ## Overview Webhooks start a workflow from an external system. The URL includes the webhook secret. `POST` is the primary method. `GET` also works for verification flows. The workflow must be published before the webhook runs. Webhook trigger ## Using webhook payloads The request body becomes `TRIGGER`, for example `${{ TRIGGER.alert_id }}`. ## Supported request formats Parsing: * Empty body: no trigger payload is created. * JSON by default: the body is parsed as JSON and becomes `TRIGGER`. * Form payloads with `application/x-www-form-urlencoded`: the body is parsed as a dictionary. Form field names become keys on `TRIGGER`. * NDJSON payloads with `application/x-ndjson`, `application/jsonlines`, and `application/jsonl`: Tracecat starts one workflow run per JSON line. `TRIGGER` is that line, not the full request body. ## Securing webhooks ### Allowed HTTP methods Allowed methods can be `GET`, `POST`, or both. Requests that use a method outside the allowed list are rejected. ### API key authentication Webhook API keys are optional. If configured, the sender must include `x-tracecat-api-key`. The UI supports generate, rotate, revoke, and delete. A revoked key blocks requests until a new key is generated or API key protection is removed. ### IP allowlist Requests can be restricted to specific IPs or CIDR ranges. The allowlist is IPv4-only. ## Response Default response: ```json theme={null} { "message": "Workflow execution created", "wf_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z", "wf_exec_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z/exec_7aBcDeFgHiJkLmNoPqRsTu" } ``` Query parameters: * `echo=true`: add the original request body to the response under `payload`. * `empty_echo=true`: return an empty `200` with no body. Implies `echo=true`. * `vendor=okta`: handle Okta verification challenges. See [Okta verification](#okta-verification). ## Synchronous execution with /wait Use `POST /webhooks/{workflow_id}/{secret}/wait` to run a workflow and receive its `return` value in the response. The request blocks until the workflow finishes. The workflow must be published. The request body becomes `TRIGGER` exactly as with the default webhook. This endpoint is designed for workflows-as-APIs: the caller treats the workflow like a synchronous HTTP handler. ### Response schema The response is an envelope with a `kind` discriminator: ```json theme={null} { "kind": "value", "value": { "status": "ok" } } ``` ```json theme={null} { "kind": "download_file", "download_url": "https://...", "expires_in_seconds": 10, "content_type": "application/json", "size_bytes": 262144 } ``` ### Kinds * `value`: inline result. The body has `value` set to the workflow's `return` value. * `download_file`: externalized result. The body has a presigned `download_url`, plus `expires_in_seconds`, `content_type`, and `size_bytes`. * `download_export`: materialized collection result. Same fields as `download_file`; `content_type` is always `application/json`. Results over `TRACECAT__RESULT_EXTERNALIZATION_THRESHOLD_BYTES` (default 128 KiB) are stored in object storage and returned as a short-lived presigned URL (default 10-second expiry). This keeps the webhook response small and predictable, so synchronous callers never stream megabytes of workflow state through a single HTTP response. ### Query parameters * `unwrap=true`: return the workflow's `return` value directly as the response body, with no envelope. Requires the result to fit inline. If the result was externalized (kind `download_file` or `download_export`), `/wait?unwrap=true` returns `413 Payload Too Large` with the download envelope under `detail`, so the caller can still fetch the data. Example: ```bash theme={null} curl -X POST "https:///webhooks///wait?unwrap=true" \ -H "Content-Type: application/json" \ -d '{"alert_id": "A-001"}' # 200 OK # {"status": "ok"} ``` If the workflow returns a result larger than the externalization threshold: ```json theme={null} { "detail": { "kind": "download_file", "download_url": "https://...", "expires_in_seconds": 10, "content_type": "application/json", "size_bytes": 262144 } } ``` ## Slack event subscriptions Slack event subscription verification uses `?echo=true`. ## Slack modal close and fast acknowledgements Slack interactive flows that need a fast empty acknowledgement use `?echo=true&empty_echo=true`. ## Okta verification Okta verification requests use `vendor=okta`. Tracecat reads `x-okta-verification-challenge` and returns: ```json theme={null} { "verification": "" } ``` # Workflows Source: https://docs.tracecat.com/automations/workflows Build, run, and manage Tracecat workflows: connect triggers and actions, version definitions, and orchestrate automations across cases and agents. ## Creating workflows View and create workflows in the Tracecat UI under the `/workflows` page. Create new workflow ## Run workflows manually You can run a workflow manually by clicking the `Run` button in the top right corner of the workflow builder. Run workflow manually ## Triggers Workflows can be triggered by: * [Webhooks](/automations/triggers/webhooks) * [Schedules](/automations/triggers/schedules) * [Subflow run action](/automations/core-actions/workflow-actions/run-subflow) * [Case triggers](/automations/triggers/case-triggers) Enterprise * [Task triggers](/automations/triggers/task-triggers) Enterprise * [Comment triggers](/automations/triggers/comment-triggers) Enterprise ## Trigger inputs You can specify trigger inputs in the workflow builder. These inputs are passed to the workflow as `${{ TRIGGER }}` expressions. ## View workflow runs There are three views for workflow runs: * Events panel: most recent run in the left part of the workflow builder * Runs view: all runs for a specific workflow * Enterprise History view: all runs across all workflows
Workflow events panel
Workflow runs view
Workflow runs history ## Tag workflow Right click on a workflow in the workflows table then hover over the "Tags" menu item. Tag workflow ## Draft workflows Draft workflows are workflows that are currently being edited. You can run draft workflows manually by clicking the `Run` button in the top right corner of the workflow builder. ## Published workflows To deploy a workflow, you must publish it. Webhooks, schedules, subflows, and other workflow triggers always run the latest published workflow version. Publish workflow ## Workflow settings Click on the workflow canvas to open the workflow settings panel. Workflow settings ### Workflow alias Workflow aliases are used to reference the workflow in subflows and error workflows. Keep aliases short, descriptive, and snake\_case. You must define a workflow alias in order to trigger it as a subflow or error workflow. ### Error workflows You can specify an error workflow to run when a workflow fails. Information about the failed workflow run is passed to the error workflow under the `${{ TRIGGER }}` expression. See [Error workflows](/automations/triggers/error-workflows) for more information. ### Input schema You can specify an input schema to validate the trigger inputs to the workflow. Define the input schema as YAML or JSON-compatible YAML, where each top-level key is an input name. Each input supports these fields: * `type` is a Tracecat type expression such as `str`, `int`, `bool`, `float`, `datetime`, `duration`, `list[int]`, `dict[str, Any]`, `str | None`, or `enum["low", "high"]` * `description` is an optional description of the input * `default` is an optional default value; if you set it, the input becomes optional For example: ```yaml theme={null} my_param: type: str description: This is a string default: My default value my_list: type: list[int] description: This is a list of integers without a default value my_union: type: str | int | None description: This is a union of a string, an integer, and None ``` ### Output schema Workflows return `null` by default. You can specify a return value for the workflow as an output schema. Output schemas support all Tracecat expressions. For example, assume a workflow has three actions `whoami`, `location`, and `contact`. The actions return the following results: * `whoami`: `{ "name": "John", "age": 30 }` * `location`: `{ "city": "New York", "country": "USA" }` * `contact`: `{ "email": "john@example.com", "phone": "1234567890" }` The output schema can be defined as: ```php theme={null} name: ${{ ACTIONS.whoami.result.name }} city: ${{ ACTIONS.location.result.city }} email: ${{ ACTIONS.contact.result.email }} ``` ### Environments You can specify a default environment to use for the workflow. Actions without an environment override will use the default environment to pull secrets and variables from. ## Export / import workflows Enterprise users should use Tracecat's Git sync feature to push and pull their workflow definitions directly from a remote Git repository. Open Source users can export and import workflows directly from the Tracecat UI. Exported workflows are called workflow definitions and are saved as YAML files. Right click on a workflow in the `/workflows` page to export the draft or published workflow definition: Workflow export / import Exported workflows can be imported via the "Create new" button in the `/workflows` page: Workflow import ## Cancel / terminate / reset runs The Temporal UI exposes all your workflow runs. Do not expose it to the public internet unless you have OIDC SSO enabled. Open Source Open up the Temporal UI to view and control all workflow runs. Expose port `8081` in the `temporal_ui` service in the `docker-compose.yml` file and run `docker compose up`. Then access the Temporal UI at `http://localhost:8081`. Set the following Terraform variables: * `disable_temporal_ui` to `false` * `temporal_auth_provider_url` to your identity provider's URL * `temporal_auth_client_id` to the OIDC client ID * `temporal_auth_client_secret` to the OIDC client secret Then run `terraform apply`. Access the Temporal UI at `http:///temporal-admin`. Enterprise You can view, cancel, terminate, and reset all workflow runs directly from the Tracecat UI under the `/runs` page. Reset terminate cancel runs ## Copy actions to clipboard Hover over any action in the events panel or runs view. You'll see two icons: Link and Copy next to the action key-value. The link icon copies the JSONPath reference to the action result. For example, `${{ ACTIONS.first_action.result }}`. Copy action reference The copy icon copies the value of the action result itself. Copy action result When an action uses `mask_output`, the workflow execution UI keeps object and array structure but shows `[REDACTED]` for each individual value. You can still copy JSONPath references from the displayed shape, and downstream actions still receive the original result. ## Workflow definition All workflows are stored, exported, and versioned as YAML-based workflow definitions. See [Workflow definition](/automations/core-concepts/workflow-definition) for the full specification. # Functions Source: https://docs.tracecat.com/cheatsheets/functions Quick reference for every Tracecat expression function and operator, with signatures and examples for transforming data inside workflows and agents. ## Examples Build a prompt or short string: ```yaml Expression theme={null} prompt: ${{ FN.format("Investigate alert {0} with severity {1}", TRIGGER.alert_id, TRIGGER.severity) }} ``` ```json Result theme={null} { "prompt": "Investigate alert al-123 with severity high" } ``` Time manipulation for alert search windows: ```yaml Expression theme={null} start_time: ${{ FN.to_isoformat(FN.now() - FN.minutes(15)) }} end_time: ${{ FN.to_isoformat(FN.now()) }} ``` ```json Result theme={null} { "start_time": "2026-03-18T12:45:00", "end_time": "2026-03-18T13:00:00" } ``` Deserialize or serialize JSON: ```yaml Expression theme={null} parsed: ${{ FN.deserialize_json(TRIGGER.raw_json) }} serialized: ${{ FN.serialize_json({"status": "ok", "count": 3}) }} ``` ```json Result theme={null} { "parsed": { "status": "open", "count": 3 }, "serialized": "{\"status\":\"ok\",\"count\":3}" } ``` Format rows into a Markdown table: ```yaml Expression theme={null} table: ${{ FN.to_markdown_table(ACTIONS.list_findings.result) }} ``` ```json Result theme={null} { "table": "| id | severity |\n| --- | --- |\n| f-1 | high |\n| f-2 | medium |" } ``` Count or reshape a small value: ```yaml Expression theme={null} count: ${{ FN.length(ACTIONS.gather_results.result) }} unique_tags: ${{ FN.unique(TRIGGER.tags) }} ``` ```json Result theme={null} { "count": 3, "unique_tags": ["auth", "critical"] } ``` This page is generated from `tracecat/expressions/functions.py`. ## Function reference `FN.add(a: float | int, b: float | int) -> float | int` Add two numbers together. `FN.and(a: bool, b: bool) -> bool` Logical AND operation. `FN.at(sequence: Sequence[Any], index: int) -> Any` Return the element at the given index. `FN.capitalize(x: str) -> str` Capitalize a string. `FN.check_ip_version(ip: str) -> int` Get IP address version (4 or 6). `FN.compact(x: list[Any]) -> list[Any]` Drop null values from a list. Similar to compact function in Terraform. `FN.concat(*items: str) -> str` Concatenate multiple strings. `FN.contains(item: Any, container: Sequence[Any]) -> bool` Check if item exists in a sequence. Aliases: `FN.is_in` `FN.contains_any_of(a: Sequence[Any], b: Sequence[Any]) -> bool` Check if any of the elements of the first sequence exist in the second sequence. `FN.contains_none_of(a: Sequence[Any], b: Sequence[Any]) -> bool` Check if all of of the elements of the first sequence don't exist in the second sequence. `FN.datetime(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime` Create datetime from year, month, day, hour, minute, and second. `FN.days(x: int) -> timedelta` Create timedelta with specified days. `FN.days_between(start: datetime | str, end: datetime | str) -> float` Days between two datetimes. `FN.deserialize_json(obj, /)` Deserialize JSON to Python objects. `FN.deserialize_ndjson(x: str) -> list[dict[str, Any]]` Parse newline-delimited JSON string into list of objects. `FN.deserialize_yaml(x: str) -> Any` Deserialize YAML string to object. `FN.difference(a: Sequence[Any], b: Sequence[Any]) -> list[Any]` Return a list of elements that are in the first sequence but not in the second. `FN.div(a: float | int, b: float | int) -> float` Divide first number by second number. `FN.does_not_contain(item: Any, container: Sequence[Any]) -> bool` Check if item does not exist in a sequence. Aliases: `FN.is_not_in`, `FN.not_in` `FN.drop_nulls(items: list[Any]) -> list[Any]` Remove all null or empty string values from a list. `FN.endswith(x: str, suffix: str) -> bool` Check if a string ends with a specified suffix. `FN.extract_asns(text: str) -> list[str]` Extract Autonomous System Numbers, e.g. AS1234, from a string. `FN.extract_cves(text: str) -> list[str]` Extract CVE IDs, such as CVE-2021-34527, from a string. `FN.extract_domains(text: str, include_defanged: bool = False) -> list[str]` Extract domain names from a string. `FN.extract_emails(text: str, normalize: bool = False) -> list[str]` Extract unique emails from a string. When `normalize` is True, lowercases the email and strips the subaddress (the `+...` part before `@`). `FN.extract_ip(text: str, include_defanged: bool = False) -> list[str]` Extract unique IPv4 and IPv6 addresses from a string. `FN.extract_ipv4(text: str, include_defanged: bool = False) -> list[str]` Extract unique IPv4 addresses from a string. `FN.extract_ipv6(text: str, include_defanged: bool = False) -> list[str]` Extract unique IPv6 addresses from a string. Includes defanged variants as an option. `FN.extract_mac(text: str) -> list[str]` Extract MAC addresses from a string. `FN.extract_md5(text: str) -> list[str]` Extract MD5 hashes from a string. `FN.extract_sha1(text: str) -> list[str]` Extract SHA1 hashes from a string. `FN.extract_sha256(text: str) -> list[str]` Extract SHA256 hashes from a string. `FN.extract_sha512(text: str) -> list[str]` Extract SHA512 hashes from a string. `FN.extract_urls(text: str, http_only: bool = False, include_defanged: bool = False) -> list[str]` Extract URLs from text, optionally including defanged ones. `FN.flatten(iterables: Sequence[Sequence[Any]]) -> list[Any]` Flatten nested sequences into a single list. `FN.flatten_dict(x: str | dict[str, Any] | list[Any], max_depth: int = 100) -> dict[str, Any]` Return object with single level of keys (as jsonpath) and values. `FN.format(template: str, *values: Any) -> str` Format a string with the given arguments. `FN.format_datetime(x: datetime | str, format: str) -> str` Format datetime into specified format (e.g. '%Y-%m-%d %H:%M:%S'). `FN.from_base64(x: str) -> str` Decode base64 string to string. `FN.from_base64url(x: str) -> str` Decode URL-safe base64 string to string. `FN.from_timestamp(x: float | int | str, unit: str = s) -> datetime` Convert timestamp in milliseconds ('ms') or seconds ('s') to datetime. `FN.get_day(x: datetime | str) -> int` Get day of month (1-31) from datetime. `FN.get_day_of_week(x: datetime | str, format: "Literal[number, full, short]" = number) -> int | str` Extract day of week from datetime. Returns 0-6 (Mon-Sun) or day name if format is "full" or "short". `FN.get_hour(x: datetime | str) -> int` Get hour (0-23) from datetime. `FN.get_interaction() -> dict[str, str] | None` Get the interaction context from the current action in the workflow execution. `FN.get_minute(x: datetime | str) -> int` Get minute (0-59) from datetime. `FN.get_month(x: datetime | str, format: "Literal[number, full, short]" = number) -> int | str` Extract month from datetime. Returns 1-12 or month name if format is "full" or "short". `FN.get_second(x: datetime | str) -> int` Get second (0-59) from datetime. `FN.get_year(x: datetime | str) -> int` Get year from datetime. `FN.greater_than(a: Any, b: Any) -> bool` Check if a is greater than b. `FN.greater_than_or_equal(a: Any, b: Any) -> bool` Check if a is greater than or equal to b. `FN.hash_md5(x: str | bytes) -> str` Generate MD5 hash of input string or bytes. `FN.hash_sha1(x: str | bytes) -> str` Generate SHA1 hash of input string or bytes. `FN.hash_sha256(x: str | bytes) -> str` Generate SHA256 hash of input string or bytes. `FN.hash_sha512(x: str | bytes) -> str` Generate SHA512 hash of input string or bytes. `FN.hours(x: int) -> timedelta` Create timedelta with specified hours. `FN.hours_between(start: datetime | str, end: datetime | str) -> float` Hours between two datetimes. `FN.intersection(a: Sequence[Any], b: Sequence[Any]) -> list[Any]` Return a list containing the intersection of elements from two sequences. `FN.ipv4_in_subnet(ipv4: str, subnet: str) -> bool` Check if IPv4 address is in the given subnet. `FN.ipv4_is_public(ipv4: str) -> bool` Check if IPv4 address is public/global. `FN.ipv6_in_subnet(ipv6: str, subnet: str) -> bool` Check if IPv6 address is in the given subnet. `FN.ipv6_is_public(ipv6: str) -> bool` Check if IPv6 address is public/global. `FN.is_empty(x: Sequence[Any]) -> bool` Check if sequence has length 0. `FN.is_equal(a: Any, b: Any) -> bool` Check if a is equal to b. `FN.is_in(item: Any, container: Sequence[Any]) -> bool` Check if item exists in a sequence. Aliases: `FN.contains` `FN.is_json(x: str) -> bool` Check if a string is valid JSON. `FN.is_not_empty(x: Sequence[Any]) -> bool` Check if sequence has length greater than 0. Aliases: `FN.not_empty` `FN.is_not_equal(a: Any, b: Any) -> bool` Check if a is not equal to b. Aliases: `FN.not_equal` `FN.is_not_in(item: Any, container: Sequence[Any]) -> bool` Check if item does not exist in a sequence. Aliases: `FN.does_not_contain`, `FN.not_in` `FN.is_not_null(x: Any) -> bool` Check if value is not None. Aliases: `FN.not_null` `FN.is_null(x: Any) -> bool` Check if value is None. `FN.is_working_hours(x: datetime | str, start: str, end: str, include_weekends: bool = False, timezone: str | None = None) -> bool` Check if datetime is between two times (HH:MM or HH:MM:SS strings). `FN.iter_product(*iterables: Sequence[Any]) -> list[tuple[Any, ...]]` Generate cartesian product of sequences. `FN.join(items: Sequence[str], sep: str) -> str` Join sequence of strings with separator. `FN.length(obj, /)` Return the number of items in a container. `FN.less_than(a: Any, b: Any) -> bool` Check if a is less than b. `FN.less_than_or_equal(a: Any, b: Any) -> bool` Check if a is less than or equal to b. `FN.lookup(d: dict[Any, Any], k: Any) -> Any` Safely get value from an object. `FN.lowercase(x: str) -> str` Convert string to lowercase. `FN.map_keys(x: dict[str, Any], keys: dict[str, str]) -> dict[str, Any]` Map keys in an object to new keys. `FN.max(a: Any, b: Any) -> Any` Return the maximum of two values. `FN.merge(x: list[dict[Any, Any]]) -> dict[Any, Any]` Merge list of objects. Similar to merge function in Terraform. `FN.min(a: Any, b: Any) -> Any` Return the minimum of two values. `FN.minutes(x: int) -> timedelta` Create timedelta with specified minutes. `FN.minutes_between(start: datetime | str, end: datetime | str) -> float` Minutes between two datetimes. `FN.mod(a: float | int, b: float | int) -> float | int` Calculate modulo (remainder) of first number divided by second. `FN.mul(a: float | int, b: float | int) -> float | int` Multiply two numbers together. `FN.normalize_email(email: str) -> str` Convert sub-addressed email to a normalized email address. `FN.not(x: bool) -> bool` Logical NOT operation. `FN.not_empty(x: Sequence[Any]) -> bool` Check if sequence has length greater than 0. Aliases: `FN.is_not_empty` `FN.not_equal(a: Any, b: Any) -> bool` Check if a is not equal to b. Aliases: `FN.is_not_equal` `FN.not_in(item: Any, container: Sequence[Any]) -> bool` Check if item does not exist in a sequence. Aliases: `FN.does_not_contain`, `FN.is_not_in` `FN.not_null(x: Any) -> bool` Check if value is not None. Aliases: `FN.is_not_null` `FN.now(as_isoformat: bool = False, timespec: str = auto) -> datetime | str` Return workflow logical time (local, naive) or current time if outside workflow. `FN.or(a: bool, b: bool) -> bool` Logical OR operation. `FN.parse_csv(x: str) -> list[dict[str, Any]]` Parse CSV string into list of objects. `FN.parse_datetime(x: str, format: str) -> datetime` Parse string to datetime using specified format. `FN.parse_time(x: str) -> time` Parse HH:MM:SS or HH:MM formatted string to a time object. `FN.pow(a: float | int, b: float | int) -> float | int` Raise first number to the power of second number. `FN.prefix(x: str | list[str], prefix: str) -> str | list[str]` Add a prefix to a string or list of strings. `FN.prettify_json(x: Any) -> str` Convert object to formatted JSON string. `FN.range(start: int, end: int, step: int = 1) -> list[int]` Create a range of integers from start to end (exclusive), with a step size. `FN.regex_extract(pattern: str, text: str) -> str | None` Extract the first captured group from text; fallback to full match if none. `FN.regex_match(pattern: str, text: str) -> bool` Check if text matches regex pattern. `FN.regex_not_match(pattern: str, text: str) -> bool` Check if text does not match regex pattern. `FN.replace(x: str, old: str, new: str) -> str` Replace all occurrences of old substring with new substring. `FN.seconds(x: int) -> timedelta` Create timedelta with specified seconds. `FN.seconds_between(start: datetime | str, end: datetime | str) -> float` Seconds between two datetimes. `FN.serialize(x: Any) -> str` Serialize a JSON-compatible value to string. `FN.serialize_json(x: Any) -> str` Convert object to JSON string. `FN.serialize_yaml(x: Any) -> str` Serialize object to YAML string. `FN.set_timezone(x: datetime | str, timezone: str) -> datetime` Convert datetime to different timezone. Timezone must be a valid IANA timezone name (e.g., "America/New\_York"). `FN.slice(x: str, start_index: int, length: int) -> str` Extract a substring from start\_index with given length. `FN.slugify(x: str) -> str` Slugify a string. `FN.split(x: str, sep: str) -> list[str]` Split a string into a list of strings by a seperator. `FN.startswith(x: str, suffix: str) -> bool` Check if a string starts wit a specified suffix. `FN.strip(x: str, chars: str) -> str` Removes all leading and trailing characters. `FN.sub(a: float | int, b: float | int) -> float | int` Subtract second number from first number. `FN.suffix(x: str | list[str], suffix: str) -> str | list[str]` Add a suffix to a string or list of strings. `FN.sum(iterable: Iterable[float | int], start: float | int = 0) -> float | int` Return the sum of a 'start' value (default: 0) plus an iterable of numbers. `FN.symmetric_difference(a: Sequence[Any], b: Sequence[Any]) -> list[Any]` Return a list of elements that are in either sequence but not in both. `FN.tabulate(x: list[dict[str, typing.Any]], format: Literal[markdown, html, csv, xml]) -> str` Format list of objects into `markdown`, `html`, `csv`, or `xml` `FN.titleize(x: str) -> str` Convert a string to titlecase. `FN.to_base64(x: str) -> str` Encode string to base64. `FN.to_base64url(x: str) -> str` Encode string to URL-safe base64. `FN.to_datetime(x: Any, timezone: str | None = None) -> datetime` Convert to timezone-aware datetime object from timestamp (in seconds), ISO 8601 string or existing datetime. `FN.to_isoformat(x: datetime | str, timespec: str = auto) -> str` Convert datetime to ISO format string. `FN.to_keys(x: dict[Any, Any]) -> list[Any]` Extract keys from an object. `FN.to_markdown_list(x: list[str], ordered: bool = False) -> str` Format list of strings into Markdown list. `FN.to_markdown_table(x: list[dict[str, typing.Any]]) -> str` Format list of dictionaries into Markdown table. `FN.to_markdown_tasks(x: list[str]) -> str` Format list of strings into Markdown tasks. `FN.to_time(x: datetime | str) -> time` Convert datetime to time. `FN.to_timestamp(x: datetime | str, unit: str = s) -> int` Convert datetime to timestamp in milliseconds ('ms') or seconds ('s'). `FN.to_values(x: dict[Any, Any]) -> list[Any]` Extract values from an object. `FN.today() -> date` Return workflow logical time date (local) or current date if outside workflow. `FN.union(a: Sequence[Any], b: Sequence[Any]) -> list[Any]` Return a list containing the union of elements from two sequences. `FN.unique(items: Sequence[Any]) -> list[Any]` List of hashable items (e.g. strings, numbers) to remove duplicates from. `FN.unset_timezone(x: datetime | str) -> datetime` Remove timezone information from datetime without changing the time. `FN.uppercase(x: str) -> str` Convert string to uppercase. `FN.url_decode(x: str) -> str` Converts percent-encoded characters back into their original form. `FN.url_encode(x: str) -> str` Converts URL-unsafe characters into percent-encoded characters. `FN.utcnow(as_isoformat: bool = False, timespec: str = auto) -> datetime | str` Return workflow logical time (UTC, aware) or current UTC time if outside workflow. `FN.uuid4() -> str` Generate a random UUID string. `FN.wall_clock(as_isoformat: bool = False, timespec: str = auto) -> datetime | str` Return actual current wall clock time (local, naive). `FN.weeks(x: int) -> timedelta` Create timedelta with spcified weeks `FN.weeks_between(start: datetime | str, end: datetime | str) -> float` Weeks between two datetimes or dates. `FN.windows_filetime(x: datetime | str) -> int` Convert datetime to Windows filetime. `FN.zip(*iterables: Sequence[Any]) -> list[tuple[Any, ...]]` Zip multiple sequences together. `FN.zip_map(x: list[str], y: list[str]) -> dict[str, str]` Zip two arrays into list of key-value pairs, then convert into mapping. ## Operator equivalents Equivalent function names: `FN.or` Equivalent function names: `FN.and` Equivalent function names: `FN.is_equal` Equivalent function names: `FN.is_not_equal`, `FN.not_equal` Equivalent function names: `FN.less_than` Equivalent function names: `FN.less_than_or_equal` Equivalent function names: `FN.greater_than` Equivalent function names: `FN.greater_than_or_equal` Equivalent function names: `FN.add` Equivalent function names: `FN.sub` Equivalent function names: `FN.mul` Equivalent function names: `FN.div` Equivalent function names: `FN.mod` Equivalent function names: `FN.contains`, `FN.is_in` Equivalent function names: `FN.does_not_contain`, `FN.is_not_in`, `FN.not_in` # JSONPath Source: https://docs.tracecat.com/cheatsheets/jsonpath Quick reference for JSONPath syntax, filters, and access patterns used in Tracecat expressions to read fields from triggers, actions, secrets, and variables. ## Filter patterns Equality: ```yaml Expression theme={null} high_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }} open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }} ``` ```json Result theme={null} { "high_alerts": [{"id": "al-1", "severity": "high"}], "open_findings": [{"id": "f-1", "status": "open"}] } ``` Inequality: ```yaml Expression theme={null} secondary_roles: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug != "primary-role")] }} ``` ```json Result theme={null} { "secondary_roles": [ { "attributes": { "incident_role": { "data": { "attributes": { "slug": "secondary-role" } } } } } ] } ``` Numeric comparison: ```yaml Expression theme={null} critical_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }} recent_events: ${{ TRIGGER.events[?(@.count > 10)] }} ``` ```json Result theme={null} { "critical_scores": [{"name": "Alice", "score": 96}], "recent_events": [{"id": "evt-1", "count": 14}] } ``` Truthy field check: ```yaml Expression theme={null} users_with_email: ${{ ACTIONS.lookup_users.result.users[?(@.email)] }} alerts_with_owner: ${{ TRIGGER.alerts[?(@.owner)] }} ``` ```json Result theme={null} { "users_with_email": [{"name": "Alice", "email": "alice@example.com"}], "alerts_with_owner": [{"id": "al-1", "owner": "secops"}] } ``` String matching by exact value: ```yaml Expression theme={null} prod_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.environment == "prod")] }} linux_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.os == "linux")] }} ``` ```json Result theme={null} { "prod_hosts": [{"hostname": "api-1", "environment": "prod"}], "linux_hosts": [{"hostname": "api-1", "os": "linux"}, {"hostname": "worker-1", "os": "linux"}] } ``` Nested field checks: ```yaml Expression theme={null} owned_devices: ${{ TRIGGER.assets[?(@.owner.name == "SecOps")] }} resolved_cases: ${{ ACTIONS.search_cases.result.items[?(@.status.name == "resolved")] }} ``` ```json Result theme={null} { "owned_devices": [{"id": "dev-1", "owner": {"name": "SecOps"}}], "resolved_cases": [{"id": "case-2", "status": {"name": "resolved"}}] } ``` Filter and project a nested field: ```yaml Expression theme={null} role_slugs: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug)].attributes.incident_role.data.attributes.slug }} ``` ```json Result theme={null} { "role_slugs": ["primary-role", "secondary-role"] } ``` Filter and return one field from matching rows: ```yaml Expression theme={null} open_ids: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].id }} ``` ```json Result theme={null} { "open_ids": ["f-1", "f-3"] } ``` ## Return behavior * Single matches return a scalar. * Wildcards return a list. * Filters return a list. * Non-existent fields return `None` (no error is raised). Examples: ```yaml Expression theme={null} name: ${{ TRIGGER.user.name }} ``` ```json Result theme={null} { "name": "Alice" } ``` ```yaml Expression theme={null} names: ${{ TRIGGER.users[*].name }} ``` ```json Result theme={null} { "names": ["Alice", "Bob", "Carol"] } ``` ## Examples Trigger data: ```yaml Expression theme={null} email: ${{ TRIGGER.user.email }} ``` ```json Result theme={null} { "email": "alice@example.com" } ``` Action result: ```yaml Expression theme={null} ticket_id: ${{ ACTIONS.create_ticket.result.id }} ``` ```json Result theme={null} { "ticket_id": "T-123" } ``` Array item: ```yaml Expression theme={null} first_tag: ${{ ACTIONS.lookup_tags.result.tags[0] }} ``` ```json Result theme={null} { "first_tag": "malware" } ``` Wildcard: ```yaml Expression theme={null} tag_names: ${{ ACTIONS.lookup_tags.result.tags[*] }} ``` ```json Result theme={null} { "tag_names": ["malware", "phishing", "credential-access"] } ``` Filter: ```yaml Expression theme={null} open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }} ``` ```json Result theme={null} { "open_findings": [{"id": "f-1", "status": "open"}, {"id": "f-3", "status": "open"}] } ``` Filter and project: ```yaml Expression theme={null} open_titles: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].title }} ``` ```json Result theme={null} { "open_titles": ["Suspicious login", "Impossible travel"] } ``` ## Related pages * See [JSONPath](/automations/core-concepts/jsonpath) for core concepts and syntax. * See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts. * See [Functions](/automations/core-concepts/functions) for helper functions you can use alongside JSONPath access. # Custom registry Source: https://docs.tracecat.com/custom-actions/custom-registry Sync custom Python and YAML actions into Tracecat through your own registry: version, share, and reuse organization-specific automations across workspaces. You can build your own actions and use them in agents and workflows through Tracecat's custom registry feature. ## Why use a custom registry * Version control your code separate from Tracecat * Reuse your custom actions in multiple agents and workflows * Easily update your custom actions across all agents and workflows ## Permissions Custom registry is an organization-level feature and syncs across all workspaces. You must have the "Organization Admin" role to add and manage the custom registry. ## Installation Clone the [custom registry starter kit](https://github.com/TracecatHQ/custom-integrations-starter-kit) from GitHub. Clone GitHub template Go to "/actions" page in the workspace -> "Add registry" button -> "Custom registry" in organization settings. Configure the remote repository URL, package name, and allowed Git domains. The package name is the name of the Python package (e.g. the parent folder named `custom_actions` in the starter kit) in the repo. Custom registry settings Click "Sync from remote" button to sync the registry. Sync from remote ## Revert changes Syncing defaults to the latest commit in the remote repository. You can change the commit to sync to using the "Change commit" button. Change commit ## How custom registry works When you sync a registry, Tracecat: * Pulls the latest code from the remote repository * Converts the package and its dependencies into a tarball using `uv` * Uploads the tarball to S3-compatible object storage * Tarballs are stored in the bucket specified in the `TRACECAT__BLOB_STORAGE_BUCKET_REGISTRY` environment variable Published workflows run actions synced at the time of publication. When triggered, the Tracecat executor pulls the pinned version of the platform registry and custom registry tarballs from S3. You must republish a workflow to use the latest platform and custom actions. Even if there were no changes to the workflow itself. ## FAQ Yes. Tracecat works with Gitlab and GitHub Enterprise. Yes. The package name from the starter kit is `custom_actions`. To rename it, you'll need to rename the: * `custom_actions` folder to `my_new_package_name` * Project name in `pyproject.toml` to `my_new_package_name` Note: Python package names must be snake\_case. Yes. You can rename the git repo. It does not need to have the same name as the Python package. You must specify new dependencies in the `dependencies` section of the `pyproject.toml` file. Yes. For local Docker deployments, you can hot reload custom actions into Tracecat with a local registry. See [local development](/custom-actions/local-development) for more details. # Local development Source: https://docs.tracecat.com/custom-actions/local-development Hot-reload custom Python and YAML actions while developing locally against Tracecat: iterate on registry code with fast feedback loops and live workflow runs. You can test custom actions locally without syncing on every change. Local registry should only be used for development. Production deployments should use remote [custom registry](/custom-actions/custom-registry) sync. ## Why local development * Faster feedback loop * No need to sync on every change * No need to republish a workflow to use the latest platform and custom actions ## How to enable local development In your `.env` file, set the following environment variables: 1. `TRACECAT__LOCAL_REPOSITORY_ENABLED` to `true` 2. `TRACECAT__LOCAL_REPOSITORY_PATH` to the path of your local repository e.g. `~/repos/my-local-registry` 3. `PYTHONPATH` to `/app/local_registry:` ```bash theme={null} TRACECAT__LOCAL_REPOSITORY_ENABLED=true TRACECAT__LOCAL_REPOSITORY_PATH=~/dev/org/internal-registry PYTHONPATH=/app/local_registry: ``` # Python UDFs Source: https://docs.tracecat.com/custom-actions/python-udf Build custom Python actions for Tracecat: declare inputs and outputs, package dependencies, and expose user-defined functions to workflows and agents. Tracecat makes it easy to turn your Python scripts into actions for agents and workflows. All you need is: * A single Python decorator, `@registry.register` * `from typing import Annotated` * `from typing_extensions import Doc` ## Quick start 1. Add a Python file to your custom registry package. 2. Register one async function with `@registry.register(...)`. 3. Define typed inputs, read secrets with `secrets.get(...)`, and return JSON-serializable data. ```python theme={null} from typing import Annotated from typing_extensions import Doc from tracecat_registry import registry, RegistrySecret, secrets # (Optional) Define secrets used in the function secret_name = RegistrySecret( name="secret_name", keys=["SECRET_NAME"], optional_keys=["OPTIONAL_SECRET_NAME"], ) # Register the function as a Tracecat UDF @registry.register( default_title="Say goodbye secretly", description="This is a function that says goodbye", display_group="Greetings", namespace="integrations.greetings", # (Optional) Define secrets used in the function secrets=[secret_name], ) async def say_goodbye_secretly( name: Annotated[str, Doc("The name to say goodbye to")], ): secret = secrets.get("SECRET_NAME") # We're returning the secret for demonstration only. # Do not do this in your own functions! return {"message": f"Goodbye, {name}! Secret: {secret}"} ``` ## What to define * Use `tools.` for the namespace. * Set `default_title`, `description`, `display_group`, `doc_url`, and `namespace` in `@registry.register(...)`. * Define action inputs with type hints and `Field(..., description=...)`. * Define required credentials with `RegistrySecret(...)` and pass them in `secrets=[...]`. * Read secret values with `secrets.get(...)`. * Return plain dicts, lists, strings, numbers, or booleans. ## Declaring secret types By default, secrets are `custom` (arbitrary key-value). If your action requires an SSH key, mTLS certificate, or CA certificate, set `secret_type` so the credentials UI renders the correct form. | `secret_type` | Required `keys` | Description | | ------------- | ---------------------------------------- | --------------------------------- | | `"custom"` | Any | Generic key-value pairs (default) | | `"ssh_key"` | `["PRIVATE_KEY"]` | SSH private key (PEM) | | `"mtls"` | `["TLS_CERTIFICATE", "TLS_PRIVATE_KEY"]` | mTLS client certificate and key | | `"ca_cert"` | `["CA_CERTIFICATE"]` | CA certificate bundle | ### Examples ```python theme={null} # SSH key secret — renders an SSH private key textarea in the UI ssh_secret = RegistrySecret( name="ansible", keys=["PRIVATE_KEY"], secret_type="ssh_key", ) # mTLS secret — renders certificate + key textareas mtls_secret = RegistrySecret( name="mtls", keys=["TLS_CERTIFICATE", "TLS_PRIVATE_KEY"], secret_type="mtls", optional=True, ) # CA certificate secret — renders a certificate textarea ca_cert_secret = RegistrySecret( name="ca_cert", keys=["CA_CERTIFICATE"], secret_type="ca_cert", optional=True, ) # Custom secret (default) — renders key-value inputs api_secret = RegistrySecret( name="slack", keys=["SLACK_BOT_TOKEN"], ) ``` `secret_type` uses snake\_case everywhere — Python declarations, the API, and the UI all use the same values (`ssh_key`, `ca_cert`, `mtls`, `custom`). Use the same `${{ SECRETS... }}` syntax as workflow actions. Custom secrets (API keys, SSH, mTLS, CA bundles, and so on): ```yaml theme={null} ${{ SECRETS.. }} ``` OAuth tokens live under `_oauth`. The key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`: * `authorization_code`: `${{ SECRETS._oauth._USER_TOKEN }}` * `client_credentials`: `${{ SECRETS._oauth._SERVICE_TOKEN }}` ```yaml theme={null} ${{ SECRETS.slack_oauth.SLACK_USER_TOKEN }} ${{ SECRETS.google_docs_oauth.GOOGLE_DOCS_SERVICE_TOKEN }} ``` Optional fallback when either grant type is allowed: ```yaml theme={null} ${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN || SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_SERVICE_TOKEN }} ``` ## Python UDFs Declare credentials in `@registry.register(..., secrets=[...])`. * `RegistrySecret`: static keys; set `secret_type` to `ssh_key`, `mtls`, or `ca_cert` when needed ([secret types](/automations/core-concepts/secrets)). Optional: `optional`, `optional_keys`. * `RegistryOAuthSecret`: declares a dependency on an existing OAuth integration. Pass the `provider_id` and `grant_type` that match the integration in your workspace (a mismatch — for example declaring `authorization_code` when the integration uses `client_credentials` — will not resolve). Read values with `secrets.get("")` (key only, e.g. `GOOGLE_DRIVE_USER_TOKEN`), not a `SECRETS.` path. ```python theme={null} from tracecat_registry import RegistryOAuthSecret, RegistrySecret, registry, secrets api = RegistrySecret(name="exa", keys=["EXA_API_KEY"]) oauth = RegistryOAuthSecret( provider_id="google_drive", grant_type="authorization_code", ) ``` ## YAML Under `definition`, set a `secrets` list (same validator as Python). Custom (optional `secret_type` for structured secrets): ```yaml theme={null} definition: secrets: - name: exa keys: ["EXA_API_KEY"] - name: ansible keys: ["PRIVATE_KEY"] secret_type: ssh_key ``` OAuth: ```yaml theme={null} definition: secrets: - type: oauth provider_id: microsoft_teams grant_type: authorization_code ``` The `provider_id` and `grant_type` must match an integration already configured in your workspace. Use `${{ SECRETS._oauth. }}` in `args`. Set `optional: true` on an OAuth entry when it is not always required. ## Example providers See [`integrations/google_drive.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/google_drive.py) and [`integrations/slack_sdk.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py) for UDFs that use OAuth credentials. See [`tracecat_registry/core/ssh.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/core/ssh.py) for an `ssh_key` secret example. For YAML templates, see [`microsoft_teams/send_message.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_teams/send_message.yml) (`authorization_code`), [`google_docs/create_document.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/google_docs/create_document.yml) (`client_credentials`), and [`microsoft_sentinel/.../get_alert_rule_template.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_sentinel/alert_rules/get_alert_rule_template.yml) (optional dual grant). See [`templates/tools/exa/search.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/exa/search.yml) for a simple API key template. For the full list of built-in provider IDs, see [`tracecat/integrations/providers/__init__.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py). ## Example actions You can browse all open-source integrations in Tracecat in [tools actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/integrations). Use [template actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools) to see how actions are composed, and use [core actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/core) to inspect built-in implementations. For concrete examples, browse the [Slack](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py), [AWS Boto3](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/aws_boto3.py), and [FalconPy](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/crowdstrike_falconpy.py) integrations. # YAML templates Source: https://docs.tracecat.com/custom-actions/yaml-template Build custom YAML template actions for Tracecat: compose existing actions and expressions into reusable, versioned building blocks for workflows and agents. Use a YAML action template to compose existing actions into a reusable action. ## Template shape Create a `.yml` file in your registry templates directory. Define inputs in `expects`, run actions in `steps`, and return the final value from `returns`. ```yaml theme={null} type: action definition: title: Post message description: Post a message to a Slack channel. display_group: Slack namespace: tools.slack name: post_message expects: channel: type: str description: The Slack channel ID. text: type: str description: The message text. steps: - ref: post_message action: tools.slack_sdk.call_method args: sdk_method: chat_postMessage params: channel: ${{ inputs.channel }} text: ${{ inputs.text }} returns: ${{ steps.post_message.result }} ``` * Start every file with `type: action`. * Use `tools.` for the namespace. * Set `title`, `description`, `display_group`, `namespace`, and `name` in `definition`. * Define inputs in `expects`. * Build the action in `steps`. * Return the final value from `returns`. ## Expressions Use `${{ }}` for expressions. Use `inputs` to read the inputs you defined in `expects`. Use `steps` to read the result of an earlier step. After a step runs, its output is available at `steps..result`. ```yaml Read an input theme={null} args: channel: ${{ inputs.channel }} text: ${{ inputs.text }} ``` ```yaml Read an earlier step result theme={null} returns: ${{ steps.post_message.result }} ``` ```yaml Build one step from another theme={null} steps: - ref: lookup_user action: tools.slack.users.lookup_user_by_email args: email: ${{ inputs.email }} - ref: post_message action: tools.slack.chat.post_message args: channel: ${{ steps.lookup_user.result.id }} text: Hello ``` You can use: * `inputs` * `steps` * `SECRETS` * `VARS` * `FN.*` ## Secrets Declare what each template needs under `definition.secrets` (API keys, structured types, or OAuth). That list drives which credentials must exist for the action when the workflow runs. Use the same `${{ SECRETS... }}` paths in `args` as in any other expression. Use the same `${{ SECRETS... }}` syntax as workflow actions. Custom secrets (API keys, SSH, mTLS, CA bundles, and so on): ```yaml theme={null} ${{ SECRETS.. }} ``` OAuth tokens live under `_oauth`. The key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`: * `authorization_code`: `${{ SECRETS._oauth._USER_TOKEN }}` * `client_credentials`: `${{ SECRETS._oauth._SERVICE_TOKEN }}` ```yaml theme={null} ${{ SECRETS.slack_oauth.SLACK_USER_TOKEN }} ${{ SECRETS.google_docs_oauth.GOOGLE_DOCS_SERVICE_TOKEN }} ``` Optional fallback when either grant type is allowed: ```yaml theme={null} ${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN || SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_SERVICE_TOKEN }} ``` ## Python UDFs Declare credentials in `@registry.register(..., secrets=[...])`. * `RegistrySecret`: static keys; set `secret_type` to `ssh_key`, `mtls`, or `ca_cert` when needed ([secret types](/automations/core-concepts/secrets)). Optional: `optional`, `optional_keys`. * `RegistryOAuthSecret`: declares a dependency on an existing OAuth integration. Pass the `provider_id` and `grant_type` that match the integration in your workspace (a mismatch — for example declaring `authorization_code` when the integration uses `client_credentials` — will not resolve). Read values with `secrets.get("")` (key only, e.g. `GOOGLE_DRIVE_USER_TOKEN`), not a `SECRETS.` path. ```python theme={null} from tracecat_registry import RegistryOAuthSecret, RegistrySecret, registry, secrets api = RegistrySecret(name="exa", keys=["EXA_API_KEY"]) oauth = RegistryOAuthSecret( provider_id="google_drive", grant_type="authorization_code", ) ``` ## YAML Under `definition`, set a `secrets` list (same validator as Python). Custom (optional `secret_type` for structured secrets): ```yaml theme={null} definition: secrets: - name: exa keys: ["EXA_API_KEY"] - name: ansible keys: ["PRIVATE_KEY"] secret_type: ssh_key ``` OAuth: ```yaml theme={null} definition: secrets: - type: oauth provider_id: microsoft_teams grant_type: authorization_code ``` The `provider_id` and `grant_type` must match an integration already configured in your workspace. Use `${{ SECRETS._oauth. }}` in `args`. Set `optional: true` on an OAuth entry when it is not always required. ## Example providers See [`integrations/google_drive.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/google_drive.py) and [`integrations/slack_sdk.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py) for UDFs that use OAuth credentials. See [`tracecat_registry/core/ssh.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/core/ssh.py) for an `ssh_key` secret example. For YAML templates, see [`microsoft_teams/send_message.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_teams/send_message.yml) (`authorization_code`), [`google_docs/create_document.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/google_docs/create_document.yml) (`client_credentials`), and [`microsoft_sentinel/.../get_alert_rule_template.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_sentinel/alert_rules/get_alert_rule_template.yml) (optional dual grant). See [`templates/tools/exa/search.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/exa/search.yml) for a simple API key template. For the full list of built-in provider IDs, see [`tracecat/integrations/providers/__init__.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py). ## Limitations * Template steps only support `ref`, `action`, and `args`. * Template steps run in order. * Template steps do not support `run_if`, `for_each`, `join_strategy`, `start_delay`, `timeout`, or `max_attempts`. * Templates can call tools actions, other templates, and `core.script.run_python`. Other platform actions are not supported inside templates. * If a later step fails, you do not get a final result with earlier step outputs. Keep templates short. In practice, do not build templates with more than 2 steps. ## Example templates All integrations in Tracecat are open source. Browse [template actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools) for more examples. For concrete examples, browse the [Slack templates](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools/slack) and [CrowdStrike templates](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools/crowdstrike). # Getting started Source: https://docs.tracecat.com/overview/getting-started Self-host your own instance or join Tracecat Community Cloud. The easiest way to get started is to connect your agent harness (Claude Code, Cursor, OpenAI Codex) to Tracecat. ## Self-host Docker Compose is the easiest way to self-host. Check out the full guide [here](/self-hosting/docker-compose) or follow the quickstart below. ```bash theme={null} # Setup environment variables and secrets curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/env.sh curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/.env.example chmod +x env.sh && ./env.sh # Download Caddyfile curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/Caddyfile # Download Docker Compose file curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/docker-compose.yml # Start Tracecat docker compose up -d ``` ## Connect MCP Connecting your agent to Tracecat Cloud automatically creates an account for you. You can also sign up manually via [https://platform.tracecat.com](https://platform.tracecat.com). If you are **self-hosted**, replace `https://platform.tracecat.com` with your `PUBLIC_APP_URL` (e.g. `http://localhost` or `https://tracecat.example.com`). Authentication uses a built-in OIDC provider—your agent is redirected to sign in through the browser on first connection. For clients or environments that cannot complete a browser sign-in, authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead. Sign in with OAuth: ```bash theme={null} claude mcp add -t http tracecat https://platform.tracecat.com/mcp claude /mcp ``` Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens). Set `TRACECAT_MCP_PAT` in your environment and reference it with **single quotes** so the variable (not the token) is written to the saved config: ```bash theme={null} claude mcp add --transport http tracecat https://platform.tracecat.com/mcp \ --header 'Authorization: Bearer ${TRACECAT_MCP_PAT}' ``` Sign in with OAuth: ```bash theme={null} codex mcp add tracecat --url https://platform.tracecat.com/mcp codex mcp login tracecat ``` Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens). Set `TRACECAT_MCP_PAT` in your environment, then reference it by name: ```bash theme={null} codex mcp add tracecat --url https://platform.tracecat.com/mcp \ --bearer-token-env-var TRACECAT_MCP_PAT ``` ```bash theme={null} copilot /mcp add # Server Name: tracecat # Server Type: HTTP # URL: https://platform.tracecat.com/mcp # Tools: * ``` Follow [GitHub Copilot MCP setup](https://docs.github.com/en/copilot/how-tos/copilot-cli/customize-copilot/add-mcp-servers) for the latest CLI prompts. Or add this server to `~/.copilot/mcp-config.json`: ```json theme={null} { "mcpServers": { "tracecat": { "type": "http", "url": "https://platform.tracecat.com/mcp", "tools": ["*"] } } } ``` To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of OAuth, add an `Authorization` header (`${TRACECAT_MCP_PAT}` is read from your environment): ```json theme={null} "headers": { "Authorization": "Bearer ${TRACECAT_MCP_PAT}" } ``` On Tracecat Cloud, click [Add Tracecat to Cursor](https://cursor.com/en-US/install-mcp?name=tracecat\&config=eyJ1cmwiOiJodHRwczovL3BsYXRmb3JtLnRyYWNlY2F0LmNvbS9tY3AifQ) to add it in one click. Otherwise configure `.cursor/mcp.json` manually: ```json theme={null} { "mcpServers": { "tracecat": { "url": "https://platform.tracecat.com/mcp" } } } ``` To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of OAuth, add an `Authorization` header (Cursor resolves `${env:TRACECAT_MCP_PAT}` from your environment): ```json theme={null} "headers": { "Authorization": "Bearer ${env:TRACECAT_MCP_PAT}" } ``` # Welcome to Tracecat Source: https://docs.tracecat.com/overview/introduction Tracecat is the AI automation platform for security teams and agents. ## Automating security work The AI-native security automation platform. Turn prompts into workflows, triggers, and tables via Tracecat MCP. Build custom AI agents that call tools and MCP (stdio, remote) servers. Resolve work items with agents and workflows. Build your own custom actions and sync them into Tracecat via git. Host your own sandboxed MCP server in Tracecat. Host your Tracecat in your own infrastructure. ## Securing agents at scale Enterprise Edition Protect your organization's agent rollout with the same security features as Tracecat automation. Connect local agents to any tool, MCP server, workflow, or agent in Tracecat. Monitor agent tool calls and activity across all connected agents (Claude Code, Cursor, OpenAI Codex). Detect and block malicious tool calls with pre-built and custom rules. Approve or reject agent tools calls from within Tracecat UI, Slack, or Microsoft Teams. # Architecture Source: https://docs.tracecat.com/self-hosting/architecture Architecture overview for self-hosted Tracecat: services, networking, authentication boundaries, and dependencies between API, executor, worker, LiteLLM, and frontend. ## Services The Docker Compose stack runs 16 containers. Only `caddy` is exposed externally; all other ports are internal to the Docker network. | Service | Port | Description | | :--------------------- | :----------------- | :-------------------------------------------- | | `caddy` | 80 (configurable) | Reverse proxy and TLS termination | | `api` | 8000 | REST API and webhook receiver | | `ui` | 3000 | Next.js frontend | | `worker` | — | Workflow orchestrator | | `executor` | — | Action executor with optional sandbox | | `agent-worker` | — | AI agent orchestrator | | `agent-executor` | — | AI agent action executor | | `litellm` | 4000 | Managed LiteLLM gateway for AI model requests | | `mcp` | 8099 | MCP server for IDE integrations | | `postgres_db` | 5432 | Application database (PostgreSQL 16) | | `temporal` | 7233 | Workflow engine | | `temporal_postgres_db` | 5432 | Temporal database (PostgreSQL 13) | | `temporal_ui` | 8081 (not exposed) | Temporal web UI | | `minio` | 9000, 9001 | S3-compatible object storage | | `redis` | 6379 | Cache and message broker | | `migrations` | — | One-shot database migration runner | ## Networking ### Caddy routing Caddy is the single entry point for all external traffic. It forwards requests based on path: | Path | Destination | Purpose | | :------------------------------------------------------------------------------------------- | :----------- | :------------------ | | `/api*` | `api:8000` | REST API | | `/mcp*` | `mcp:8099` | MCP server | | `/.well-known/oauth-*`, `/authorize*`, `/token`, `/register`, `/consent*`, `/auth/callback*` | `mcp:8099` | MCP OAuth flow | | `/s3/*` | `minio:9000` | Presigned URL proxy | | `/*` | `ui:3000` | Frontend (default) | ### Data flow The browser connects to Caddy, which proxies to the API or UI. The UI server also calls the API directly via `INTERNAL_API_URL` for server-side rendering. External systems send webhooks to `/api/webhooks/...`, which Caddy forwards to the API service. The API submits workflow runs to the Temporal server on port 7233. Workers pull tasks from Temporal's task queue and dispatch actions to executors. Executors run individual action steps, optionally inside an nsjail sandbox. Agent workers and agent executors follow the same Temporal-based pattern for AI agent workflows. ### LiteLLM request path The `litellm` container runs Tracecat's managed LiteLLM gateway on port 4000. It is an internal service, not a public API endpoint. When an agent workflow reaches a model call, `agent-executor` sends the request to `http://litellm:4000` by default. The LiteLLM gateway validates the request, resolves the selected model provider, injects the provider credentials, and forwards the request upstream. This keeps provider credentials out of the sandboxed agent process while giving all managed model requests one internal routing point. Custom provider configurations can bypass the managed gateway when passthrough mode is enabled. Otherwise, root agents and subagents use the internal LiteLLM gateway. ### Docker networks Four networks isolate traffic between service groups: | Network | Scope | Services | | :------------ | :------- | :----------------------------------------------------------------------------------------------------------------------------- | | `core` | default | caddy, api, ui, worker, executor, agent-worker, agent-executor, litellm, mcp, redis, minio, temporal, temporal\_ui, migrations | | `core-db` | internal | api, worker, executor, agent-worker, agent-executor, litellm, mcp, migrations, postgres\_db | | `temporal` | default | temporal, temporal\_ui, worker, executor, agent-worker, agent-executor, mcp | | `temporal-db` | internal | temporal, temporal\_postgres\_db | Networks marked `internal` cannot reach the internet, preventing direct external access to databases. ## OIDC Set `TRACECAT__AUTH_TYPES=oidc` in your `.env` file and configure these variables: * `OIDC_ISSUER` — your identity provider's issuer URL * `OIDC_CLIENT_ID` — client ID from your identity provider * `OIDC_CLIENT_SECRET` — client secret from your identity provider Set the callback URI in your identity provider to `/auth/oauth/callback`. See [OIDC configuration](/authentication/oidc) for provider-specific setup instructions. ## SAML Set `TRACECAT__AUTH_TYPES=saml` in your `.env` file and configure `SAML_IDP_METADATA_URL` with your identity provider's metadata URL. Supported identity providers: Okta, Microsoft Entra ID, Authentik, and Keycloak. See [SAML configuration](/authentication/saml) for provider-specific setup instructions. ## FAQ Yes. Update `TRACECAT__DB_URI` to point to your managed PostgreSQL instance and `REDIS_URL` for Redis. For Temporal, update the Temporal PostgreSQL credentials in your `.env` file. See [Security](/self-hosting/security) for production credential recommendations. Caddy auto-provisions TLS certificates from Let's Encrypt when `BASE_DOMAIN` is set to a real domain. Set `PUBLIC_APP_URL` to use `https://` and expose ports 80 and 443 on the Caddy container. See [Configure SSL for production](/self-hosting/docker-compose#how-do-i-configure-ssl-for-production) for step-by-step instructions. Yes. Tracecat has been tested with Amazon S3, MinIO, SeaweedFS, and RustFS. Point your IDE's MCP configuration to `/mcp`. Authentication uses a built-in OIDC provider — your agent will be redirected to sign in through the browser on first connection. See [Tracecat MCP](/automations/tracecat-mcp#setup) for IDE-specific setup instructions. # AWS ECS Fargate Source: https://docs.tracecat.com/self-hosting/aws-fargate Deploy self-hosted Tracecat to AWS ECS Fargate using Terraform: provision RDS, networking, secrets, and Temporal alongside Tracecat services in your own AWS account. This stack exposes Tracecat to the public internet. We've set the `auth_types` Terraform variable to `saml` by default. You must configure SAML before your first login or change `auth_types` to another method. See [Security](/self-hosting/security) for additional production hardening recommendations. ## Prerequisites * [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) * AWS credentials configured for your target account and role * A public [Route53 hosted zone](https://aws.amazon.com/route53/) (domain and hosted zone ID) * `openssl` and AWS CLI (if using the helper secret script) ## Clone the repository Clone the Tracecat repository and navigate to the Fargate deployment directory. ```bash theme={null} git clone https://github.com/TracecatHQ/tracecat.git cd tracecat/deployments/fargate ``` ## Create core secrets You can create these in AWS Secrets Manager manually or use the helper script: ```bash theme={null} export AWS_DEFAULT_REGION= ./scripts/create-aws-secrets.sh ``` Save the resulting secret ARNs. You'll need them for Terraform variables. ## Configure authentication secrets (optional) Depending on your chosen `auth_types` (e.g. `saml`, `oidc`, `oauth`), provide the necessary secret ARNs as Terraform variables. For example, for SAML: * `saml_idp_metadata_url_arn` ## Initialize and deploy Initialize Terraform and apply the configuration. ```bash theme={null} terraform init export TF_VAR_aws_region= export TF_VAR_domain_name= export TF_VAR_hosted_zone_id= export TF_VAR_tracecat_db_encryption_key_arn= export TF_VAR_tracecat_service_key_arn= export TF_VAR_tracecat_signing_secret_arn= export TF_VAR_user_auth_secret_arn= # Optional but recommended export TF_VAR_tracecat_image_tag=1.0.0-beta.50 terraform apply ``` Provisioning takes about 10-20 minutes due to RDS and ECS startup. ## Access Tracecat Once deployed, access your instance at: * UI: `https://` * API docs: `https:///api/docs` * MCP: `https:///mcp` ## Updating Tracecat To update an existing Tracecat deployment on Fargate: 1. Pull the latest Fargate stack from the Tracecat repository to ensure you have the most recent infrastructure changes. 2. Change the `TF_VAR_tracecat_image_tag` variable to the desired image tag compatible with the stack, or remove the variable to default to the latest image tag. 3. Run `terraform apply` to apply the updates. ```bash theme={null} cd tracecat/deployments/fargate git pull origin main # Set variables as before, then update the image tag export TF_VAR_tracecat_image_tag=1.0.0-beta.50 terraform apply ``` ## Temporal DB SSL enforcement For the bundled Fargate `temporalio/auto-setup` deployment, `temporal_db_force_ssl` defaults to `false`: ```bash theme={null} export TF_VAR_temporal_db_force_ssl=false terraform apply ``` This setting applies only to the bundled Temporal RDS instance. It requires a DB reboot when changed and permits non-TLS connections to the Temporal database for compatibility with the current Fargate Temporal auto-setup flow. If you are using Temporal Cloud or another external Temporal cluster, set `disable_temporal_autosetup=true` and point `temporal_cluster_url` at your external cluster. In that setup, `temporal_db_force_ssl` is typically unused because the bundled Temporal RDS instance is not created. If you run your own external Temporal PostgreSQL and want SSL-only enforcement there, set `TF_VAR_temporal_db_force_ssl=true`. ## FAQ Fargate does not support the permissions model required by `nsjail`. Tracecat uses a fallback executor without `nsjail` isolation on Fargate. If you need the highest isolation for untrusted code execution (like custom registry actions or `core.script.run_python`), deploy Tracecat on Kubernetes using the [Helm chart](https://github.com/TracecatHQ/tracecat/tree/main/deployments/k8s/helm), where `nsjail` is enabled by default. The Terraform stack deploys: * Public ALB, Route53 records, and ACM certificates * ECS cluster with Service Connect * RDS instances (core database and optional Temporal database) * ElastiCache Redis * S3 buckets for attachments, registry, and workflow artifacts * VPC endpoints for S3 and Secrets Manager Migrations run in an init container during the API task startup. The API container only starts if migrations succeed. If migrations fail, the deployment pauses and dependent services (`worker`, `executor`) will not update. # Docker Compose Source: https://docs.tracecat.com/self-hosting/docker-compose Deploy self-hosted Tracecat using Docker Compose: bring up the API, executor, worker, frontend, Postgres, and Temporal stack on a single host in minutes. Docker Compose deployments default to basic email / password authentication. Production deployments should use [OIDC](/authentication/oidc) or [SAML](/authentication/saml) SSO. See [Security](/self-hosting/security) for additional production hardening recommendations. Tracecat SAML SSO always requires signed assertions and signed responses. ## Prerequisites * [Docker](https://docs.docker.com/engine/install/) version 26.0.0+ * [Docker Compose](https://docs.docker.com/compose/install/) version 2.29.0+ * [openssl](https://www.openssl.org/source/) ## Core secrets The `env.sh` script (next step) generates these automatically. If you need to generate them manually: ## Download configuration files ```bash theme={null} # 1. Download the env.sh installation script curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/env.sh # 2. Download the .env.example template file (env.sh needs this to generate your .env file) curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/.env.example # 3. Make the env.sh script executable and run it chmod +x env.sh && ./env.sh ``` After running `env.sh`, you'll be prompted to input the following: * Set `PUBLIC_APP_URL`. Defaults to `localhost`. * Require PostgreSQL SSL mode? Defaults to `n`. * Required field: Enter email address for the first user (superadmin). ## Download Caddyfile Tracecat uses Caddy as a reverse proxy. You'll need to download the following `Caddyfile` to configure this service. ```bash theme={null} curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/Caddyfile ``` ## Download Docker Compose file ```bash theme={null} curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/docker-compose.yml ``` ## Start Tracecat Run the command below to start Tracecat and all related services. Make sure your `docker-compose.yml` and generated `.env` files are in the same directory. ```bash theme={null} docker compose up ``` ## Access Tracecat Once deployed, access your instance at: * UI: `http://localhost:${PUBLIC_APP_PORT}` * API docs: `http://localhost:${PUBLIC_APP_PORT}/api/docs` * MCP: `http://localhost:${PUBLIC_APP_PORT}/mcp` ## Updating Tracecat Be careful when updating Tracecat. Do not accidentally overwrite or lose your existing `TRACECAT__SERVICE_KEY`, `TRACECAT__SIGNING_SECRET`, `TRACECAT__DB_ENCRYPTION_KEY`, and `USER_AUTH_SECRET` secrets. Losing these secrets will break your credentials and webhooks. ```bash theme={null} # 1. Download the latest env migration script and env template curl -o env-migration.sh https://raw.githubusercontent.com/TracecatHQ/tracecat//env-migration.sh curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat//.env.example # 2. Make the migration script executable and update your existing .env chmod +x env-migration.sh && ./env-migration.sh # 3. Download the latest Docker Compose file curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat//docker-compose.yml # 4. Download the latest Caddyfile curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat//Caddyfile # 5. Restart Tracecat with the updated configuration docker compose up -d ``` The migration script creates a backup of your existing `.env` before rewriting it. After the stack starts, verify that your containers are healthy and that you can sign in successfully. ## Scaling Docker Compose runs all services on a single host. These are recommended minimums for different workload sizes. | Resource | Small | Standard | Production | | :-------------------- | :-------- | :-------- | :---------- | | CPU | 8 cores | 16 cores | 32+ cores | | RAM | 16 GB | 32 GB | 64+ GB | | Storage | 20 GB SSD | 50 GB SSD | 100+ GB SSD | | Docker | 26.0.0+ | 26.0.0+ | 26.0.0+ | | Workflow starts/sec | \~5 | \~15 | \~40 | | Concurrent seats | 1-10 | 10-50 | 50+ | | Concurrent agents/sec | 1-2 | 5-10 | 10+ | * Small: Development, testing, small teams (1-10 users) * Standard: Mid-size teams (10-50 users), moderate workflow execution * Production: Large teams (50+ users), high throughput Memory is typically the constraining factor. Workflow throughput is lower than dedicated Kubernetes deployments where services have guaranteed resources and can scale independently. For production workloads that exceed single-host capacity, consider [converting to Docker Swarm](#convert-to-docker-swarm) or deploying on Kubernetes. ## Convert to Docker Swarm Docker Swarm lets you scale individual services with resource limits and replicas across one or more nodes. ### Service resource recommendations | Service | CPU (cores) | Memory | Replicas | | :--------------------- | ----------: | ------: | -------: | | caddy | 0.25 | 256 Mi | 1 | | api | 2 | 4 Gi | 2 | | worker | 2 | 2 Gi | 4 | | executor | 4 | 8 Gi | 4 | | agent-worker | 2 | 2 Gi | 2 | | agent-executor | 4 | 16 Gi | 2 | | ui | 0.5 | 1 Gi | 2 | | mcp | 1 | 1 Gi | 1 | | postgres\_db | 2 | 4 Gi | 1 | | temporal | 4 | 8 Gi | 1 | | temporal\_postgres\_db | 2 | 4 Gi | 1 | | redis | 0.5 | 1 Gi | 1 | | minio | 0.5 | 1 Gi | 1 | | Total | \~25 | \~52 Gi | 23 | Stateful services (`postgres_db`, `temporal_postgres_db`, `minio`, `redis`) must remain at 1 replica. Scaling these requires external managed services (e.g., RDS, ElastiCache) or specialized clustering. ### Deploy with Docker Swarm 1. Initialize Swarm: ```bash theme={null} docker swarm init ``` 2. Add `deploy` configuration to each service in your `docker-compose.yml`. For example, for the `api` service: ```yaml theme={null} services: api: # ... existing configuration ... deploy: replicas: 2 resources: limits: cpus: "2" memory: 4G reservations: cpus: "2" memory: 4G ``` 3. Deploy the stack: ```bash theme={null} docker stack deploy -c docker-compose.yml tracecat ``` 4. Verify services are running: ```bash theme={null} docker stack services tracecat ``` ## FAQ For an overview of all services and networking, see [Architecture](/self-hosting/architecture). Yes but don't forget to set `PUBLIC_APP_URL` to `127.0.0.1` instead of `localhost` in your `.env` file. Yes but you'll need to set `PUBLIC_APP_URL` to the WSL IP address instead of `localhost`. Run `ip addr` to find your WSL IP address (usually 172.x.x.x). This suggests that the Tracecat UI is healthy but is unable to communicate with the Tracecat API. * Check that the `api` service is healthy * Check that this is not a CORS issue (see next FAQ) * Check that you changed `PUBLIC_APP_URL` and `PUBLIC_APP_PORT` to the correct address * Check the Chrome developer console for any errors You must configure `PUBLIC_APP_URL` and `PUBLIC_API_URL` to the same domain that your browser is accessing the Tracecat UI from. Tracecat strictly enforces CORS to prevent XSS attacks. This error occurs when your browser cannot connect to Tracecat API via `PUBLIC_APP_URL`. Please check the following: * Do not set `PUBLIC_APP_URL` to `0.0.0.0`. Browsers cannot connect to this address. Use `localhost`, `127.0.0.1`, or your machine's actual IP address instead. * WSL users: Do not use `127.0.0.1`. Run `ip addr` to find your WSL IP address (usually `172.x.x.x`) and use that instead. * If your frontend is running on a different machine than the API, set `NEXT_PUBLIC_API_URL` to an address your browser can reach. * Run `docker compose ps` to verify all services are running. * Check the temporal service is healthy. Worker connectivity issues can sometimes affect login. * View container logs: `docker compose logs api` and `docker compose logs temporal`. * Check firewall and port forwarding if using a reverse proxy. For example, if you've deployed Tracecat into a VM and exposed it to your browser as `https://my-tracecat-instance.com`, you must set: * `PUBLIC_APP_URL` to `https://my-tracecat-instance.com` * `PUBLIC_API_URL` to `https://my-tracecat-instance.com/api` Set both values to the exact browser-reachable URLs for your deployment, including the scheme: * Local example: * `PUBLIC_APP_URL=http://localhost:8000` * `PUBLIC_API_URL=http://localhost:8000/api` * Reverse proxy or public domain example: * `PUBLIC_APP_URL=https://tracecat.example.com` * `PUBLIC_API_URL=https://tracecat.example.com/api` Use full URLs once. Do not prepend `http://` or `https://` twice, and do not use addresses that only work inside Docker such as `0.0.0.0` or internal container hostnames. If sign-in still fails: * Verify that the domain in your browser exactly matches `PUBLIC_APP_URL`. * Verify that `PUBLIC_API_URL` is the same origin plus `/api`. * Run `docker compose ps` and check that `api`, `worker`, and `temporal` are healthy. * Review `docker compose logs api` for startup, auth, or CORS errors. Undersized Temporal clusters cause `No hosts available` errors and workflow execution failures. Ensure the Temporal server has at least 4 CPU cores and 8 GB of memory. Temporal also requires a well-provisioned PostgreSQL backend for adequate query throughput. The bundled `temporal_postgres_db` container is suitable for development and small deployments only. For production workloads, use a managed PostgreSQL instance (e.g., Amazon Aurora Serverless) for better QPS and reliability. Tracecat ships with [Caddy](https://caddyserver.com/) as a reverse proxy. Caddy automatically provisions and renews TLS certificates from Let's Encrypt when configured with a domain name. In your `.env` file, set `BASE_DOMAIN` to your domain and update the public URLs to use HTTPS: ```bash theme={null} BASE_DOMAIN=tracecat.example.com PUBLIC_APP_URL=https://tracecat.example.com PUBLIC_API_URL=https://tracecat.example.com/api ``` Update the `caddy` service ports in your `docker-compose.yml`: ```yaml theme={null} services: caddy: ports: - "80:80" - "443:443" ``` Port 80 must remain open for the ACME HTTP-01 challenge. Port 443 serves HTTPS traffic. ```bash theme={null} docker compose up -d ``` Caddy will automatically obtain and renew certificates on startup. # Environment variables Source: https://docs.tracecat.com/self-hosting/environment-variables Reference for every self-hosted Tracecat environment variable: configure auth, storage, secrets, integrations, and runtime behavior across services. ## Required secrets | Secret | Purpose | | :---------------------------- | :---------------------------------------------------------------------------------------------------- | | `TRACECAT__DB_ENCRYPTION_KEY` | Fernet key for at-rest encryption in PostgreSQL. Losing it makes encrypted credentials unrecoverable. | | `TRACECAT__SERVICE_KEY` | HMAC key for service-to-service JWT signing. | | `TRACECAT__SIGNING_SECRET` | Signs webhook URLs and HMAC operations. Changing it invalidates existing webhook URLs. | | `USER_AUTH_SECRET` | Signs OAuth state parameters and password-reset tokens. | Generate all four with `openssl`: ```bash theme={null} # TRACECAT__SERVICE_KEY openssl rand -hex 32 # TRACECAT__SIGNING_SECRET openssl rand -hex 32 # USER_AUTH_SECRET openssl rand -hex 32 # TRACECAT__DB_ENCRYPTION_KEY (Fernet-compatible base64) openssl rand 32 | base64 | tr -d '\n' | tr '+/' '-_' ``` ## Example `.env` ```bash theme={null} PUBLIC_APP_URL=https://tracecat.yourdomain.com PUBLIC_API_URL=https://tracecat.yourdomain.com/api TRACECAT__APP_ENV=production TRACECAT__DB_ENCRYPTION_KEY= TRACECAT__SERVICE_KEY= TRACECAT__SIGNING_SECRET= USER_AUTH_SECRET= TRACECAT__AUTH_SUPERADMIN_EMAIL=admin@yourdomain.com TRACECAT__DB_SSLMODE=require TRACECAT__POSTGRES_USER=postgres TRACECAT__POSTGRES_PASSWORD= ``` See [`.env.example`](https://github.com/TracecatHQ/tracecat/blob/main/.env.example) for all options. ## Variables ### Network | Variable | Default | Description | | :----------------- | :------------------------------------ | :------------------------------------------------------------------------------ | | `PUBLIC_APP_PORT` | `80` | Port the reverse proxy listens on. | | `PUBLIC_APP_URL` | `http://localhost:${PUBLIC_APP_PORT}` | Public URL users visit to reach the Tracecat UI. | | `PUBLIC_API_URL` | `${PUBLIC_APP_URL}/api` | Public URL for the Tracecat API, used by the browser and for webhook callbacks. | | `INTERNAL_API_URL` | `http://api:8000` | Internal URL that other services use to reach the API container. | ### Application | Variable | Default | Description | | :------------------------- | :---------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------- | | `TRACECAT__APP_ENV` | `development` | One of `development`, `staging`, or `production`. Controls logging detail and debug behavior. | | `TRACECAT__API_URL` | `${INTERNAL_API_URL}` | API URL used by backend services. Normally matches `INTERNAL_API_URL`. | | `TRACECAT__API_ROOT_PATH` | `/api` | Path prefix the API registers behind the reverse proxy. | | `TRACECAT__PUBLIC_APP_URL` | `${PUBLIC_APP_URL}` | Public frontend URL used for links in emails and notifications. | | `TRACECAT__PUBLIC_API_URL` | `${PUBLIC_API_URL}` | Public API URL used for incoming webhooks. If you expose webhooks through a tunnel (e.g. ngrok), set this to the tunnel URL. | | `TRACECAT__ALLOW_ORIGINS` | `http://localhost:3000,${PUBLIC_APP_URL}` | Comma-separated list of allowed CORS origins. | ### PostgreSQL | Variable | Default | Description | | :---------------------------- | :--------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------- | | `TRACECAT__POSTGRES_USER` | `postgres` | PostgreSQL username. | | `TRACECAT__POSTGRES_PASSWORD` | `postgres` | PostgreSQL password. Change this in production. | | `TRACECAT__DB_URI` | `postgresql+psycopg://${TRACECAT__POSTGRES_USER}:${TRACECAT__POSTGRES_PASSWORD}@postgres_db:5432/postgres` | Full database connection URI. Override this when using an external database. | | `TRACECAT__DB_SSLMODE` | `disable` | PostgreSQL SSL mode. Set to `require` or `verify-full` for remote databases. | ### Authentication | Variable | Default | Description | | :----------------------------------- | :------ | :------------------------------------------------------------------------------------------------------------ | | `TRACECAT__AUTH_SUPERADMIN_EMAIL` | | Email of the first user to promote to superadmin on initial startup. | | `TRACECAT__AUTH_TYPES` | `basic` | Comma-separated list of enabled auth methods: `basic`, `oidc`, `saml`. | | `TRACECAT__AUTH_ALLOWED_DOMAINS` | | Comma-separated email domains allowed to register (e.g. `example.com,example.org`). Leave blank to allow all. | | `TRACECAT__AUTH_MIN_PASSWORD_LENGTH` | `12` | Minimum password length for basic auth. | ### OIDC / OAuth | Variable | Default | Description | | :------------------- | :--------------------- | :---------------------------------------------------- | | `OIDC_ISSUER` | | OIDC issuer URL (e.g. `https://accounts.google.com`). | | `OIDC_CLIENT_ID` | | OAuth client ID from your identity provider. | | `OIDC_CLIENT_SECRET` | | OAuth client secret from your identity provider. | | `OIDC_SCOPES` | `openid profile email` | Space-separated OAuth scopes to request. | ### SAML | Variable | Default | Description | | :------------------------- | :------ | :------------------------------------------------------------------------------------------ | | `SAML_IDP_METADATA_URL` | | URL to your SAML IdP metadata XML. | | `SAML_ACCEPTED_TIME_DIFF` | `3` | Maximum clock skew in seconds accepted when validating SAML assertions. | | `SAML_ALLOW_UNSOLICITED` | `false` | Whether to allow unsolicited SAML responses. | | `SAML_VERIFY_SSL_ENTITY` | `true` | Whether to verify SSL certificates for general SAML entity operations. | | `SAML_VERIFY_SSL_METADATA` | `true` | Whether to verify SSL certificates when fetching SAML metadata. | | `SAML_CA_CERTS` | | Optional base64-encoded CA bundle for validating self-signed IdP metadata TLS certificates. | ### Temporal | Variable | Default | Description | | :---------------------------- | :-------------------- | :---------------------------------------------------------------- | | `TEMPORAL__CLUSTER_URL` | `temporal:7233` | Temporal cluster gRPC endpoint. | | `TEMPORAL__CLUSTER_QUEUE` | `tracecat-task-queue` | Temporal task queue name. | | `TEMPORAL__CLUSTER_NAMESPACE` | `default` | Temporal namespace. | | `TEMPORAL__API_KEY` | | API key for Temporal Cloud. Leave empty for self-hosted Temporal. | ### Executor | Variable | Default | Description | | :------------------------------------------------- | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `TRACECAT__EXECUTOR_BACKEND` | `direct` | Execution strategy for actions. `direct` runs a subprocess per action, `pool` uses warm nsjail workers (requires nsjail), `ephemeral` spawns a cold nsjail subprocess per action for full isolation, `auto` selects `pool` if nsjail is available and falls back to `direct`, `test` runs in-process for tests only. | | `TRACECAT__DISABLE_NSJAIL` | `true` | Disable nsjail sandboxing. Set to `false` only if nsjail is installed. | | `TRACECAT__RESULT_EXTERNALIZATION_ENABLED` | `true` | Store large action results in blob storage instead of Temporal history. | | `TRACECAT__COLLECTION_MANIFESTS_ENABLED` | `true` | Store large collections as chunked manifests in blob storage. | | `TRACECAT__RESULT_EXTERNALIZATION_THRESHOLD_BYTES` | `128000` | Byte threshold above which payloads are externalized to blob storage. | | `TRACECAT__WORKFLOW_ARTIFACT_RETENTION_DAYS` | `30` | Retention period in days for workflow artifacts. Objects older than this are automatically deleted via S3 lifecycle rules. Set to `0` to disable. | ### Blob storage | Variable | Default | Description | | :------------------------------------------ | :--------------------- | :-------------------------------- | | `TRACECAT__BLOB_STORAGE_BUCKET_WORKFLOW` | `tracecat-workflow` | S3 bucket for workflow artifacts. | | `TRACECAT__BLOB_STORAGE_BUCKET_ATTACHMENTS` | `tracecat-attachments` | S3 bucket for case attachments. | | `TRACECAT__BLOB_STORAGE_BUCKET_REGISTRY` | `tracecat-registry` | S3 bucket for registry packages. | ### MinIO | Variable | Default | Description | | :-------------------- | :--------- | :-------------------------------------------------------------- | | `MINIO_ROOT_USER` | `minio` | MinIO root username. Only used with the bundled MinIO instance. | | `MINIO_ROOT_PASSWORD` | `password` | MinIO root password. Change this in production. | ### Redis | Variable | Default | Description | | :----------- | :------------------------------------ | :------------------------------------------------------------------------------ | | `REDIS_HOST` | `redis` | Redis hostname. | | `REDIS_PORT` | `6379` | Redis port. | | `REDIS_URL` | `redis://${REDIS_HOST}:${REDIS_PORT}` | Full Redis connection URL. Override this when using an external Redis instance. | # Kubernetes Source: https://docs.tracecat.com/self-hosting/kubernetes Deploy self-hosted Tracecat to Kubernetes with the OCI Helm chart: install Tracecat services and Temporal on EKS, GKE, or any conformant cluster. The Tracecat Helm chart is distributed as a private OCI artifact hosted in AWS ECR. Please contact [customer success](https://cal.com/team/tracecat) for access for evaluations or internal enterprise use. ## Prerequisites * Kubernetes 1.27+ * Helm 3.12+ (with OCI support) * `kubectl` configured for your target cluster * Access to the Tracecat OCI Helm chart (see above) * External PostgreSQL instance (e.g., Amazon RDS, Cloud SQL) * External Redis instance (e.g., Amazon ElastiCache, Memorystore) * S3-compatible object storage (e.g., Amazon S3, MinIO) * `openssl` (for generating secrets) ## Core secrets Tracecat requires four cryptographic secrets. ## Secrets management The Helm chart supports three strategies for providing secrets to Tracecat pods. The chart creates `ExternalSecret` resources that sync from AWS Secrets Manager into Kubernetes secrets via a `ClusterSecretStore`. You need [External Secrets Operator](https://external-secrets.io) installed and a `ClusterSecretStore` configured with IRSA. ```yaml theme={null} externalSecrets: enabled: true clusterSecretStoreRef: "my-cluster-secret-store" coreSecrets: enabled: true secretArn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:tracecat/core" postgres: enabled: true secretArn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:tracecat/postgres" redis: enabled: true secretArn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:tracecat/redis" ``` Expected secret formats in AWS Secrets Manager: | Secret | Format | | :--------- | :--------------------------------------------------------------------------------------------------------- | | Core | JSON: `{ "dbEncryptionKey": "...", "serviceKey": "...", "signingSecret": "...", "userAuthSecret": "..." }` | | PostgreSQL | JSON: `{ "username": "...", "password": "..." }` | | Redis | Raw URL string, e.g. `rediss://:password@host:6379` | | Temporal | Raw API key string | The chart refreshes secrets every `1m` by default. Override with `externalSecrets.refreshInterval`. Reference a secret you created with `kubectl` or your GitOps pipeline. ```bash theme={null} kubectl create secret generic tracecat-secrets \ --namespace tracecat \ --from-literal=dbEncryptionKey="$(openssl rand 32 | base64 | tr -d '\n' | tr '+/' '-_')" \ --from-literal=serviceKey="$(openssl rand -hex 32)" \ --from-literal=signingSecret="$(openssl rand -hex 32)" \ --from-literal=userAuthSecret="$(openssl rand -hex 32)" ``` Then set `secrets.existingSecret` in your values: ```yaml theme={null} secrets: existingSecret: "tracecat-secrets" ``` You also need separate secrets for PostgreSQL and Redis, referenced by `externalPostgres.auth.existingSecret` and `externalRedis.auth.existingSecret`. Only use this approach if secret values are encrypted in your repository and injected at deploy time through a pipeline like ArgoCD with sealed secrets or SOPS. Storing plaintext secrets in version control is not safe. ```yaml theme={null} secrets: create: tracecat: enabled: true dbEncryptionKey: "${DB_ENCRYPTION_KEY}" serviceKey: "${SERVICE_KEY}" signingSecret: "${SIGNING_SECRET}" userAuthSecret: "${USER_AUTH_SECRET}" postgres: enabled: true username: "${DB_USERNAME}" password: "${DB_PASSWORD}" redis: enabled: true url: "${REDIS_URL}" ``` The chart renders these as Helm pre-install hooks so they exist before the migrations job runs. ## External services The Helm chart does not bundle databases. You must provide connection details for PostgreSQL, Redis, S3, and Temporal. ### PostgreSQL ```yaml theme={null} externalPostgres: host: "your-rds-instance.us-west-2.rds.amazonaws.com" port: 5432 database: tracecat sslMode: "require" auth: existingSecret: "tracecat-postgres-credentials" # keys: username, password tls: verifyCA: true caCert: | -----BEGIN CERTIFICATE----- ...RDS CA bundle... -----END CERTIFICATE----- ``` For Amazon RDS, download the global CA bundle from the [AWS trust store](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem). ### Redis ```yaml theme={null} externalRedis: auth: existingSecret: "tracecat-redis-credentials" # key: url ``` The `url` key should be a full Redis connection string, e.g. `rediss://:password@host:6379`. Use `rediss://` (double s) for TLS. ### S3 ```yaml theme={null} externalS3: endpoint: "" # leave empty for AWS S3 region: "us-west-2" auth: existingSecret: "tracecat-s3-credentials" # keys: accessKeyId, secretAccessKey ``` When using IRSA for S3 access, omit `auth.existingSecret` and annotate the service account instead (see [Service accounts](#service-accounts)). ### Temporal The chart includes a Temporal subchart. Point it at your external PostgreSQL instance for persistence. ```yaml theme={null} temporal: enabled: true server: config: persistence: datastores: default: sql: connectAddr: "your-rds-host:5432" user: "temporal" existingSecret: "tracecat-postgres-credentials" visibility: sql: connectAddr: "your-rds-host:5432" user: "temporal" existingSecret: "tracecat-postgres-credentials" ``` The Temporal schema setup job runs automatically and creates the `temporal` and `temporal_visibility` databases if they do not exist. Disable the bundled subchart and point to your Temporal Cloud namespace. ```yaml theme={null} temporal: enabled: false externalTemporal: enabled: true clusterUrl: "your-namespace.tmprl.cloud:7233" clusterNamespace: "your-namespace" auth: existingSecret: "tracecat-temporal-credentials" # key: apiKey ``` ## Service accounts The chart creates a shared `tracecat-app` service account for most workloads (API, worker, migrations). Optionally create dedicated service accounts for executor, agent-executor, and litellm. ### IRSA (EKS) Annotate service accounts with an IAM role ARN for AWS API access (S3, Secrets Manager, Bedrock). ```yaml theme={null} serviceAccount: create: true annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/tracecat-app" executor: serviceAccount: create: true name: "tracecat-executor" annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/tracecat-executor" ``` Dedicated executor service accounts let you scope S3 and secret permissions separately from the main application role. Cross-account role assumption is supported. Set `tracecat.aws.assumeRoleAccountId` and `tracecat.aws.assumeRolePrincipalArn` to assume roles in other AWS accounts from the executor. ## Networking The chart supports Kubernetes Ingress and Istio VirtualService for external traffic routing. The chart creates a single Ingress resource with path-based routing. Set `ingress.split: true` to generate separate Ingress resources per service (useful when the API requires different annotations than the UI, such as longer timeouts). ```yaml theme={null} ingress: enabled: true className: "alb" # or nginx, traefik, etc. host: "tracecat.example.com" annotations: alb.ingress.kubernetes.io/scheme: internet-facing tls: - hosts: - tracecat.example.com secretName: tracecat-tls ``` Default path routing: | Path | Service | Port | | :----- | :------ | :--- | | `/api` | api | 8000 | | `/mcp` | mcp | 8099 | | `/` | ui | 3000 | MCP routes (`/mcp`, `/.well-known/oauth-*`, `/authorize`, `/token`, `/register`, `/consent`, `/auth/callback`) are included automatically when `mcp.enabled: true`. Disable `ingress.enabled` when using VirtualServices to avoid conflicting resources. ```yaml theme={null} ingress: enabled: false virtualService: enabled: true tracecat: enabled: true configs: - name: tracecat hosts: - "tracecat.example.com" gateways: - "istio-system/my-gateway" ``` Optional webhook and Temporal Web UI VirtualServices are available via `virtualService.webhooks` and `virtualService.temporal`. ## Installation ```bash theme={null} helm registry login ``` Use the credentials provided by the Tracecat team. Combine secrets, external services, networking, and URL configuration from the sections above into a single `values.yaml`. ```yaml theme={null} secrets: existingSecret: "tracecat-secrets" urls: publicApp: "https://tracecat.example.com" publicApi: "https://tracecat.example.com/api" tracecat: auth: types: "oidc" superadminEmail: "admin@example.com" ingress: enabled: true className: "alb" host: "tracecat.example.com" externalPostgres: host: "your-db-host" auth: existingSecret: "tracecat-postgres-credentials" externalRedis: auth: existingSecret: "tracecat-redis-credentials" externalS3: region: "us-west-2" ``` ```bash theme={null} helm install tracecat oci:///tracecat \ --version \ --namespace tracecat --create-namespace \ -f values.yaml \ --wait --timeout 10m ``` Replace `` with the version provided by the Tracecat team (e.g. `0.4.5`). The `--wait` flag blocks until all pods are ready. Initial provisioning takes a few minutes depending on Temporal schema setup. ## Access Tracecat Once deployed, access your instance at: * UI: `https://` * API docs: `https:///api/docs` * MCP: `https:///mcp` ## Upgrading ```bash theme={null} helm upgrade tracecat oci:///tracecat \ --version \ --namespace tracecat \ -f values.yaml \ --wait --timeout 10m ``` Do not change or lose your `dbEncryptionKey`, `serviceKey`, `signingSecret`, or `userAuthSecret` values between upgrades. Losing these secrets makes encrypted credentials unrecoverable and invalidates existing webhook URLs. ## Security ### Execution sandboxing The chart enables nsjail by default (`tracecat.sandbox.disableNsjail: false`). nsjail isolates user-defined Python scripts and custom actions inside the executor. ```yaml theme={null} tracecat: sandbox: disableNsjail: false # default ``` nsjail requires privileged pods with `SYS_ADMIN` capability and an `Unconfined` seccomp profile. The chart sets these automatically on executor and agent-executor containers. See [Security](/self-hosting/security) for backend choices (`pool`, `ephemeral`, `direct`) and isolation tradeoffs. ### Authentication Set `tracecat.auth.types` to `oidc` or `saml` for production deployments. See [OIDC](/authentication/oidc) and [SAML](/authentication/saml) for configuration details. ## Autoscaling The chart uses KEDA with a Temporal queue-based scaler to auto-scale worker, executor, and agent-executor deployments. Prerequisites: * `keda.enabled: true` (installs the KEDA subchart) * `metricsserver.enabled: true` (or an existing metrics-server in the cluster) ```yaml theme={null} keda: enabled: true metricsserver: enabled: true worker: autoscaling: enabled: true minReplicas: 1 maxReplicas: 8 targetQueueSize: 5 cooldownPeriod: 120 executor: autoscaling: enabled: true minReplicas: 1 maxReplicas: 8 ``` When autoscaling is enabled, the static `replicas` value is ignored. KEDA polls the Temporal task queue and scales based on queue depth. ## Minimum resources These are the default resource requests and limits from the chart. | Component | CPU request | Memory request | CPU limit | Memory limit | Default replicas | | :------------- | :---------- | :------------- | :-------- | :----------- | :--------------- | | UI | 500m | 512Mi | 500m | 1024Mi | 1 | | API | 2000m | 4096Mi | 2000m | 4096Mi | 2 | | Worker | 2000m | 2048Mi | 2000m | 2048Mi | 4 | | Executor | 4000m | 8192Mi | 4000m | 8192Mi | 4 | | Agent executor | 2000m | 4096Mi | 4000m | 16384Mi | 2 | | Agent worker | 2000m | 2048Mi | 2000m | 2048Mi | 2 | | LiteLLM | 4000m | 8192Mi | 4000m | 8192Mi | 2 | | MCP | 1000m | 1024Mi | 1000m | 1024Mi | 2 | The agent executor uses burstable limits (requests 2000m/4096Mi, limits 4000m/16384Mi) to handle variable LLM response sizes. All other services use guaranteed QoS where requests equal limits. ## Observability The chart bundles optional subcharts for Prometheus, Grafana, and Grafana Alloy (k8s-monitoring). ```yaml theme={null} tracecat: temporal: metrics: enabled: true monitoring: enabled: true prometheus: enabled: true grafana: enabled: true adminPassword: "change-me" ``` For Grafana Cloud or other external providers, enable only `tracecat.temporal.metrics.enabled` and configure your own scraping. See `values-eks-grafana-cloud.yaml` in the chart examples directory. For production observability with custom dashboards, OpenTelemetry export, and alerting, contact the Tracecat team for enterprise support. ## FAQ Yes. Set `tracecat.aws.assumeRoleAccountId` and `tracecat.aws.assumeRolePrincipalArn` in your values. The executor uses STS `AssumeRole` to access resources in other AWS accounts. Ensure the target account's trust policy allows the executor's IRSA role. Undersized Temporal clusters cause this error. Ensure the Temporal server pods have at least 4 CPU cores and 8 GB of memory. If using self-hosted Temporal with an external PostgreSQL, verify the database can handle the query throughput. Managed services like Amazon Aurora Serverless are recommended for production workloads. Yes. The chart includes KEDA `ScaledObject` resources for worker, executor, and agent-executor. Set `keda.enabled: true` and `.autoscaling.enabled: true`. Scaling is driven by Temporal task queue depth, not CPU or memory utilization. Yes. The chart requires PostgreSQL, Redis, and S3-compatible storage but does not require AWS. Use any provider for these services. For secrets management without AWS Secrets Manager, use the existing Kubernetes secret or chart-managed secret template strategies instead of External Secrets Operator. Set `scheduling.architecture` to `arm64` or `amd64`. The chart adds a `kubernetes.io/arch` node selector to all pods. Set it to an empty string to disable architecture pinning. # Security Source: https://docs.tracecat.com/self-hosting/security Harden your self-hosted Tracecat deployment: rotate secrets, lock down network egress, configure SSO and RBAC, and meet common compliance baselines. ## Infrastructure credentials The default configuration ships with weak, well-known passwords for PostgreSQL, MinIO, and Redis. Replace them with strong, unique values before exposing Tracecat to production traffic. ```bash theme={null} # PostgreSQL TRACECAT__POSTGRES_USER=tracecat TRACECAT__POSTGRES_PASSWORD= # Temporal PostgreSQL TEMPORAL__POSTGRES_USER=temporal TEMPORAL__POSTGRES_PASSWORD= # MinIO / S3 MINIO_ROOT_USER= MINIO_ROOT_PASSWORD= # Redis — add a password and update the URL REDIS_URL=redis://:@redis:6379 ``` For Redis, you also need to pass the password to the container. Add a `command` override in your `docker-compose.yml`: ```yaml theme={null} services: redis: command: ["redis-server", "--requirepass", ""] ``` In production, consider replacing self-hosted PostgreSQL and Redis with managed services (e.g., Amazon RDS, ElastiCache) that handle encryption at rest, automated backups, and credential rotation. ## Execution sandboxing Tracecat executes user-defined Python scripts and actions inside the executor service. The level of isolation depends on your configuration. By default, Tracecat runs with `TRACECAT__DISABLE_NSJAIL=true` and uses the `direct` executor backend. In this mode, scripts run as regular subprocesses and can access the executor's environment variables, filesystem, and network. This is acceptable for development but **not recommended for production**. ### PID namespace isolation The default `direct` backend provides best-effort PID namespace isolation using Linux `unshare`. This prevents scripts from inspecting other processes via `/proc`, but does not restrict filesystem or network access. It works without Docker privileged mode and is the baseline for non-sandboxed deployments. ### nsjail sandbox (recommended for production) For production, enable [nsjail](https://github.com/google/nsjail) — a process isolation tool from Google that enforces: * **Filesystem isolation** — scripts can only access their job directory and explicitly mounted paths. The host filesystem is not visible. * **Resource limits** — CPU time, memory, file size, and process count are capped per execution. A runaway script cannot starve the host. * **User namespace separation** — scripts run as unprivileged users even when the container runs as root. * **Network access** — network is allowed (scripts need to reach databases, APIs, and S3) but constrained to the container's network namespace. To enable nsjail, set the following in your `.env`: ```bash theme={null} TRACECAT__DISABLE_NSJAIL=false TRACECAT__EXECUTOR_BACKEND=pool # or 'ephemeral' for multi-tenant full isolation ``` nsjail requires: * Linux with kernel 4.6+ * Docker privileged mode or `CAP_SYS_ADMIN` capability on the executor container * The nsjail binary and sandbox rootfs (included in Tracecat images) nsjail is not supported on macOS or Windows. These platforms can only use the `direct` backend with PID namespace isolation. ### Choosing a backend | Backend | Isolation | Latency | Use case | | :---------- | :------------------------------- | :---------- | :-------------------------------- | | `direct` | PID namespace only | \~50ms | Development, trusted environments | | `pool` | nsjail sandbox (warm workers) | \~100-200ms | Single-tenant production | | `ephemeral` | nsjail sandbox (cold per action) | \~4000ms | Multi-tenant, maximum isolation | ## Authentication Docker Compose deployments default to basic email/password authentication. For production, configure [OIDC](/authentication/oidc) or [SAML](/authentication/saml) SSO. ## TLS Never run production traffic over plain HTTP. See [How do I configure SSL for production?](/self-hosting/docker-compose#how-do-i-configure-ssl-for-production) for Caddy-based automatic TLS setup. # AbuseIPDB Source: https://docs.tracecat.com/tools/abuseipdb Reference for the Tracecat AbuseIPDB integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup IP address Action ID: `tools.abuseipdb.lookup_ip_address` Lookup an IP address in AbuseIPDB. Reference: [https://docs.abuseipdb.com/#check-endpoint](https://docs.abuseipdb.com/#check-endpoint) ### Secrets Required secrets: * `abuseipdb`: required values `ABUSEIPDB_API_KEY`. ### Input fields IP address to lookup. Maximum age of the IP address in days. Default: `30`. # AlertMedia Source: https://docs.tracecat.com/tools/alertmedia Reference for the Tracecat AlertMedia integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create trip Action ID: `tools.alertmedia.create_trip` Create a trip in AlertMedia. Reference: [https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary](https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields City of the trip. Country code of the trip. For example, US, CA, GB, etc. End date of the trip. Example 2025-06-26 23:59:59 Latitude of the trip. Longitude of the trip. Name of the trip. Start date of the trip. Example 2025-06-26 00:00:00 User ID of the user to create the trip for. AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. Time zone of the trip. Default: `"America/New_York"`. Time zone of the trip. Default: `"America/New_York"`. ## Delete trip Action ID: `tools.alertmedia.delete_trip` Delete a trip from AlertMedia. Reference: [https://docs.alertmedia.com/reference/steps-deleting-a-trip-or-itinerary](https://docs.alertmedia.com/reference/steps-deleting-a-trip-or-itinerary) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields ID of the trip to delete. User ID of the user to delete the trip for. AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. ## Get Travel Events Action ID: `tools.alertmedia.get_travel_events` Get travel events and concerns for users traveling. This can be traffic, weather, or other events that may affect the user's travel. This returns a list of events and an item range header. The item range header of 0-2/3 means that the first 3 events (0-2) have been returned and there are a total of 3 events. Reference: [https://docs.alertmedia.com/reference/get-list-events](https://docs.alertmedia.com/reference/get-list-events) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields Whether to get active trips. Default: `null`. AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. Item-Range header value. Default is 0-25. Default: `"0-25"`. Start date of the trips to get. Example 2025-06-26 00:00:00 Default: `""`. ## Get user trip by ID Action ID: `tools.alertmedia.get_user_trip_by_id` Get a trip by ID from AlertMedia. Reference: [https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary](https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields ID of the trip to get. User ID of the user to get the trip for. AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. ## Get user trips Action ID: `tools.alertmedia.get_user_trips` Get a list of trips for a user from AlertMedia. This returns a list of trips and an item range header. The item range header of 0-2/3 means that the first 3 trips (0-2) have been returned and there are a total of 3 trips. Reference: [https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary](https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields User ID of the user to get the trips for. AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. Item-Range header value. Default is 0-25. Default: `"0-25"`. ## Search trips Action ID: `tools.alertmedia.search_trips` Search for trips in AlertMedia. This returns a list of trips and an item range header. The item range header of 0-2/3 means that the first 3 trips (0-2) have been returned and there are a total of 3 trips. Reference: [https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary](https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. Item-Range header value. Default is 0-25. Default: `"0-25"`. Sort trips in response by one of start\_date, end\_date, name, city, country, state, country\_code. Add - before the field name to reverse the order (e.g. ?ordering=-start\_date returns trips sorted by start date Z-A). Default is -active\_date. Default: `"-active_date"`. Filter trips by status, this is a comma separated list of statuses. Valid values are upcoming, active, past. Default is upcoming,active,past. (all statuses) Default: `"upcoming,active,past"`. ## Search users Action ID: `tools.alertmedia.search_users` Search for users in AlertMedia. This returns a list of users and an item range header. The item range header of 0-2/3 means that the first 3 users (0-2) have been returned and there are a total of 3 users. Reference: [https://docs.alertmedia.com/reference/get-list-users](https://docs.alertmedia.com/reference/get-list-users) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. Email of the user to search for. Default: `""`. Whether the user has an registered device. Default: `""`. Whether the user has an email. Default: `""`. Whether the user has a phone number. Default: `""`. Item-Range header value. Default is 0-25. Default: `"0-25"`. Name of the user to search for. Default: `""`. Sort users in response by one of last\_name, first\_name, last\_login, email, mobile\_phone, date\_updated. Add - before the field name to reverse the order (e.g. ?ordering=-last\_name returns users sorted by last name Z-A) Default: `""`. Phone number of the user to search for. Default: `""`. ## Update trip Action ID: `tools.alertmedia.update_trip` Update a trip in AlertMedia. Reference: [https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary](https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary) ### Secrets Required secrets: * `alertmedia`: required values `ALERTMEDIA_API_KEY`. ### Input fields Trip ID of the trip to update. User ID of the user to create the trip for. AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com)) Default: `null`. City of the trip. Default: `null`. Country code of the trip. For example, US, CA, GB, etc. Default: `null`. End date of the trip. Example 2025-06-26 23:59:59 Default: `null`. Time zone of the trip. Default: `null`. Latitude of the trip. Default: `null`. Longitude of the trip. Default: `null`. Name of the trip. Default: `null`. Start date of the trip. Example 2025-06-26 00:00:00 Default: `null`. Time zone of the trip. Default: `null`. # Amazon S3 Source: https://docs.tracecat.com/tools/amazon_s3 Reference for the Tracecat Amazon S3 integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call S3 method Action ID: `tools.amazon_s3.call_method` Instantiate a S3 client and call a S3 method. Reference: [https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html](https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields S3 method name. S3 method parameters. Endpoint URL for the AWS S3 service. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## Copy S3 objects Action ID: `tools.amazon_s3.copy_objects` Copy S3 objects from one bucket to another. Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.copy\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.copy_object) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields Destination S3 bucket name. Prefix to filter objects (e.g., 'manuals\_' for keys starting with 'manuals\_'). Source S3 bucket name. Endpoint URL for the AWS S3 service. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## Delete S3 object Action ID: `tools.amazon_s3.delete_object` Delete an object from S3. Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.delete\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.delete_object) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields S3 bucket name. S3 object key. Endpoint URL for the AWS S3 service. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## Get S3 object Action ID: `tools.amazon_s3.get_object` Download an object from S3 and return its body as a string. Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get_object) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields S3 bucket name. S3 object key. Endpoint URL for the AWS S3 service. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## Get S3 objects Action ID: `tools.amazon_s3.get_objects` Download multiple S3 objects and return their bodies as strings. Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get_object) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields S3 bucket name. S3 object keys. Endpoint URL for the AWS S3 service. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## List S3 objects Action ID: `tools.amazon_s3.list_objects` List objects in an S3 bucket. Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.list\_objects\_v2](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.list_objects_v2) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields S3 bucket name. Endpoint URL for the AWS S3 service. Default: `null`. Maximum number of objects to return. Default: `1000`. S3 object key prefix. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## Parse S3 URI Action ID: `tools.amazon_s3.parse_uri` Parse an S3 URI into bucket name and object key. Reference: [https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html](https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields ## Put S3 object Action ID: `tools.amazon_s3.put_object` Uploads an object to S3. The object key is validated and content decoded. Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.put\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.put_object) ### Secrets Optional secrets: * `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields S3 bucket name. Base64 encoded content of the file to upload. S3 object key. Endpoint URL for the AWS S3 service. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. # Ansible Source: https://docs.tracecat.com/tools/ansible Reference for the Tracecat Ansible integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Run Ansible playbook Action ID: `tools.ansible.run_playbook` Run Ansible playbook on a single host given a list of plays in JSON format. Supports SSH host-connection mode only. Reference: [https://docs.ansible.com/ansible/latest/index.html](https://docs.ansible.com/ansible/latest/index.html) ### Secrets Required secrets: * `ansible`: required values `PRIVATE_KEY`. ### Input fields Host to SSH into and run the playbook on Host name to use in the inventory List of plays to run SSH user to connect as Environment variables to be used when running Ansible Default: `null`. Extra variables to pass to Ansible using `-e` Default: `null`. List of events to ignore from the playbook. Returns all events by default. Default: `null`. Optional mapping from password prompt to value. Example: \{"SSH password:": "\$\{\{ SECRETS.your\_secret\_name.some\_password }}"}. Default: `null`. Additional keyword arguments to pass to the runner Default: `null`. Timeout for the playbook execution in seconds Default: `60`. # ANY.RUN Source: https://docs.tracecat.com/tools/anyrun Reference for the Tracecat ANY.RUN integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get analysis Action ID: `tools.anyrun.get_analysis` Retrieve details for an ANY.RUN analysis by ID. Reference: [https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/\{analysis\_id}](https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/\{analysis_id}) ### Secrets Required secrets: * `anyrun`: required values `ANYRUN_API_KEY`. ### Input fields Identifier of the analysis task. ## List analyses Action ID: `tools.anyrun.list_analyses` List ANY.RUN analyses with optional status filtering. Reference: [https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/](https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/) ### Secrets Required secrets: * `anyrun`: required values `ANYRUN_API_KEY`. ### Input fields Maximum number of analyses to return. Default: `50`. Pagination offset. Default: `0`. Optional analysis status to filter by (e.g. finished, running). Default: `null`. ## Submit analysis Action ID: `tools.anyrun.submit_analysis` Create an ANY.RUN analysis task for a file hash, URL, or file reference. Reference: [https://any.run/api-documentation/#tag/analysis/POST/v1/analysis/](https://any.run/api-documentation/#tag/analysis/POST/v1/analysis/) ### Secrets Required secrets: * `anyrun`: required values `ANYRUN_API_KEY`. ### Input fields Value of the object to analyze (URL, hash, or file UUID). Whether to run the analysis in interactive mode. Default: `false`. Type of object to analyze (url, hash, or file). Default: `"url"`. Execution environment to use (e.g. win10). Default: `"win10"`. # AWS Boto3 Source: https://docs.tracecat.com/tools/aws_boto3 Reference for the Tracecat AWS Boto3 integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call method Action ID: `tools.aws_boto3.call_api` Instantiate a Boto3 client and call an AWS Boto3 API method. Reference: [https://docs.aws.amazon.com/boto3/latest/guide/clients.html](https://docs.aws.amazon.com/boto3/latest/guide/clients.html) ### Secrets Required secrets: * `aws`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields Method name e.g. 'list\_buckets', 'list\_instances' AWS service name e.g. 's3', 'ec2', 'guardduty'. Endpoint URL for the AWS service. Default: `null`. Parameters for the API method. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. ## Call paginator Action ID: `tools.aws_boto3.call_paginated_api` Instantiate a Boto3 paginator and call a paginated AWS API method. Reference: [https://docs.aws.amazon.com/boto3/latest/guide/paginators.html](https://docs.aws.amazon.com/boto3/latest/guide/paginators.html) ### Secrets Required secrets: * `aws`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`. ### Input fields Paginator name e.g. 'list\_objects\_v2', 'describe\_instances'. AWS service name e.g. 's3', 'ec2', 'guardduty'. Endpoint URL for the AWS service. Default: `null`. Parameters for the API paginator. Default: `null`. AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client. Default: `null`. # Azure Log Analytics Source: https://docs.tracecat.com/tools/azure_log_analytics Reference for the Tracecat Azure Log Analytics integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Execute cross-workspace KQL query Action ID: `tools.azure_log_analytics.execute_cross_workspace_kql_query` Execute a KQL query across multiple Log Analytics workspaces for federated Azure Log Analytics queries. Reference: [https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1](https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1) ### Secrets Optional secrets: * `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_USER_TOKEN`. * `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_SERVICE_TOKEN`. ### Input fields List of additional workspace IDs to query. KQL query to execute across workspaces. Primary Log Analytics workspace ID (GUID). Base URL for the Azure Log Analytics API. Default: `"https://api.loganalytics.io"`. Allowed values: `https://api.loganalytics.io`, `https://api.loganalytics.us`. ISO8601 time period to limit query results (e.g., "P7D" for 7 days). Default: `null`. ## Execute KQL query Action ID: `tools.azure_log_analytics.execute_kql_query` Execute a KQL query against Azure Log Analytics workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1](https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1) ### Secrets Optional secrets: * `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_USER_TOKEN`. * `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_SERVICE_TOKEN`. ### Input fields KQL query to execute (e.g., "SecurityIncident | take 10"). Log Analytics workspace ID (GUID). Base URL for the Azure Log Analytics API. Default: `"https://api.loganalytics.io"`. Allowed values: `https://api.loganalytics.io`, `https://api.loganalytics.us`. ISO8601 time period to limit query results (e.g., "P7D" for 7 days, "PT1H" for 1 hour). Default: `null`. # MITRE Caldera Source: https://docs.tracecat.com/tools/caldera Reference for the Tracecat MITRE Caldera integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add link to operation Action ID: `tools.caldera.add_operation_link` Queue an ability on an existing Caldera operation. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Executor name to run the ability with (e.g. windows, linux, darwin). Ability ID to add to the operation. Operation ID to update. Agent PAW that should run the ability. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Caldera health check Action ID: `tools.caldera.health_check` Query the Caldera REST API health endpoint. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Create adversary Action ID: `tools.caldera.create_adversary` Create a new Caldera adversary profile. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Description of the adversary. Name for the adversary. Ordered list of ability IDs for the adversary playbook. Default: `[]`. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. Plugin that owns the adversary. Default: `"stockpile"`. Optional tags to assign. Default: `[]`. ## Create Linux ability Action ID: `tools.caldera.create_linux_ability` Create a Caldera stockpile ability that runs on Linux agents. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Shell command to execute on the agent. Ability description. Ability name. MITRE ATT\&CK tactic (e.g. discovery, collection). MITRE ATT\&CK technique name. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. Delete payloads from the agent after execution. Default: `true`. Optional payload files required by the ability. Default: `[]`. Privilege level required to run the ability (blank for default). Default: `""`. Whether the ability can run repeatedly on the same agent. Default: `false`. Optional MITRE ATT\&CK technique ID (e.g. T1059.004). Default: `null`. Command timeout in seconds. Default: `60`. ## Create operation Action ID: `tools.caldera.create_operation` Create a Caldera operation from an existing adversary profile. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Adversary ID whose abilities should be executed. Operation name. Whether to automatically close the operation when finished. Default: `false`. Autonomous mode value (0 = manual, 1 = full autonomous). Default: `1`. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. Optional group assignment for the operation. Default: `""`. Sleep jitter value (format min/max seconds). Default: `"2/4"`. Obfuscator to use for commands. Default: `"plain-text"`. Objective ID the operation should satisfy. Default: `"495a9828-cab1-44dd-a0ca-66e58177d8cc"`. Planner ID to use when scheduling the operation. Default: `"aaa7c857-37a0-4c4a-85f7-4e9f7f30e31a"`. Source ID for fact collection. Default: `"ed32b9c3-9593-4c33-b0db-e2007315096b"`. Initial operation state (e.g. running, paused, finished). Default: `"paused"`. Whether to enable learning parsers during the run. Default: `true`. Visibility score for the operation. Default: `51`. ## Create Windows ability Action ID: `tools.caldera.create_windows_ability` Create a Caldera stockpile ability that runs on Windows agents. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Exact PowerShell command to execute. Ability description. Ability name. MITRE ATT\&CK tactic (e.g. discovery, execution). MITRE ATT\&CK technique name. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. Delete payloads from the agent after execution. Default: `true`. Optional payload files required by the ability. Default: `[]`. Privilege level required to run the ability (blank for default). Default: `""`. Whether the ability can run repeatedly on the same agent. Default: `false`. Optional MITRE ATT\&CK technique ID (e.g. T1059.001). Default: `null`. Command timeout in seconds. Default: `60`. ## Get ability Action ID: `tools.caldera.get_ability` Retrieve a Caldera ability by ID. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Ability ID to fetch. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Get adversary Action ID: `tools.caldera.get_adversary` Retrieve a Caldera adversary by ID. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Adversary ID to fetch. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Get agent Action ID: `tools.caldera.get_agent` Retrieve a Caldera agent by PAW. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Agent PAW identifier. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Get link result Action ID: `tools.caldera.get_operation_link_result` Retrieve the result payload for a specific Caldera link. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Link ID to fetch. Operation ID that contains the link. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Get operation Action ID: `tools.caldera.get_operation` Retrieve a Caldera operation by ID. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Operation ID to fetch. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## Get operation link Action ID: `tools.caldera.get_operation_link` Retrieve a specific link from a Caldera operation. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Link ID to fetch. Operation ID that contains the link. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## List abilities Action ID: `tools.caldera.list_abilities` List all Caldera abilities. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## List adversaries Action ID: `tools.caldera.list_adversaries` List Caldera adversaries. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## List agents Action ID: `tools.caldera.list_agents` List all Caldera agents (alive or dead). Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## List operation links Action ID: `tools.caldera.list_operation_links` List links for a specific Caldera operation. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Operation ID to inspect. Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## List operations Action ID: `tools.caldera.list_operations` List all Caldera operations. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. ## List payloads Action ID: `tools.caldera.list_payloads` List uploaded payloads from Caldera. Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html) ### Secrets Required secrets: * `caldera`: required values `CALDERA_API_KEY`. ### Input fields Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)). Default: `null`. # Cloudflare SDK Source: https://docs.tracecat.com/tools/cloudflare_sdk Reference for the Tracecat Cloudflare SDK integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call method Action ID: `tools.cloudflare_sdk.call_method` Instantiate a Cloudflare client and call a Cloudflare SDK method. Reference: [https://github.com/cloudflare/cloudflare-python](https://github.com/cloudflare/cloudflare-python) ### Secrets Required secrets: * `cloudflare`: required values `CLOUDFLARE_API_TOKEN`. ### Input fields Cloudflare SDK method name, e.g. `list` or `create`. Parameters for the Cloudflare SDK method. Default: `null`. Cloudflare SDK resource path, e.g. `zones` or `dns.records`. Default: `null`. ## Call paginated method Action ID: `tools.cloudflare_sdk.call_paginated_method` Instantiate a Cloudflare client and call a paginated Cloudflare SDK method. Reference: [https://github.com/cloudflare/cloudflare-python](https://github.com/cloudflare/cloudflare-python) ### Secrets Required secrets: * `cloudflare`: required values `CLOUDFLARE_API_TOKEN`. ### Input fields Paginated Cloudflare SDK method name, e.g. `list`. Parameters for the Cloudflare SDK method. Default: `null`. Cloudflare SDK resource path, e.g. `zones` or `dns.records`. Default: `null`. # Confluence Source: https://docs.tracecat.com/tools/confluence Reference for the Tracecat Confluence integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add comment Action ID: `tools.confluence.add_page_comment` Add a comment to a Confluence page. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Comment content in Confluence storage (XHTML) or wiki markup. Convert Markdown to storage before sending if needed. The ID of the page to comment on. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Content representation for the comment body (storage or wiki). Default: `"storage"`. ## Add page label Action ID: `tools.confluence.add_page_label` Add a label to a Confluence page. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-addLabelsToContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-addLabelsToContent) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Label name to apply. The ID of the page to label. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Label prefix (global, my, or team). Default: `"global"`. ## Create page Action ID: `tools.confluence.create_page` Create a new Confluence page in a space, optionally under a parent. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-createContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-createContent) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Page body in Confluence storage (XHTML) or wiki markup. Convert Markdown to storage before sending if needed. Space key for the page (e.g., DEV, TEAM). Title of the new page. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Content representation for the body (storage or wiki). Default: `"storage"`. Optional parent page ID to nest under. Default: `null`. ## Delete page Action ID: `tools.confluence.delete_page` Delete a Confluence page by ID. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-delete](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-delete) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields The ID of the page to delete. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. ## Get child pages Action ID: `tools.confluence.get_page_children` List child pages for a parent Confluence page with pagination and optional content expansion. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-childrenOfType](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-childrenOfType) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields The ID of the parent page whose children you want to retrieve. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Fields to expand on each child (e.g., version, body.storage, body.view). Default: `"version"`. Whether to force body.storage expansion for child content. Default: `false`. Maximum number of child pages to return (1-50). Default: `25`. Starting index for pagination (0-based). Default: `0`. ## Get page by ID Action ID: `tools.confluence.get_page` Retrieve a Confluence page by its numeric ID with optional expanded fields. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContentById](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContentById) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Confluence page ID (numeric). In URLs like [https://example.atlassian.net/wiki/spaces/TEAM/pages/123456789/Page+Title](https://example.atlassian.net/wiki/spaces/TEAM/pages/123456789/Page+Title) the ID is 123456789. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Comma-separated fields to expand (e.g., body.storage, body.view, version, space, ancestors, children.attachment). Default: `"body.storage,version,space"`. ## Get page by title Action ID: `tools.confluence.get_page_by_title` Find a Confluence page by title within a space. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContent) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Space key containing the page (e.g., DEV, TEAM). Exact page title to retrieve. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Comma-separated fields to expand (e.g., body.storage, body.view, version, space, ancestors, children.attachment). Default: `"body.storage,version,space"`. ## Get page comments Action ID: `tools.confluence.get_page_comments` Retrieve comments for a Confluence page with pagination support. Use start/limit to iterate through all comments. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Confluence page ID to fetch comments for. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Depth of comments to return (e.g., all, root). Default: `"all"`. Fields to expand on each comment (e.g., body.view, body.storage, version). Default: `"body.view,version"`. Maximum number of comments to return per request (1-50). Default: `25`. Starting index for pagination (0-based). Use \_links.next from response to get next page. Default: `0`. ## Get page labels Action ID: `tools.confluence.get_page_labels` List labels applied to a Confluence page. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-getLabelsForContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-getLabelsForContent) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields The ID of the page to fetch labels for. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. ## Search content Action ID: `tools.confluence.search_content` Search Confluence content with Confluence Query Language (CQL) and optional space filters. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#search-search](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#search-search) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Search query in CQL. Examples: 'type=page AND space=DEV', 'title\~"Runbook"', or 'text \~ "incident response"'. CQL supports operators like AND/OR, ranges, and exact matches. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Maximum number of results to return (1-50). Default: `10`. Optional comma-separated space keys to filter results (adds OR space clauses to the query). Default: `null`. ## Update page Action ID: `tools.confluence.update_page` Update an existing Confluence page, incrementing the version automatically. Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-update](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-update) ### Secrets Required secrets: * `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`. ### Input fields Updated page body in Confluence storage (XHTML) or wiki markup. Convert Markdown to storage before sending if needed. ID of the page to update. New title for the page. Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api. Default: `null`. Content representation for the body (storage or wiki). Default: `"storage"`. Whether this is a minor edit for versioning purposes. Default: `false`. Optional new parent page ID to set on update. Default: `null`. Optional version comment to record with the update. Default: `""`. # CrowdSec Source: https://docs.tracecat.com/tools/crowdsec Reference for the Tracecat CrowdSec integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup IP address Action ID: `tools.crowdsec.lookup_ip_address` Get threat intel report for an IP address from CrowdSec. Reference: [https://docs.crowdsec.net/u/cti\_api/getting\_started/](https://docs.crowdsec.net/u/cti_api/getting_started/) ### Secrets Required secrets: * `crowdsec_cti`: required values `CTI_API_KEY`. ### Input fields IPv4 or IPv6 address to analyze or scan. # CrowdStrike Source: https://docs.tracecat.com/tools/crowdstrike Reference for the Tracecat CrowdStrike integration: registered actions, required secrets, expected inputs, and example workflow usage. ## List alerts Action ID: `tools.crowdstrike.list_alerts` Query for Crowdstrike alerts via the Falcon SIEM API. Reference: [https://falconpy.io/Service-Collections/Alerts.html#uber-class-example-7](https://falconpy.io/Service-Collections/Alerts.html#uber-class-example-7) ### Input fields End time for the query (exclusive). Start time for the query (inclusive). Maximum number of alerts to return. Default: `100`. Crowdstrike member CID. Default: `null`. Falcon Query Language (FQL) filter to apply to alerts. If specified, overrides `start_time` and `end_time`. Default: `null`. ## List detects Action ID: `tools.crowdstrike.list_detects` Query for CrowdStrike detects and summaries via the Falcon SIEM API. Reference: [https://falconpy.io/Service-Collections/Detects.html](https://falconpy.io/Service-Collections/Detects.html) ### Input fields End time for the query (exclusive). Start time for the query (inclusive). Maximum number of alerts to return. Default: `100`. Crowdstrike member CID. Default: `null`. Falcon Query Language (FQL) filter to apply to alerts. If specified, overrides `start_time` and `end_time`. Default: `null`. ## List incidents Action ID: `tools.crowdstrike.list_incidents` Query for Crowdstrike incidents via the Falcon SIEM API. Reference: [https://falconpy.io/Service-Collections/Incidents.html](https://falconpy.io/Service-Collections/Incidents.html) ### Input fields End time for the query (exclusive). Start time for the query (inclusive). Maximum number of incidents to return. Default: `100`. Crowdstrike member CID. Default: `null`. Falcon Query Language (FQL) filter to apply to cases. If specified, overrides `start_time` and `end_time`. Default: `null`. # Datadog Source: https://docs.tracecat.com/tools/datadog Reference for the Tracecat Datadog integration: registered actions, required secrets, expected inputs, and example workflow usage. ## List security signals Action ID: `tools.datadog.list_security_signals` Query for Datadog security signals. Reference: [https://docs.datadoghq.com/api/latest/security-monitoring/#get-a-list-of-security-signals](https://docs.datadoghq.com/api/latest/security-monitoring/#get-a-list-of-security-signals) ### Secrets Required secrets: * `datadog`: required values `DATADOG_API_KEY`, `DATADOG_APP_KEY`. ### Input fields End time for the query (exclusive). Start time for the query (inclusive). Datadog site API URL. Default: `null`. Maximum number of alerts to return. Default: `100`. Datadog search query. Default: `null`. # Elastic Security Source: https://docs.tracecat.com/tools/elastic_security Reference for the Tracecat Elastic Security integration: registered actions, required secrets, expected inputs, and example workflow usage. ## List detection alerts Action ID: `tools.elastic_security.list_detection_signals` Query for Elastic Security detection alerts. Reference: [https://www.elastic.co/docs/api/doc/kibana/v8/operation/operation-searchalerts](https://www.elastic.co/docs/api/doc/kibana/v8/operation/operation-searchalerts) ### Secrets Required secrets: * `elastic_security`: required values `ELASTIC_API_KEY`. ### Input fields End time for the query (exclusive). Start time for the query (inclusive). Kibana endpoint URL (e.g. [https://localhost:5601](https://localhost:5601)). Default: `null`. Maximum number of alerts to return. Default: `100`. Elastic JSON query DSL. If specified, overrides `start_time` and `end_time`. Default: `null`. Source field filter applied to each alert. Pass a list of dotted field names to include only those fields, or a dict of `includes` / `excludes` for fine-grained control. Maps directly to the Kibana `_source` request body parameter. When `null` (default), every field is returned. Default: `null`. Whether to verify SSL certificates. Default: `true`. # Elasticsearch Source: https://docs.tracecat.com/tools/elasticsearch Reference for the Tracecat Elasticsearch integration: registered actions, required secrets, expected inputs, and example workflow usage. ## List indexes Action ID: `tools.elasticsearch.list_indexes` List all indexes in the Elasticsearch cluster. Reference: [https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cat-indices](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cat-indices) ### Secrets Required secrets: * `elasticsearch`: required values `ELASTIC_API_KEY`. ### Input fields Elasticsearch base URL (e.g. [https://localhost:9200](https://localhost:9200)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## Search events Action ID: `tools.elasticsearch.search_events` Search events from Elasticsearch using query DSL. Reference: [https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-search](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-search) ### Secrets Required secrets: * `elasticsearch`: required values `ELASTIC_API_KEY`. ### Input fields Elasticsearch query DSL. Elasticsearch base URL (e.g. [https://localhost:9200](https://localhost:9200)). Default: `null`. Index name to search. If not specified, searches all indices. Default: `null`. Maximum number of events to return. Default: `100`. Whether to verify SSL certificates. Default: `true`. # EmailRep Source: https://docs.tracecat.com/tools/emailrep Reference for the Tracecat EmailRep integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup email Action ID: `tools.emailrep.lookup_email` Lookup an email address in the EmailRep database. Reference: [https://docs.sublime.security/reference/emailrep-introduction](https://docs.sublime.security/reference/emailrep-introduction) ### Secrets Required secrets: * `emailrep`: required values `EMAILREP_API_KEY`. ### Input fields Email to lookup. Whether to include the summary of the email. Default: `true`. # Exa Source: https://docs.tracecat.com/tools/exa Reference for the Tracecat Exa integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Answer Action ID: `tools.exa.answer` Answer a question with Exa. Reference: [https://exa.ai/docs/reference/answer](https://exa.ai/docs/reference/answer) ### Secrets Required secrets: * `exa`: required values `EXA_API_KEY`. ### Input fields The question to answer. ## Create research task Action ID: `tools.exa.research` Start a research task that explores the web, gathers sources, and synthesizes findings. Returns immediately with a researchId for polling. Reference: [https://exa.ai/docs/reference/research/create-a-task](https://exa.ai/docs/reference/research/create-a-task) ### Secrets Required secrets: * `exa`: required values `EXA_API_KEY`. ### Input fields Instructions for what you would like research on. The model to use for research. Default: `"exa-research-fast"`. Allowed values: `exa-research-fast`, `exa-research`, `exa-research-pro`. ## Get contents Action ID: `tools.exa.get_contents` Get full page contents, summaries, and metadata for a list of URLs. Reference: [https://exa.ai/docs/reference/get-contents](https://exa.ai/docs/reference/get-contents) ### Secrets Required secrets: * `exa`: required values `EXA_API_KEY`. ### Input fields The URLs to get the contents for. ## Get research task Action ID: `tools.exa.get_research` Retrieve the current status and results of a research task by its research\_id. Reference: [https://exa.ai/docs/reference/research/get-a-task](https://exa.ai/docs/reference/research/get-a-task) ### Secrets Required secrets: * `exa`: required values `EXA_API_KEY`. ### Input fields Unique identifier for the research task to retrieve. ## List research tasks Action ID: `tools.exa.list_research` Get a paginated list of research tasks. Use cursor for pagination and limit to control page size. Reference: [https://exa.ai/docs/reference/research/list-tasks](https://exa.ai/docs/reference/research/list-tasks) ### Secrets Required secrets: * `exa`: required values `EXA_API_KEY`. ### Input fields Cursor token from previous response for pagination. Maximum number of results per page (maximum 50). Default: `10`. ## Search the web Action ID: `tools.exa.search` Search the web with Exa. Reference: [https://exa.ai/docs/reference/search](https://exa.ai/docs/reference/search) ### Secrets Required secrets: * `exa`: required values `EXA_API_KEY`. ### Input fields The query to search for. # FalconPy Source: https://docs.tracecat.com/tools/falconpy Reference for the Tracecat FalconPy integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call command Action ID: `tools.falconpy.call_command` Instantiate a FalconPy Uber Class client and call a FalconPy API method. Reference: [https://falconpy.io/Usage/Basic-Uber-Class-usage.html](https://falconpy.io/Usage/Basic-Uber-Class-usage.html) ### Secrets Required secrets: * `crowdstrike`: required values `CROWDSTRIKE_CLIENT_ID`, `CROWDSTRIKE_CLIENT_SECRET`. ### Input fields Operation ID from [https://www.falconpy.io/Operations/All-Operations.html](https://www.falconpy.io/Operations/All-Operations.html) Base URL for the Falcon API Default: `null`. Extra keyword arguments to pass to the Falcon API Default: `null`. Multi-tenant customer ID Default: `null`. Parameters to pass into the command Default: `null`. # GitHub MCP Source: https://docs.tracecat.com/tools/github Reference for the Tracecat GitHub MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## GitHub MCP Action ID: `tools.github.mcp` Use AI to interact with GitHub. Reference: [https://docs.github.com/en/copilot](https://docs.github.com/en/copilot) ### Secrets Required secrets: * `github_mcp_oauth`: OAuth token `GITHUB_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. # Gmail Source: https://docs.tracecat.com/tools/gmail Reference for the Tracecat Gmail integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get Gmail attachment Action ID: `tools.gmail.get_attachment` Download an attachment from a Gmail message. ### Secrets Required secrets: * `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`. ### Input fields The attachment ID to retrieve The message ID containing the attachment User ID or 'me' for authenticated user Default: `"me"`. ## Get Gmail message Action ID: `tools.gmail.get_message` Get the full content of a Gmail message. ### Secrets Required secrets: * `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`. ### Input fields The message ID to retrieve Format: 'full' (complete), 'metadata' (headers only), 'minimal' (IDs only), 'raw' (RFC 2822) Default: `"full"`. User ID or 'me' for authenticated user Default: `"me"`. ## Get Gmail message headers Action ID: `tools.gmail.get_message_headers` Get only the headers of a Gmail message. ### Secrets Required secrets: * `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`. ### Input fields The message ID to retrieve headers for Specific headers to return (e.g., \['From', 'To', 'Subject']). If not specified, returns all headers. Default: `null`. User ID or 'me' for authenticated user Default: `"me"`. ## Get Gmail thread Action ID: `tools.gmail.get_thread` Get all messages in an email thread. ### Secrets Required secrets: * `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`. ### Input fields The thread ID to retrieve Format: 'full' (complete), 'metadata' (headers only), 'minimal' (IDs only) Default: `"full"`. User ID or 'me' for authenticated user Default: `"me"`. ## List Gmail labels Action ID: `tools.gmail.list_labels` List all Gmail labels for a user. ### Secrets Required secrets: * `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`. ### Input fields User ID or 'me' for authenticated user Default: `"me"`. ## Search Gmail messages Action ID: `tools.gmail.search_messages` Search Gmail messages using Gmail's search syntax. ### Secrets Required secrets: * `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`. ### Input fields Gmail search query (e.g., 'from:[suspicious@evil.com](mailto:suspicious@evil.com) has:attachment') Maximum number of results to return Default: `10`. Page token for pagination Default: `null`. User ID or 'me' for authenticated user Default: `"me"`. # Google API Source: https://docs.tracecat.com/tools/google_api Reference for the Tracecat Google API integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call API Action ID: `tools.google_api.call_api` Instantiate a Google API client and call a Google API method. Reference: [https://googleapis.github.io/google-api-python-client/docs/dyn/](https://googleapis.github.io/google-api-python-client/docs/dyn/) ### Secrets Optional secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. * `google_api`: required values `GOOGLE_API_CREDENTIALS`. ### Input fields Google API method name, e.g. `list` or `get`. Resource path, e.g. `files` or `spreadsheets.values`. Google API service name, e.g. `drive` or `sheets`. Google API version, e.g. `v3` or `v4`. Parameters for the Google API method. Default: `null`. Service account scopes. Defaults to \["[https://www.googleapis.com/auth/cloud-platform](https://www.googleapis.com/auth/cloud-platform)"]. Default: `null`. Optional service account domain-wide delegation subject. Default: `null`. ## Call paginated API Action ID: `tools.google_api.call_paginated_api` Instantiate a Google API client and call a paginated Google API method. Reference: [https://googleapis.github.io/google-api-python-client/docs/dyn/](https://googleapis.github.io/google-api-python-client/docs/dyn/) ### Secrets Optional secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. * `google_api`: required values `GOOGLE_API_CREDENTIALS`. ### Input fields Google API method name, e.g. `list` or `get`. Resource path, e.g. `files` or `spreadsheets.values`. Google API service name, e.g. `drive` or `sheets`. Google API version, e.g. `v3` or `v4`. Dot-separated response path for the next page token. Defaults to "nextPageToken". Default: `"nextPageToken"`. Request parameter name for the next page token. Defaults to "pageToken". Default: `"pageToken"`. Parameters for the Google API method. Default: `null`. Service account scopes. Defaults to \["[https://www.googleapis.com/auth/cloud-platform](https://www.googleapis.com/auth/cloud-platform)"]. Default: `null`. Optional service account domain-wide delegation subject. Default: `null`. # Google Docs Source: https://docs.tracecat.com/tools/google_docs Reference for the Tracecat Google Docs integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Batch update document Action ID: `tools.google_docs.batch_update_document` Apply multiple updates to a Google Doc in a single request. Reference: [https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/batchUpdate](https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/batchUpdate) ### Secrets Optional secrets: * `google_docs_oauth`: OAuth token `GOOGLE_DOCS_SERVICE_TOKEN`. ### Input fields ID of the document to update. List of Docs API request objects to apply. Optional write control configuration (e.g., requiredRevisionId). Default: `null`. ## Create document Action ID: `tools.google_docs.create_document` Create a new Google Doc. Reference: [https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/create](https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/create) ### Secrets Optional secrets: * `google_docs_oauth`: OAuth token `GOOGLE_DOCS_SERVICE_TOKEN`. ### Input fields Optional document title. Default: `null`. ## Get document Action ID: `tools.google_docs.get_document` Retrieve a Google Doc with optional suggestions view mode. Reference: [https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/get](https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/get) ### Secrets Optional secrets: * `google_docs_oauth`: OAuth token `GOOGLE_DOCS_SERVICE_TOKEN`. ### Input fields ID of the document to fetch. How to display suggestions in the response. Default: `null`. # Google Drive Source: https://docs.tracecat.com/tools/google_drive Reference for the Tracecat Google Drive integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add Drive permission Action ID: `tools.google_drive.add_permission` Grant access to a file or folder. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields Email address to grant access to The file or folder ID Fields to return ('\*' for all) Default: `"*"`. Role: reader, writer, commenter, owner Default: `"reader"`. Send email notification Default: `false`. ## Create Drive folder Action ID: `tools.google_drive.create_folder` Create a new folder in Google Drive. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields Name for the new folder Fields to return ('\*' for all) Default: `"*"`. Parent folder ID (empty = root) Default: `""`. ## Delete Drive file Action ID: `tools.google_drive.delete_file` Move a file or folder to trash. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields The file or folder ID to delete Fields to return ('\*' for all) Default: `"*"`. ## Get Drive file Action ID: `tools.google_drive.get_file` Get detailed metadata for a specific file. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields The file ID Fields to return ('\*' for all) Default: `"*"`. ## Get Drive file permissions Action ID: `tools.google_drive.get_file_permissions` List all permissions for a file or folder. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields The file ID Fields to return ('\*' for all) Default: `"*"`. ## List Drive files Action ID: `tools.google_drive.list_files` List and search files in Google Drive. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields Fields to return (e.g., 'files(id,name,mimeType)' or '\*' for all) Default: `"*"`. Maximum number of results Default: `10`. Sort order Default: `"modifiedTime desc"`. Search query (e.g., 'name contains "report"') Default: `""`. ## Permanently delete Drive file Action ID: `tools.google_drive.permanently_delete_file` Permanently delete a file or folder (bypass trash). ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields The file or folder ID to permanently delete ## Revoke Drive permission Action ID: `tools.google_drive.revoke_permission` Remove a permission (revoke access). ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields The file or folder ID The permission ID to revoke ## Update Drive permission Action ID: `tools.google_drive.update_permission` Update an existing permission (change role). ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields The file or folder ID The permission ID to update New role: reader, writer, commenter Fields to return ('\*' for all) Default: `"*"`. ## Upload Drive file Action ID: `tools.google_drive.upload_file` Upload a file to Google Drive. ### Secrets Required secrets: * `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`. ### Input fields Base64-encoded file content Name for the uploaded file Fields to return ('\*' for all) Default: `"*"`. MIME type of file Default: `"application/octet-stream"`. Parent folder ID (empty = root) Default: `""`. # Google Maps Source: https://docs.tracecat.com/tools/google_maps Reference for the Tracecat Google Maps integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get location data Action ID: `tools.google_maps.get_location_data` Get location data from Google Maps. Reference: [https://developers.google.com/maps/documentation/geocoding/guides-v3/overview](https://developers.google.com/maps/documentation/geocoding/guides-v3/overview) ### Secrets Required secrets: * `google_maps`: required values `GOOGLE_MAPS_API_KEY`. ### Input fields The address to get the location data for. # Google SecOps Detection Engine Source: https://docs.tracecat.com/tools/google_secops_detection Reference for the Tracecat Google SecOps Detection Engine integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Cancel retrohunt Action ID: `tools.google_secops_detection.cancel_retrohunt` Cancel a running retrohunt operation. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The retrohunt ID to cancel The rule ID ## Create detection rule Action ID: `tools.google_secops_detection.create_rule` Create a new detection rule in Chronicle. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) YARA-L 2.0 rule text ## Create retrohunt Action ID: `tools.google_secops_detection.create_retrohunt` Create a retrohunt to run a rule against historical data. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) End time (RFC 3339 format) The rule ID to run retrohunt for Start time (RFC 3339 format, e.g., '2024-01-01T00:00:00Z') ## Delete detection rule Action ID: `tools.google_secops_detection.delete_rule` Delete a detection rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID to delete ## Disable detection rule Action ID: `tools.google_secops_detection.disable_rule` Disable a detection rule to stop live alerting. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID to disable ## Enable detection rule Action ID: `tools.google_secops_detection.enable_rule` Enable a detection rule for live alerting. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID to enable ## Get detection rule Action ID: `tools.google_secops_detection.get_rule` Get detailed information about a specific detection rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID (e.g., 'ru\_12345678-1234-1234-1234-123456789012') ## Get retrohunt status Action ID: `tools.google_secops_detection.get_retrohunt` Get the status and results of a retrohunt operation. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The retrohunt ID The rule ID ## Get rule deployment status Action ID: `tools.google_secops_detection.get_rule_deployment` Get the deployment status of a detection rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID ## List detection rules Action ID: `tools.google_secops_detection.list_rules` List all detection rules in Chronicle. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) Maximum number of rules to return Default: `100`. Token for pagination Default: `null`. ## List detections for rule Action ID: `tools.google_secops_detection.list_detections` List detections generated by a specific rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID to get detections for End time (RFC 3339 format) Default: `null`. Maximum detections to return Default: `100`. Token for pagination Default: `null`. Start time (RFC 3339 format, e.g., '2024-01-01T00:00:00Z') Default: `null`. ## List retrohunts Action ID: `tools.google_secops_detection.list_retrohunts` List all retrohunt operations for a specific rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID Maximum retrohunts to return Default: `100`. Token for pagination Default: `null`. ## List rule errors Action ID: `tools.google_secops_detection.list_rule_errors` List compilation or execution errors for a detection rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID Maximum errors to return Default: `100`. Token for pagination Default: `null`. ## Update detection rule Action ID: `tools.google_secops_detection.update_rule` Update an existing detection rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) The rule ID to update Updated YARA-L 2.0 rule text ## Verify detection rule Action ID: `tools.google_secops_detection.verify_rule` Verify YARA-L rule syntax without creating the rule. ### Secrets Required secrets: * `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`. ### Input fields Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia) YARA-L 2.0 rule text to validate # Google SecOps SOAR Source: https://docs.tracecat.com/tools/google_secops_soar Reference for the Tracecat Google SecOps SOAR integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add case tag Action ID: `tools.google_secops_soar.add_case_tag` Add a tag to a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID Tag to add to the case Optional alert identifier within the case Default: `null`. ## Assign user to case Action ID: `tools.google_secops_soar.assign_user_to_case` Assign a user or SOC role to a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID User ID (GUID) or @RoleName to assign Optional alert identifier within the case Default: `null`. ## Bulk close cases Action ID: `tools.google_secops_soar.bulk_close_cases` Close multiple Chronicle SOAR cases in a single operation. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') List of case IDs to close Comment for all closed cases Close reason enum: 0=Malicious, 1=NotMalicious, 2=Maintenance, 3=Inconclusive, 4=Unknown Root cause description ## Change case stage Action ID: `tools.google_secops_soar.change_case_stage` Change the stage of a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID New stage: Triage, Assessment, Investigation, Incident, Improvement, or Research ## Close alert Action ID: `tools.google_secops_soar.close_alert` Close a specific alert within a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields The alert identifier to close Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') Comment explaining why the alert is being closed Close reason: Malicious, NotMalicious, Maintenance, or Inconclusive Root cause description The case ID where the alert is being closed Alert usefulness: None, NotUseful, or Useful Default: `"None"`. ## Create case comment Action ID: `tools.google_secops_soar.create_case_comment` Add a comment to a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID Comment text to add to the case Optional alert identifier Default: `null`. Optional base64-encoded file content Default: `null`. Optional attachment filename Default: `null`. Optional file type (e.g., '.pdf', '.txt') Default: `null`. ## Reopen alert Action ID: `tools.google_secops_soar.reopen_alert` Reopen a previously closed alert in a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields The alert identifier to reopen Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID ## Search SOAR cases Action ID: `tools.google_secops_soar.search_cases` Search Chronicle SOAR cases with advanced filtering. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') List of user IDs or @Role names Default: `null`. List of specific case IDs to retrieve Default: `null`. UTC end time (ISO 8601 format). Only used when time\_range\_filter=0 (CUSTOM) Default: `null`. List of environments to filter by Default: `null`. Filter by importance: \['True'] for important cases only Default: `null`. Filter by incident flag: \['True'] for incidents only Default: `null`. Filter by case status (true=closed, false=open, null=all) Default: `null`. Number of results per page (max 100) Default: `50`. List of priorities: Informative, Low, Medium, High, Critical Default: `null`. Page number (0-indexed) Default: `0`. List of stages: Triage, Assessment, Investigation, Incident, Improvement, Research Default: `null`. UTC start time (ISO 8601 format, e.g., '2024-01-01T00:00:00.000Z'). Only used when time\_range\_filter=0 (CUSTOM) Default: `null`. List of case tags to filter by Default: `null`. Predefined time range in days: 0=CUSTOM, 1=LAST\_DAY, 2=LAST\_2\_DAYS, 3=LAST\_3\_DAYS, 4=LAST\_4\_DAYS, 7=LAST\_WEEK, 14=LAST\_2\_WEEKS, 30=LAST\_MONTH, 90=LAST\_3\_MONTHS, 180=LAST\_6\_MONTHS, 365=LAST\_YEAR, 395=LAST\_13\_MONTHS Default: `null`. Search by case title/name (partial match supported) Default: `null`. ## Update alert priority Action ID: `tools.google_secops_soar.update_alert_priority` Update the priority of a specific alert within a case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields The alert identifier The alert name Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID New priority: -1=Informative, 40=Low, 60=Medium, 80=High, 100=Critical Previous priority (0=Unchanged if unknown) Default: `0`. ## Update case comment Action ID: `tools.google_secops_soar.update_case_comment` Update an existing comment in a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') Updated comment text The comment ID to update Optional attachment ID to update Default: `null`. Optional updated base64-encoded file content Default: `null`. Optional updated filename Default: `null`. Optional updated file type Default: `null`. ## Update case priority Action ID: `tools.google_secops_soar.update_case_priority` Update the priority of a Chronicle SOAR case. ### Secrets Required secrets: * `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`. ### Input fields Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)') The case ID Priority: -1=Informative, 40=Low, 60=Medium, 80=High, 100=Critical # Google Sheets Source: https://docs.tracecat.com/tools/google_sheets Reference for the Tracecat Google Sheets integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Append values Action ID: `tools.google_sheets.append_values` Append rows to a Google Sheets range. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/append](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/append) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields A1 notation range to append to. Target spreadsheet ID. Two-dimensional array of values to append. Include the appended values in the response payload. Default: `false`. How the input data should be inserted. Default: `"INSERT_ROWS"`. Allowed values: `OVERWRITE`, `INSERT_ROWS`. Orientation of the values array. Default: `null`. How input data should be interpreted. Default: `"USER_ENTERED"`. Allowed values: `RAW`, `USER_ENTERED`. ## Batch clear values Action ID: `tools.google_sheets.batch_clear_values` Clear values from one or more ranges in a spreadsheet. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchClear](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchClear) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields List of A1 notation ranges to clear. Spreadsheet ID to clear. ## Batch get values Action ID: `tools.google_sheets.batch_get_values` Retrieve values from multiple ranges in a spreadsheet. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchGet](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchGet) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields A1 notation ranges to retrieve. Spreadsheet ID to read from. How dates and times should be represented. Default: `null`. Orientation of the returned values. Default: `null`. How values should be rendered in the response. Default: `null`. ## Batch update values Action ID: `tools.google_sheets.batch_update_values` Update cell values across multiple ranges in one request. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchUpdate](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchUpdate) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields Spreadsheet ID to update. List of updates with range, values, and optional major\_dimension per entry. Include the updated values in the response payload. Default: `false`. How dates and times should be represented in the response. Default: `null`. How updated values should be rendered in the response. Default: `null`. How input data should be interpreted. Default: `"USER_ENTERED"`. Allowed values: `RAW`, `USER_ENTERED`. ## Copy sheet Action ID: `tools.google_sheets.copy_sheet` Copy a sheet to another spreadsheet. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.sheets/copyTo](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.sheets/copyTo) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields Destination spreadsheet ID. ID of the sheet to copy. Source spreadsheet ID. ## Create spreadsheet Action ID: `tools.google_sheets.create_spreadsheet` Create a new Google Spreadsheet with an optional set of sheets. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/create](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/create) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields Spreadsheet title. Optional list of sheet titles to create. Default: `null`. ## Get spreadsheet Action ID: `tools.google_sheets.get_spreadsheet` Retrieve spreadsheet metadata and optional grid data. Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/get](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/get) ### Secrets Optional secrets: * `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`. ### Input fields Spreadsheet ID to fetch. Return grid data along with metadata. Default: `false`. Optional A1 notation ranges to include. Default: `null`. # Gophish Source: https://docs.tracecat.com/tools/gophish Reference for the Tracecat Gophish integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create campaign Action ID: `tools.gophish.create_campaign` Create a campaign in Gophish. Reference: [https://docs.getgophish.com/api-documentation/campaigns#create-campaign](https://docs.getgophish.com/api-documentation/campaigns#create-campaign) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the campaign to create. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Create group Action ID: `tools.gophish.create_group` Create a group in Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#create-group](https://docs.getgophish.com/api-documentation/users-and-groups#create-group) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the group to create. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Create landing page Action ID: `tools.gophish.create_landing_page` Create a landing page in Gophish. Reference: [https://docs.getgophish.com/api-documentation/landing-pages#create-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#create-landing-page) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the landing page to create. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Create sending profile Action ID: `tools.gophish.create_sending_profile` Create a sending profile in Gophish. Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#create-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#create-sending-profile) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the sending profile to create. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Create template Action ID: `tools.gophish.create_template` Create a template in Gophish. Reference: [https://docs.getgophish.com/api-documentation/templates#create-template](https://docs.getgophish.com/api-documentation/templates#create-template) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the template to create. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Delete campaign Action ID: `tools.gophish.delete_campaign` Delete a campaign in Gophish. Reference: [https://docs.getgophish.com/api-documentation/campaigns#delete-campaign](https://docs.getgophish.com/api-documentation/campaigns#delete-campaign) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the campaign to delete. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Delete group Action ID: `tools.gophish.delete_group` Delete a group in Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#delete-group](https://docs.getgophish.com/api-documentation/users-and-groups#delete-group) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the group to delete. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Delete landing page Action ID: `tools.gophish.delete_landing_page` Delete a landing page in Gophish. Reference: [https://docs.getgophish.com/api-documentation/landing-pages#delete-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#delete-landing-page) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the landing page to delete. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Delete sending profile Action ID: `tools.gophish.delete_sending_profile` Delete a sending profile in Gophish. Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#delete-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#delete-sending-profile) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the sending profile to delete. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Delete template Action ID: `tools.gophish.delete_template` Delete a template in Gophish. Reference: [https://docs.getgophish.com/api-documentation/templates#delete-template](https://docs.getgophish.com/api-documentation/templates#delete-template) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the template to delete. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get campaign Action ID: `tools.gophish.get_campaign` Get a campaign from Gophish. Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaign](https://docs.getgophish.com/api-documentation/campaigns#get-campaign) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the campaign to get. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get campaign results Action ID: `tools.gophish.get_campaign_results` Get a campaign's results from Gophish. Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaign-results](https://docs.getgophish.com/api-documentation/campaigns#get-campaign-results) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the campaign to get results for. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get campaign summary Action ID: `tools.gophish.get_campaign_summary` Get a campaign summary from Gophish. Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaign-summary](https://docs.getgophish.com/api-documentation/campaigns#get-campaign-summary) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the campaign to get summary for. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get group Action ID: `tools.gophish.get_group` Get a group from Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-group](https://docs.getgophish.com/api-documentation/users-and-groups#get-group) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the group to get. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get group summary Action ID: `tools.gophish.get_group_summary` Get a group summary from Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-group-summary](https://docs.getgophish.com/api-documentation/users-and-groups#get-group-summary) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the group to get. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get landing page Action ID: `tools.gophish.get_landing_page` Get a landing page in Gophish. Reference: [https://docs.getgophish.com/api-documentation/landing-pages#get-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#get-landing-page) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the landing page to get. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get sending profile Action ID: `tools.gophish.get_sending_profile` Get a sending profile in Gophish. Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profile) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the sending profile to get. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get template Action ID: `tools.gophish.get_template` Get a template in Gophish. Reference: [https://docs.getgophish.com/api-documentation/templates#get-template](https://docs.getgophish.com/api-documentation/templates#get-template) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the template to get. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## List campaigns Action ID: `tools.gophish.list_campaigns` List campaigns from Gophish. Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaigns](https://docs.getgophish.com/api-documentation/campaigns#get-campaigns) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## List groups Action ID: `tools.gophish.list_groups` List groups from Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-groups](https://docs.getgophish.com/api-documentation/users-and-groups#get-groups) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## List groups summary Action ID: `tools.gophish.list_groups_summary` List groups summary from Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-groups-summary](https://docs.getgophish.com/api-documentation/users-and-groups#get-groups-summary) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## List landing pages Action ID: `tools.gophish.list_landing_pages` List landing pages from Gophish. Reference: [https://docs.getgophish.com/api-documentation/landing-pages#get-landing-pages](https://docs.getgophish.com/api-documentation/landing-pages#get-landing-pages) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## List sending profiles Action ID: `tools.gophish.list_sending_profiles` List sending profiles from Gophish. Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profiles](https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profiles) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## List templates Action ID: `tools.gophish.list_templates` List templates from Gophish. Reference: [https://docs.getgophish.com/api-documentation/templates#get-templates](https://docs.getgophish.com/api-documentation/templates#get-templates) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Modify group Action ID: `tools.gophish.modify_group` Modify a group in Gophish. Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#modify-group](https://docs.getgophish.com/api-documentation/users-and-groups#modify-group) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the group to modify. The body of the group to modify. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Modify landing page Action ID: `tools.gophish.modify_landing_page` Modify a landing page in Gophish. Reference: [https://docs.getgophish.com/api-documentation/landing-pages#modify-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#modify-landing-page) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The ID of the landing page to modify. The body of the landing page to modify. Look at the Gophish API documentation for the expected body. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Modify sending profile Action ID: `tools.gophish.modify_sending_profile` Modify a sending profile in Gophish. Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#modify-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#modify-sending-profile) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the sending profile to modify. Look at the Gophish API documentation for the expected body. The ID of the sending profile to modify. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Modify template Action ID: `tools.gophish.modify_template` Modify a template in Gophish. Reference: [https://docs.getgophish.com/api-documentation/templates#modify-template](https://docs.getgophish.com/api-documentation/templates#modify-template) ### Secrets Required secrets: * `gophish`: required values `GOPHISH_API_KEY`. ### Input fields The body of the template to modify. Look at the Gophish API documentation for the expected body. The ID of the template to modify. The base URL of the Gophish instance. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. # HackerOne Source: https://docs.tracecat.com/tools/hackerone Reference for the Tracecat HackerOne integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get program Action ID: `tools.hackerone.get_program` Get details of a specific program from HackerOne. Reference: [https://api.hackerone.com/customer-resources/?python#programs-get-program](https://api.hackerone.com/customer-resources/?python#programs-get-program) ### Secrets Required secrets: * `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`. ### Input fields The ID of the program to retrieve. ## Get programs Action ID: `tools.hackerone.get_programs` Get a paginated list of programs from HackerOne. Reference: [https://api.hackerone.com/customer-resources/?python#programs-get-programs](https://api.hackerone.com/customer-resources/?python#programs-get-programs) ### Secrets Required secrets: * `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`. ### Input fields The page number to retrieve (starts at 1). Default: `1`. Number of programs per page (1-100). Default: `25`. ## Get report Action ID: `tools.hackerone.get_report` Get details of a specific report from HackerOne. Reference: [https://api.hackerone.com/customer-resources/?python#reports-get-report](https://api.hackerone.com/customer-resources/?python#reports-get-report) ### Secrets Required secrets: * `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`. ### Input fields The ID of the report to retrieve. ## Get reports Action ID: `tools.hackerone.get_reports` Get a paginated list of reports from HackerOne. Reference: [https://api.hackerone.com/customer-resources/?python#reports-update-weakness](https://api.hackerone.com/customer-resources/?python#reports-update-weakness) ### Secrets Required secrets: * `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`. ### Input fields Filters to apply to the reports. For example, \{'filter\[program]\[]': 'tracecat', 'filter\[state]\[]': \['new', 'triaged'], 'filter\[assignee]\[]': 'Tracecat Team'} The page number to retrieve (starts at 1). Default: `1`. Number of reports per page (1-100). Default: `25`. # Have I Been Pwned Source: https://docs.tracecat.com/tools/hibp Reference for the Tracecat Have I Been Pwned integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Check email for breaches Action ID: `tools.hibp.check_email_breaches` Check if an email address has been compromised in known data breaches. Reference: [https://haveibeenpwned.com/API/v3#BreachesForAccount](https://haveibeenpwned.com/API/v3#BreachesForAccount) ### Secrets Required secrets: * `hibp`: required values `HIBP_API_KEY`. ### Input fields Email address to check for breaches. Filter results to only breaches from this domain. Default: `null`. Include unverified breaches in results. Default: `true`. Return only breach names (True) or full breach details (False). Default: `true`. ## Check email for pastes Action ID: `tools.hibp.check_email_pastes` Check if an email address has been found in any pastes. Reference: [https://haveibeenpwned.com/API/v3#PastesForAccount](https://haveibeenpwned.com/API/v3#PastesForAccount) ### Secrets Required secrets: * `hibp`: required values `HIBP_API_KEY`. ### Input fields Email address to check for pastes. ## Get all breaches Action ID: `tools.hibp.get_all_breaches` Get a list of all data breaches in the system. Reference: [https://haveibeenpwned.com/API/v3#AllBreaches](https://haveibeenpwned.com/API/v3#AllBreaches) ### Input fields Filter breaches to only those affecting this domain. Default: `null`. ## Get breach details Action ID: `tools.hibp.get_breach_details` Get detailed information about a specific data breach. Reference: [https://haveibeenpwned.com/API/v3#SingleBreach](https://haveibeenpwned.com/API/v3#SingleBreach) ### Input fields Name of the breach to get details for. ## Get data classes Action ID: `tools.hibp.get_data_classes` Get all data classes in the system. Reference: [https://haveibeenpwned.com/API/v3#DataClasses](https://haveibeenpwned.com/API/v3#DataClasses) ### Input fields This action does not take input fields. ## Get latest breach Action ID: `tools.hibp.get_latest_breach` Get the most recently added breach in the system. Reference: [https://haveibeenpwned.com/API/v3#LatestBreach](https://haveibeenpwned.com/API/v3#LatestBreach) ### Input fields This action does not take input fields. # Hybrid Analysis Source: https://docs.tracecat.com/tools/hybrid_analysis Reference for the Tracecat Hybrid Analysis integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get sandbox report Action ID: `tools.hybrid_analysis.get_sandbox_report` Get sandbox report summary from Hybrid Analysis. Reference: [https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Report/b7bf5dba3bdd7e12a97034ad679b7358](https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Report/b7bf5dba3bdd7e12a97034ad679b7358) ### Secrets Required secrets: * `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`. ### Input fields Job ID to get the report for. ## Lookup file Action ID: `tools.hybrid_analysis.lookup_file` Lookup a file with Hybrid Analysis. Reference: [https://hybrid-analysis.com/docs/api/v2#/Analysis%20Overview/052627a17af8cc6ae5240f4684040902](https://hybrid-analysis.com/docs/api/v2#/Analysis%20Overview/052627a17af8cc6ae5240f4684040902) ### Secrets Required secrets: * `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`. ### Input fields SHA256 hash of the file to lookup. ## Submit file Action ID: `tools.hybrid_analysis.submit_file` Submit a file to Hybrid Analysis sandbox for analysis. Reference: [https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/e306d626e3fbbe3f10982ff88251b2b7](https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/e306d626e3fbbe3f10982ff88251b2b7) ### Secrets Required secrets: * `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`. ### Input fields File to submit for analysis. 400 (Mac Catalina 64 bit x86); 310 (Linux (Ubuntu 20.04, 64 bit)); 200 (Android Static Analysis); 160 (Windows 10 64 bit); 140 (Windows 11 64 bit); 120 (Windows 7 64 bit); 110 (Windows 7 32 bit HWP Support); 100 (Windows 7 32 bit); Default: `310`. ## Submit URL Action ID: `tools.hybrid_analysis.submit_url` Submit a URL for analysis with Hybrid Analysis. Reference: [https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/22e1723d4cec5c9b20d50715e4e5de8f](https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/22e1723d4cec5c9b20d50715e4e5de8f) ### Secrets Required secrets: * `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`. ### Input fields URL to submit for analysis. 400 (Mac Catalina 64 bit x86); 310 (Linux (Ubuntu 20.04, 64 bit)); 200 (Android Static Analysis); 160 (Windows 10 64 bit); 140 (Windows 11 64 bit); 120 (Windows 7 64 bit); 110 (Windows 7 32 bit HWP Support); 100 (Windows 7 32 bit); Default: `160`. # IPinfo Source: https://docs.tracecat.com/tools/ipinfo Reference for the Tracecat IPinfo integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup IP address Action ID: `tools.ipinfo.lookup_ip_address` Get IPinfo.io report for an IP address. Reference: [https://ipinfo.io/developers](https://ipinfo.io/developers) ### Secrets Required secrets: * `ipinfo`: required values `IPINFO_API_TOKEN`. ### Input fields IP address to lookup. # Jira MCP Source: https://docs.tracecat.com/tools/jira Reference for the Tracecat Jira MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add comment to issue Action ID: `tools.jira.add_issue_comment` Add a comment to an issue in Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-comments/#api-rest-api-3-issue-issueidorkey-comment-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-comments/#api-rest-api-3-issue-issueidorkey-comment-post) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Comment to add to the issue. Plain strings are wrapped as ADF text paragraphs. JSON object strings are deserialized. Dictionaries are sent as the Jira comment `body` value. ID or key of the issue to add a comment to. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. ## Assign issue Action ID: `tools.jira.assign_issue` Assign an issue to a user. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-assignee-put](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-assignee-put) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Jira issue key (e.g. TC-123) Jira user ID (e.g. 1234567890) Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. ## Create issue Action ID: `tools.jira.create_issue` Create a new issue in Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-post) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Detailed description of the incident. Plain strings are wrapped as ADF text paragraphs. JSON object strings are deserialized. Dictionaries are sent as provided. Jira issue type ID. Priority ID. Must be one of the priorities in the priority scheme. Jira project ID. Brief one-line summary of the incident. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. List of fields to add to the issue. ADF values can be passed as objects. For example usage: `[ {"customfield_10000": "New value"}, {"customfield_10001": {"version": 1, "type": "doc", "content": []}} ]` Default: `[]`. Tags to categorize the incident. Added as Jira labels. Default: `[]`. ## Get fields Action ID: `tools.jira.get_fields` Get a list of fields from Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-fields/#api-group-issue-fields](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-fields/#api-group-issue-fields) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. ## Get issue Action ID: `tools.jira.get_issue` Get an issue from Jira by ID or key. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields ID or key of the issue to get. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. A list of fields to return for each issue, use it to retrieve a subset of fields. This parameter accepts a comma-separated list of strings. Expand options include: \*all, \*navigable, summary, comment,-description, -comment (defaults to \*all). Default: `"*all"`. ## Get priorities by scheme Action ID: `tools.jira.get_priorities` Get a list of priorities from Jira for a given priority scheme. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-schemeid-priorities-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-schemeid-priorities-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Jira priority scheme ID. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. Maximum number of priorities to return. Default: `50`. ## Get priority schemes Action ID: `tools.jira.get_priority_schemes` Get a list of priority schemes from Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. Maximum number of priority schemes to return. Default: `50`. ## Get projects Action ID: `tools.jira.get_projects` Get a list of projects from Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-projects/#api-rest-api-3-project-search-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-projects/#api-rest-api-3-project-search-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. Maximum number of projects to return. Default: `50`. ## Get transitions Action ID: `tools.jira.get_transitions` Get a list of available transitions for an issue. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields ID or key of the issue to get transitions for. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. ## Get user ID Action ID: `tools.jira.get_user_id` Get a user ID from Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-user-search/#api-rest-api-3-user-search-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-user-search/#api-rest-api-3-user-search-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Jira username (e.g. [john.doe@example.com](mailto:john.doe@example.com)) Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. ## Jira MCP Action ID: `tools.jira.mcp` Use AI to interact with Jira through Atlassian's remote MCP server. Reference: [https://support.atlassian.com/atlassian-rovo-mcp-server/docs/getting-started-with-the-atlassian-remote-mcp-server/](https://support.atlassian.com/atlassian-rovo-mcp-server/docs/getting-started-with-the-atlassian-remote-mcp-server/) ### Secrets Required secrets: * `jira_mcp_oauth`: OAuth token `JIRA_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. ## Search issues Action ID: `tools.jira.search_issues` Search for issues in Jira using JQL. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-search/#api-rest-api-3-search-jql-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-search/#api-rest-api-3-search-jql-get) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields JQL query to search for issues. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)) Default: `null`. A list of fields to return for each issue, use it to retrieve a subset of fields. This parameter accepts a comma-separated list. Expand options include: \*all, \*navigable, summary, comment, -description, -comment (defaults to id). Default: `"id"`. Maximum number of results to return. Default: `100`. Next page token to get the next page of results. If not provided, the first page of results will be returned. Default: `null`. ## Update issue description Action ID: `tools.jira.update_issue_description` Update the description of an existing issue in Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Updated description of the incident. Plain strings are wrapped as ADF text paragraphs. JSON object strings are deserialized. Dictionaries are sent as provided. ID or key of the issue to update. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. ## Update issue fields Action ID: `tools.jira.update_issue_fields` Update the fields of an existing issue in Jira. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields List of fields to update in the issue. ADF values can be passed as objects. For example usage: `[ {"customfield_10000": "New value"}, {"customfield_10001": {"version": 1, "type": "doc", "content": []}} ]` ID or key of the issue to update. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. ## Update issue status Action ID: `tools.jira.update_issue_status` Update the status of an issue. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-post) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields ID or key of the issue to update. ID of the transition to perform. Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. ## Upload attachment Action ID: `tools.jira.upload_attachment` Upload an attachment to a Jira issue. Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-attachments/#api-rest-api-3-issue-issueidorkey-attachments-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-attachments/#api-rest-api-3-issue-issueidorkey-attachments-post) ### Secrets Required secrets: * `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`. ### Input fields Base64 encoded content of the file to upload. MIME type of the file (e.g., "application/pdf", "image/png", "text/plain"). Name of the file to upload. Jira issue key or ID to upload the attachment to (e.g., "PROJ-123"). Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)). Default: `null`. # Kubernetes SDK Source: https://docs.tracecat.com/tools/kubernetes_sdk Reference for the Tracecat Kubernetes SDK integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call API Action ID: `tools.kubernetes_sdk.call_api` Instantiate an isolated Kubernetes SDK client and call an API method. Reference: [https://github.com/kubernetes-client/python](https://github.com/kubernetes-client/python) ### Secrets Required secrets: * `kubernetes`: required values `KUBECONFIG`; optional values `KUBECONFIG_CONTEXT`. ### Input fields Kubernetes API class, e.g. `CoreV1Api`. Kubernetes API method, e.g. `list_namespaced_pod`. Parameters for the Kubernetes API method. Default: `null`. # LDAP Source: https://docs.tracecat.com/tools/ldap Reference for the Tracecat LDAP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add LDAP entry Action ID: `tools.ldap.add_entry` Add an entry to the LDAP directory. Reference: [https://ldap3.readthedocs.io/en/latest/add.html](https://ldap3.readthedocs.io/en/latest/add.html) ### Secrets Required secrets: * `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`. ### Input fields Attributes of the entry Distinguished name of the entry Object class of the entry Additional connection parameters Default: `null`. Additional server parameters Default: `null`. ## Delete LDAP entry Action ID: `tools.ldap.delete_entry` Delete an entry from the LDAP directory. Reference: [https://ldap3.readthedocs.io/en/latest/delete.html](https://ldap3.readthedocs.io/en/latest/delete.html) ### Secrets Required secrets: * `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`. ### Input fields Distinguished name of the entry Additional connection parameters Default: `null`. Additional server parameters Default: `null`. ## Modify LDAP entry Action ID: `tools.ldap.modify_entry` Modify an LDAP entry in the directory. Reference: [https://ldap3.readthedocs.io/en/latest/modify.html](https://ldap3.readthedocs.io/en/latest/modify.html) ### Secrets Required secrets: * `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`. ### Input fields Changes to the entry Distinguished name of the entry Additional connection parameters Default: `null`. Additional server parameters Default: `null`. ## Search LDAP directory Action ID: `tools.ldap.search_entries` Search the LDAP directory for entries matching the query. Reference: [https://ldap3.readthedocs.io/en/latest/searches.html](https://ldap3.readthedocs.io/en/latest/searches.html) ### Secrets Required secrets: * `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`. ### Input fields Search base DN LDAP search filter (RFC4515 syntax). Example: '(cn=John\*)' or '(&(objectClass=person)(mail=\*@example.com))' Additional connection parameters Default: `null`. Additional server parameters Default: `null`. # LeakCheck Source: https://docs.tracecat.com/tools/leakcheck Reference for the Tracecat LeakCheck integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup Domain leak Action ID: `tools.leakcheck.search_domain_leak` Retrieve leaks linked to a domain name Reference: [https://wiki.leakcheck.io/en/api](https://wiki.leakcheck.io/en/api) ### Secrets Required secrets: * `leakcheck`: required values `LEAKCHECK_API_KEY`. ### Input fields Domain name to search for leaks. ## Lookup Email leak Action ID: `tools.leakcheck.search_email_leak` Retrieve leaks linked to an email address Reference: [https://wiki.leakcheck.io/en/api](https://wiki.leakcheck.io/en/api) ### Secrets Required secrets: * `leakcheck`: required values `LEAKCHECK_API_KEY`. ### Input fields Email address to search for leaks. # Linear MCP Source: https://docs.tracecat.com/tools/linear Reference for the Tracecat Linear MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Linear MCP Action ID: `tools.linear.mcp` Use AI to interact with Linear. Reference: [https://linear.app/docs/mcp](https://linear.app/docs/mcp) ### Secrets Required secrets: * `linear_mcp_oauth`: OAuth token `LINEAR_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. # Microsoft Defender for Endpoint Source: https://docs.tracecat.com/tools/microsoft_defender_endpoint Reference for the Tracecat Microsoft Defender for Endpoint integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create machine action Action ID: `tools.microsoft_defender_endpoint.create_machine_action` Submit a machine action (for example, isolate or run an antivirus scan) in Microsoft Defender for Endpoint. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/machineaction](https://learn.microsoft.com/en-us/defender-endpoint/api/machineaction) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Type of machine action to perform. Allowed values: `Isolate`, `Unisolate`, `CollectInvestigationPackage`, `RunAntivirusScan`, `RestrictCodeExecution`, `UnrestrictCodeExecution`, `StopAndQuarantineFile`, `LiveResponse`, `Offboard`, `RequestSample`. Comment describing why the action is being taken. Machine ID to target with the action. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Optional action parameters payload (for example, \{"scanType": "Quick"} for RunAntivirusScan). Default: `null`. ## Create or update indicator Action ID: `tools.microsoft_defender_endpoint.create_or_update_indicator` Create or update a Microsoft Defender for Endpoint custom indicator of compromise. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/post-ti-indicator](https://learn.microsoft.com/en-us/defender-endpoint/api/post-ti-indicator) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Enforcement action for the indicator. Allowed values: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, `Allowed`. Indicator description. Indicator type. Allowed values: `FileSha1`, `FileSha256`, `FileMd5`, `CertificateThumbprint`, `IpAddress`, `DomainName`, `Url`. Indicator value (for example, SHA1 hash, domain, URL, or IP address). Indicator alert title. Friendly application name to display in end-user notifications. Default: `null`. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Optional ISO 8601 timestamp when the indicator expires (for example, 2025-12-31T00:00:00Z). Default: `null`. Whether Defender should generate an alert when the indicator matches. Default: `null`. Optional list of RBAC device group names that the indicator applies to. Default: `null`. Recommended remediation steps to include with the indicator. Default: `null`. Optional severity to associate with the indicator. Default: `null`. ## Get alert Action ID: `tools.microsoft_defender_endpoint.get_alert` Retrieve a Microsoft Defender for Endpoint alert by ID. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id](https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Alert ID to retrieve. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. ## Get file from machine Action ID: `tools.microsoft_defender_endpoint.get_file_from_machine` Request a file from a device using Microsoft Defender Live Response. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Absolute file path on the device (escape backslashes, for example C:\\\Windows\\\Temp\\\sample.txt). Machine ID to collect the file from. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Comment describing the Live Response action. Default: `null`. ## Get incident Action ID: `tools.microsoft_defender_endpoint.get_incident` Retrieve a Microsoft Defender for Endpoint incident by ID. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Incident ID to retrieve. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. ## Get machine Action ID: `tools.microsoft_defender_endpoint.get_machine` Retrieve detailed information about a device from Microsoft Defender for Endpoint. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-machine-by-id](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machine-by-id) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Machine ID to retrieve, as returned by the alerts or incidents APIs. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. ## Isolate machine Action ID: `tools.microsoft_defender_endpoint.isolate_machine` Isolate a device from the network using Microsoft Defender for Endpoint. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/isolate-machine](https://learn.microsoft.com/en-us/defender-endpoint/api/isolate-machine) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Comment describing why the device is being isolated. Machine ID to isolate. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Isolation scope to apply. Default: `"Full"`. Allowed values: `Full`, `Selective`, `UnManagedDevice`. ## List alerts Action ID: `tools.microsoft_defender_endpoint.list_alerts` List Microsoft Defender for Endpoint alerts with optional filtering and time range. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts](https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. OData filter expression to apply (for example, status eq 'Active' and severity eq 'High'). Default: `null`. OData order by clause (for example, lastUpdateTime desc). Default: `null`. ISO 8601 timestamp to restrict alerts updated after this time (convenience filter applied as lastUpdateTime ge). Default: `null`. Maximum number of alerts to return (maps to \$top OData query option). Default: `null`. ## List incidents Action ID: `tools.microsoft_defender_endpoint.list_incidents` List Microsoft Defender for Endpoint incidents with optional OData filtering. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. OData filter expression to apply (for example, status eq 'Active' and severity eq 'High'). Default: `null`. OData order by clause (for example, lastUpdateTime desc). Default: `null`. Maximum number of incidents to return (maps to \$top OData query option). Default: `null`. ## List indicators Action ID: `tools.microsoft_defender_endpoint.list_indicators` Retrieve Microsoft Defender for Endpoint indicators with optional OData filters. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-ti-indicators-collection](https://learn.microsoft.com/en-us/defender-endpoint/api/get-ti-indicators-collection) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. OData filter expression to apply (for example, action eq 'AlertAndBlock'). Default: `null`. OData order by clause (for example, creationTimeDateTimeUtc desc). Default: `null`. OData skip token to continue pagination. Default: `null`. Maximum number of indicators to return (maps to \$top). Default: `null`. ## List machine actions Action ID: `tools.microsoft_defender_endpoint.list_machine_actions` List Microsoft Defender for Endpoint machine actions with optional filters. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-machineactions-collection](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machineactions-collection) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. OData filter expression to apply (for example, machineId eq 'deviceId'). Default: `null`. OData order by clause (for example, creationDateTimeUtc desc). Default: `null`. OData skip token to continue pagination. Default: `null`. Maximum number of machine actions to return (maps to \$top). Default: `null`. ## List machines Action ID: `tools.microsoft_defender_endpoint.list_machines` List Microsoft Defender for Endpoint machines with optional filters. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. OData filter expression to apply (for example, healthStatus eq 'Active'). Default: `null`. OData order by clause (for example, lastSeen desc). Default: `null`. OData skip token to continue pagination. Default: `null`. Maximum number of machines to return (maps to \$top). Default: `null`. ## Put file on machine Action ID: `tools.microsoft_defender_endpoint.put_file_on_machine` Copy a file from the Live Response library onto a device. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Name of the file in the Live Response library to push to the device. Machine ID to receive the file. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Comment describing why the file was delivered. Default: `null`. ## Release machine from isolation Action ID: `tools.microsoft_defender_endpoint.unisolate_machine` Release a device from network isolation in Microsoft Defender for Endpoint. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/unisolate-machine](https://learn.microsoft.com/en-us/defender-endpoint/api/unisolate-machine) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Comment describing why the device is being released. Machine ID to release from isolation. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. ## Run advanced hunting query Action ID: `tools.microsoft_defender_endpoint.run_advanced_hunting_query` Execute a Microsoft Defender advanced hunting query across Defender for Endpoint data. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-advanced-query-api](https://learn.microsoft.com/en-us/defender-endpoint/api/run-advanced-query-api) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Kusto Query Language (KQL) query to run (for example, "DeviceNetworkEvents | take 25"). Optional AdvancedQueryRunSettings object (for example, \{"TimeoutInSeconds": 120}). Default: `null`. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. ## Run antivirus scan Action ID: `tools.microsoft_defender_endpoint.run_antivirus_scan` Trigger a Microsoft Defender Antivirus scan on a device. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-av-scan](https://learn.microsoft.com/en-us/defender-endpoint/api/run-av-scan) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Comment describing why the scan was requested. Machine ID to scan. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Type of antivirus scan to perform. Default: `"Quick"`. Allowed values: `Quick`, `Full`. ## Run live response Action ID: `tools.microsoft_defender_endpoint.run_live_response` Run a sequence of Live Response commands on a device in Microsoft Defender for Endpoint. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Ordered list of Live Response commands (each object requires at least a 'type' key and optional 'params' list of key/value objects). Machine ID to target with Live Response commands. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Comment describing the purpose of the Live Response session. Default: `null`. ## Run script on machine Action ID: `tools.microsoft_defender_endpoint.run_script_on_machine` Execute a script from the Live Response library on a device. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Machine ID to target with the script. Name of the uploaded Live Response script to run. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Comment describing the Live Response action. Default: `null`. Optional arguments passed to the script (quoted as a single string). Default: `null`. ## Update alert Action ID: `tools.microsoft_defender_endpoint.update_alert` Update status, ownership, or classification details for a Microsoft Defender for Endpoint alert. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/update-alert](https://learn.microsoft.com/en-us/defender-endpoint/api/update-alert) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Alert ID to update. User principal name (UPN) or email address to assign the alert to. Default: `null`. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Updated alert classification. Default: `null`. Comment to append to the alert. Default: `null`. Determination that provides additional context for the classification (for example, Malware, SecurityTesting, NotMalicious). Default: `null`. Updated alert status. Default: `null`. ## Update incident Action ID: `tools.microsoft_defender_endpoint.update_incident` Update classification, determination, or assignment details for a Microsoft Defender for Endpoint incident. Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) ### Secrets Optional secrets: * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`. * `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`. ### Input fields Incident ID to update. User principal name (UPN) or email to assign the incident to. Default: `null`. Base URL for the Microsoft Defender for Endpoint API. Default: `"https://api.securitycenter.microsoft.com"`. Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`. Classification to apply to the incident (for example, Unknown, TruePositive, FalsePositive, InformationalExpectedActivity). Default: `null`. Comment to add to the incident history. Default: `null`. Determination that provides additional context for the classification (for example, Unknown, Malware, SecurityTesting). Default: `null`. Incident status (for example, Active, Resolved, InProgress, Redirected). Default: `null`. Tags to associate with the incident. Default: `null`. # Microsoft Entra Source: https://docs.tracecat.com/tools/microsoft_entra Reference for the Tracecat Microsoft Entra integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add user to group Action ID: `tools.microsoft_entra.add_user_to_group` Add a Microsoft Entra ID user to a group. Reference: [https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the group. The unique identifier of the user (directory object) to add. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Create group Action ID: `tools.microsoft_entra.create_group` Create a Microsoft Entra ID group. Reference: [https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields Properties for the new group resource (displayName, mailEnabled, mailNickname, securityEnabled, etc.). Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Create user Action ID: `tools.microsoft_entra.create_user` Create a Microsoft Entra ID user account. Reference: [https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields User properties for the request body (e.g. accountEnabled, displayName, mailNickname, userPrincipalName, passwordProfile). Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Delete group Action ID: `tools.microsoft_entra.delete_group` Delete a Microsoft Entra ID group. Reference: [https://learn.microsoft.com/en-us/graph/api/group-delete?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-delete?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the group to delete. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Delete user Action ID: `tools.microsoft_entra.delete_user` Delete a Microsoft Entra ID user. Reference: [https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the user to delete. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Get group Action ID: `tools.microsoft_entra.get_group` Retrieve details for a Microsoft Entra ID group. Reference: [https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the group to retrieve. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Optional related entities to expand in the response. Default: `null`. Optional set of group properties to return. Default: `null`. ## Get user Action ID: `tools.microsoft_entra.get_user` Retrieve details for a Microsoft Entra ID user. Reference: [https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the user to retrieve. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Optional related entities to expand in the response. Default: `null`. Optional set of user properties to return. Default: `null`. ## Get user ID by email Action ID: `tools.microsoft_entra.get_user_id_by_email` Get a user's ID by searching for their email address in mail or userPrincipalName. Reference: [https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The email address to search for. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## List groups Action ID: `tools.microsoft_entra.list_groups` List Microsoft Entra ID groups with optional OData queries. Reference: [https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Set ConsistencyLevel=eventual for advanced queries when required by Microsoft Graph. Default: `false`. Optional related entities to expand in the response. Default: `null`. Optional OData \$filter expression. Default: `null`. Optional maximum page size to request via Prefer=odata.maxpagesize. Default: `null`. Optional OData \$orderby expression. Default: `null`. Optional search phrase. Use quoted property names as documented, for example "displayName:Engineering". Default: `null`. Optional set of group properties to return. Default: `null`. Opaque continuation token from a previous response (\$skiptoken). Default: `null`. Maximum number of results to return in a single page (\$top). Default: `null`. ## List users Action ID: `tools.microsoft_entra.list_users` List Microsoft Entra ID users with optional OData query parameters. Reference: [https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Set ConsistencyLevel=eventual for advanced queries when required by Microsoft Graph. Default: `false`. Include @odata.count in the response by setting \$count=true. Default: `false`. Optional related entities to expand in the response. Default: `null`. Optional OData \$filter expression. Default: `null`. Optional maximum page size to request via Prefer=odata.maxpagesize. Default: `null`. Optional OData \$orderby expression. Default: `null`. Optional search phrase. Use quoted property names per Microsoft Graph syntax, for example "displayName:Alex". Default: `null`. Optional set of user properties to return. Default: `null`. Opaque continuation token from a previous response (\$skiptoken). Default: `null`. Maximum number of results to return in a single page (\$top). Default: `null`. ## Remove user from group Action ID: `tools.microsoft_entra.remove_user_from_group` Remove a Microsoft Entra ID user from a group. Reference: [https://learn.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the group. The unique identifier of the user (directory object) to remove. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Update group Action ID: `tools.microsoft_entra.update_group` Update properties on a Microsoft Entra ID group. Reference: [https://learn.microsoft.com/en-us/graph/api/group-update?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-update?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields The unique identifier of the group to update. Group properties to update as defined in the Microsoft Graph group resource. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## Update user Action ID: `tools.microsoft_entra.update_user` Update properties on a Microsoft Entra ID user. Reference: [https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0) ### Secrets Optional secrets: * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`. * `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`. ### Input fields User properties to update as defined in the Microsoft Graph user resource. The unique identifier of the user to update. Microsoft Graph API version. Default: `"v1.0"`. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. # Microsoft Sentinel Source: https://docs.tracecat.com/tools/microsoft_sentinel Reference for the Tracecat Microsoft Sentinel integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create incident comment Action ID: `tools.microsoft_sentinel.create_incident_comment` Create a comment on an incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Comment ID (GUID). Incident ID. Comment message text. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create or update alert rule Action ID: `tools.microsoft_sentinel.create_or_update_alert_rule` Create or update an alert rule in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Alert rule properties including kind, displayName, enabled, query, etc. Azure resource group name. Alert rule ID. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create or update bookmark Action ID: `tools.microsoft_sentinel.create_or_update_bookmark` Create or update a bookmark in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Bookmark ID. Bookmark properties including displayName, notes, query, labels, etc. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create or update incident Action ID: `tools.microsoft_sentinel.create_or_update_incident` Create or update an incident in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Incident properties including title, severity, status, description, etc. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create or update incident relation Action ID: `tools.microsoft_sentinel.create_or_update_incident_relation` Create or update a relation for an incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Relation properties including relatedResourceId. Relation name (GUID). Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create or update watchlist Action ID: `tools.microsoft_sentinel.create_or_update_watchlist` Create or update a watchlist in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Watchlist properties including displayName, provider, source, itemsSearchKey, etc. Azure resource group name. Azure subscription ID. Watchlist alias. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create or update watchlist item Action ID: `tools.microsoft_sentinel.create_or_update_watchlist_item` Create or update an item in a watchlist in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Watchlist item properties including itemsKeyValue. Azure resource group name. Azure subscription ID. Watchlist alias. Watchlist item ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Create threat intelligence indicator Action ID: `tools.microsoft_sentinel.create_threat_intelligence_indicator` Create a threat intelligence indicator in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Threat intelligence indicator name (GUID). Indicator properties including kind, pattern, patternType, source, displayName, etc. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete alert rule Action ID: `tools.microsoft_sentinel.delete_alert_rule` Delete an alert rule from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Alert rule ID. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete bookmark Action ID: `tools.microsoft_sentinel.delete_bookmark` Delete a bookmark from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Bookmark ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete incident Action ID: `tools.microsoft_sentinel.delete_incident` Delete an incident from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete incident comment Action ID: `tools.microsoft_sentinel.delete_incident_comment` Delete a comment from an incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Comment ID. Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete incident relation Action ID: `tools.microsoft_sentinel.delete_incident_relation` Delete a relation from an incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Relation name. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete threat intelligence indicator Action ID: `tools.microsoft_sentinel.delete_threat_intelligence_indicator` Delete a threat intelligence indicator from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Threat intelligence indicator name. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete watchlist Action ID: `tools.microsoft_sentinel.delete_watchlist` Delete a watchlist from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Watchlist alias. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Delete watchlist item Action ID: `tools.microsoft_sentinel.delete_watchlist_item` Delete an item from a watchlist in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Watchlist alias. Watchlist item ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get alert rule Action ID: `tools.microsoft_sentinel.get_alert_rule` Get a specific alert rule by ID from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Alert rule ID. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get alert rule template Action ID: `tools.microsoft_sentinel.get_alert_rule_template` Get a specific alert rule template by ID from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Alert rule template ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get bookmark Action ID: `tools.microsoft_sentinel.get_bookmark` Get a specific bookmark by ID from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Bookmark ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get incident Action ID: `tools.microsoft_sentinel.get_incident` Get a specific incident by ID from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get incident relation Action ID: `tools.microsoft_sentinel.get_incident_relation` Get a specific relation for an incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Relation name (GUID). Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get threat intelligence indicator Action ID: `tools.microsoft_sentinel.get_threat_intelligence_indicator` Get a specific threat intelligence indicator by name from Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Threat intelligence indicator name (GUID). Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get watchlist Action ID: `tools.microsoft_sentinel.get_watchlist` Get a specific watchlist by alias from Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Watchlist alias. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Get watchlist item Action ID: `tools.microsoft_sentinel.get_watchlist_item` Get a specific item from a watchlist in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Watchlist alias. Watchlist item ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List alert rule templates Action ID: `tools.microsoft_sentinel.list_alert_rule_templates` Get all alert rule templates available in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List alert rules Action ID: `tools.microsoft_sentinel.list_alert_rules` Get all alert rules in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List bookmarks Action ID: `tools.microsoft_sentinel.list_bookmarks` Get all bookmarks in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List incident alerts Action ID: `tools.microsoft_sentinel.list_incident_alerts` Get all alerts related to a specific incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List incident bookmarks Action ID: `tools.microsoft_sentinel.list_incident_bookmarks` Get all bookmarks related to a specific incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List incident comments Action ID: `tools.microsoft_sentinel.list_incident_comments` Get all comments for a specific incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List incident entities Action ID: `tools.microsoft_sentinel.list_incident_entities` Get all entities related to a specific incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List incident relations Action ID: `tools.microsoft_sentinel.list_incident_relations` Get all relations for a specific incident in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Incident ID. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List incidents Action ID: `tools.microsoft_sentinel.list_incidents` Get all incidents in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. OData filter expression (e.g., "properties/status eq 'Active'"). Default: `null`. OData orderby expression (e.g., "properties/createdTimeUtc desc"). Default: `null`. Skiptoken for pagination. Default: `null`. Maximum number of incidents to return. Default: `null`. ## List threat intelligence indicators Action ID: `tools.microsoft_sentinel.list_threat_intelligence_indicators` Get all threat intelligence indicators in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. OData filter expression. Default: `null`. OData orderby expression. Default: `null`. Skiptoken for pagination. Default: `null`. Maximum number of indicators to return. Default: `null`. ## List watchlist items Action ID: `tools.microsoft_sentinel.list_watchlist_items` Get all items in a specific watchlist in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Watchlist alias. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## List watchlists Action ID: `tools.microsoft_sentinel.list_watchlists` Get all watchlists in Microsoft Sentinel workspace. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. ## Query threat intelligence indicators Action ID: `tools.microsoft_sentinel.query_threat_intelligence_indicators` Query threat intelligence indicators using advanced filters in Microsoft Sentinel. Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators?view=rest-securityinsights-2025-09-01) ### Secrets Optional secrets: * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`. * `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`. ### Input fields Query parameters including keywords, patternTypes, sources, threatTypes, etc. Azure resource group name. Azure subscription ID. Log Analytics workspace name. API version. Default: `"2025-09-01"`. Base URL for the Azure Management API. Default: `"https://management.azure.com"`. Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`. # Microsoft Teams Source: https://docs.tracecat.com/tools/microsoft_teams Reference for the Tracecat Microsoft Teams integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create Teams channel Action ID: `tools.microsoft_teams.create_channel` Create a new channel in a Microsoft Teams team. Can create either public (standard) or private channels. Reference: [https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0) ### Secrets Required secrets: * `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`. ### Input fields The display name for the channel. The ID of the team. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Description for the channel. Default: `null`. Whether to create a private channel (requires members). Default: `false`. List of user IDs to add as owners (required for private channels). Default: `null`. ## Delete Teams channel Action ID: `tools.microsoft_teams.delete_channel` Delete a channel from a Microsoft Teams team. Reference: [https://learn.microsoft.com/en-us/graph/api/channel-delete?view=graph-rest-beta\&tabs=http](https://learn.microsoft.com/en-us/graph/api/channel-delete?view=graph-rest-beta\&tabs=http) ### Secrets Required secrets: * `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`. ### Input fields The ID of the channel. The ID of the team. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. ## List channel messages Action ID: `tools.microsoft_teams.list_channel_messages` Retrieve the list of messages (without the replies) in a channel of a team. Reference: [https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta\&tabs=python](https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta\&tabs=python) ### Secrets Required secrets: * `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`. ### Input fields The ID of the channel. The ID of the team. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Whether to expand replies for each message. Default: `false`. Number of messages to return per page (default 20, max 50). Default: `null`. ## Send adaptive card Action ID: `tools.microsoft_teams.send_adaptive_card` Send a message with Adaptive Cards to a Microsoft Teams channel. Reference: [https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0) ### Secrets Required secrets: * `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`. ### Input fields List of Adaptive Card elements. The ID of the channel. The ID of the team. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. Title for the card (appears as subject). Default: `null`. ## Send replies to a Teams message Action ID: `tools.microsoft_teams.post_replies` Send a reply to a Microsoft Teams message. Reference: [https://learn.microsoft.com/en-us/graph/api/chatmessage-post-replies?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/chatmessage-post-replies?view=graph-rest-1.0) ### Secrets Required secrets: * `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`. ### Input fields The ID of the channel. The reply message to send. The ID of the message to reply to. The ID of the team. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. The content type of the reply message. Default: `"html"`. ## Send Teams message Action ID: `tools.microsoft_teams.send_message` Send a message to a Microsoft Teams channel. Reference: [https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0) ### Secrets Required secrets: * `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`. ### Input fields The ID of the channel. The message to send. The ID of the team. Base URL for the Microsoft Graph API. Default: `"https://graph.microsoft.com"`. Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`. # MinIO Source: https://docs.tracecat.com/tools/minio Reference for the Tracecat MinIO integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call MinIO method Action ID: `tools.minio.call_method` Instantiate a MinIO client and call a MinIO method. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/](https://docs.min.io/enterprise/aistor-object-store/developers/) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields MinIO method name. MinIO method parameters. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. ## Copy MinIO objects Action ID: `tools.minio.copy_objects` Copy MinIO objects from one bucket to another. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#copy\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#copy_object) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields Destination MinIO bucket name. Prefix to filter objects. Source MinIO bucket name. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. ## Delete MinIO object Action ID: `tools.minio.delete_object` Delete an object from MinIO. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#remove\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#remove_object) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields MinIO bucket name. MinIO object key. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. ## Get MinIO object Action ID: `tools.minio.get_object` Download an object from MinIO and return its body as a string. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#get\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#get_object) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields MinIO bucket name. MinIO object key. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. ## Get MinIO objects Action ID: `tools.minio.get_objects` Download multiple MinIO objects and return their bodies as strings. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#get\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#get_object) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields MinIO bucket name. MinIO object keys. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. ## List MinIO buckets Action ID: `tools.minio.list_buckets` List MinIO buckets Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#list\_buckets](https://docs.min.io/enterprise/aistor-object-store/developers/#list_buckets) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. ## List MinIO objects Action ID: `tools.minio.list_objects` List objects in a MinIO bucket. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#list\_objects](https://docs.min.io/enterprise/aistor-object-store/developers/#list_objects) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields MinIO bucket name. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. MinIO object key prefix. Default: `null`. List recursively. Default: `true`. Whether to use HTTPS connection. Default: `true`. ## Put MinIO object Action ID: `tools.minio.put_object` Put an object to MinIO. Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#put\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#put_object) ### Secrets Required secrets: * `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`. ### Input fields MinIO bucket name. Base64 encoded content of the file to upload. MinIO object key. Whether to check the server certificate for HTTPS connection. Default: `true`. MinIO endpoint URL. Default: `null`. Whether to use HTTPS connection. Default: `true`. # Notion MCP Source: https://docs.tracecat.com/tools/notion Reference for the Tracecat Notion MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Notion MCP Action ID: `tools.notion.mcp` Use AI to interact with Notion. Reference: [https://developers.notion.com/guides/mcp/overview](https://developers.notion.com/guides/mcp/overview) ### Secrets Required secrets: * `notion_mcp_oauth`: OAuth token `NOTION_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. # Okta Source: https://docs.tracecat.com/tools/okta Reference for the Tracecat Okta integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Activate user Action ID: `tools.okta.activate_user` Activate a user account in Okta. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/activateUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/activateUser) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields User ID, login, or email of the user to activate Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Whether to send an activation email to the user Default: `true`. ## Add user to group Action ID: `tools.okta.add_to_group` Add a user to a specific group in Okta. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/assignUserToGroup](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/assignUserToGroup) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of the group to add the user to User ID, login, or email to add to the group Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. ## Assign group to application Action ID: `tools.okta.assign_group_to_app` Assign a group to an application in Okta. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/applicationgroups/#tag/ApplicationGroups/operation/updateGroupAssignmentToApplication](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/applicationgroups/#tag/ApplicationGroups/operation/updateGroupAssignmentToApplication) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Application ID to assign the group to Group ID to assign to the application Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Priority of the group assignment (0-100) Default: `null`. ## Clear user sessions Action ID: `tools.okta.clear_user_sessions` Clear all active sessions for a user in Okta. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields User ID, login, or email of the user whose sessions to clear Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. ## Create user Action ID: `tools.okta.create_user` Create a new user in your Okta organization. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/createUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/createUser) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Email address of the new user First name of the new user Last name of the new user Whether to activate the user immediately Default: `true`. Additional user profile attributes Default: `null`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Login for the user (defaults to email if not provided) Default: `null`. ## Expire password Action ID: `tools.okta.expire_password` Expire password for an Okta user and will force the user to set a new password on next sign-in. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePassword](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePassword) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of an existing user. Okta organization URL. Default: `null`. Revoke all sessions for the user. Default: `false`. ## Expire password with temporary password Action ID: `tools.okta.expire_password_with_temp_password` Expire password for an Okta user and will return a temporary password. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePasswordWithTempPassword](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePasswordWithTempPassword) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of an existing user. Okta organization URL. Default: `null`. Revoke all sessions for the user. Default: `false`. ## Get group members Action ID: `tools.okta.get_group_members` List all users that are members of a specific group. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroupUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroupUsers) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of the group to get members for Pagination cursor to start from Default: `null`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Number of members to return (default 200) Default: `200`. ## Get groups assigned to user Action ID: `tools.okta.get_groups_assigned_to_user` List all groups that a user is a member of. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/#tag/UserResources/operation/listUserGroups](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/#tag/UserResources/operation/listUserGroups) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields User ID, login, or email to get group memberships for Pagination cursor to start from Default: `null`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Maximum number of groups to return (default 200) Default: `200`. ## Get user Action ID: `tools.okta.get_user` Retrieve a specific user by ID, login, or email from your Okta organization. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/getUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/getUser) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields User ID, login, or email of the user to retrieve Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. ## List groups in organization Action ID: `tools.okta.list_groups_in_org` List all groups in your Okta organization with optional filtering. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroups](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroups) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Pagination cursor to start from Default: `null`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Number of groups to return (default 200) Default: `200`. Search expression for filtering groups Default: `null`. ## List users Action ID: `tools.okta.list_users` List all users in your Okta organization with optional filtering and search. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Pagination cursor to start from Default: `null`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Filter expression for users Default: `null`. Number of users to return (default 200) Default: `200`. ## Lookup user by email Action ID: `tools.okta.lookup_user_by_email` Get an Okta user by email. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Email of an existing user. Okta organization URL. Default: `null`. ## Remove user from group Action ID: `tools.okta.remove_from_group` Remove a user from a specific group in Okta. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/unassignUserFromGroup](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/unassignUserFromGroup) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of the group to remove the user from User ID, login, or email to remove from the group Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. ## Reset password Action ID: `tools.okta.reset_password` Reset password for an Okta user and send a password reset email or return a password reset link. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/resetPassword](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/resetPassword) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of an existing user. Okta organization URL. Default: `null`. Revoke all sessions for the user. Default: `false`. Sends a OTT link email to the user, if false returns password reset link. Default: `true`. ## Revoke sessions Action ID: `tools.okta.revoke_sessions` Revoke all IdP sessions for an Okta user. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of an existing user. Okta organization URL. Default: `null`. ## Search users Action ID: `tools.okta.search_users` Search for users using a query string that matches login, email, firstName, or lastName. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Query string to search for users Pagination cursor to start from Default: `null`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Number of users to return (default 10) Default: `10`. ## Suspend user Action ID: `tools.okta.suspend_user` Suspend an Okta user. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/suspendUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/suspendUser) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of an existing user. Okta organization URL. Default: `null`. ## Unsuspend user Action ID: `tools.okta.unsuspend_user` Unsuspend an Okta user. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/unsuspendUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/unsuspendUser) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of the user to unsuspend. Okta organization URL. Default: `null`. # Okta Source: https://docs.tracecat.com/tools/okta_oar Reference for the Tracecat Okta integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create message Action ID: `tools.okta_oar.create_message` Create a message in an Okta Access Request ticket. Reference: [https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/createRequestMessage](https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/createRequestMessage) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Message content to add to the request ID of the access request to add message to Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. ## Get requests Action ID: `tools.okta_oar.get_requests` Get Okta Access Request tickets with optional filtering and pagination. Reference: [https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/](https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields Pagination cursor for retrieving next set of results Default: `""`. Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. Filter expression for requests Default: `""`. Number of requests to return (default 20) Default: `"20"`. Field to order results by Default: `""`. ## Get specific request Action ID: `tools.okta_oar.get_specific_request` Get a specific Okta Access Request ticket by ID. Reference: [https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/getRequest](https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/getRequest) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields ID of the access request to retrieve Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. ## Get user Action ID: `tools.okta_oar.get_user` Get an Okta user by ID. Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#get-user](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#get-user) ### Secrets Required secrets: * `okta`: required values `OKTA_API_TOKEN`. ### Input fields User ID, login, or email of the user to retrieve Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)') Default: `null`. # Okta SDK Applications Source: https://docs.tracecat.com/tools/okta_sdk Reference for the Tracecat Okta SDK Applications integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Activate application Action ID: `tools.okta_sdk.activate_application` Activate an Okta application. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta application ID. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Call method Action ID: `tools.okta_sdk.call_method` Instantiate an Okta SDK client and call an async Okta SDK method. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta SDK client method name, e.g. `list_users`. Auth mode. Auto prefers OAuth/bearer, then private key, then SSWS. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Parameters for the Okta SDK method. Default: `null`. Okta SDK rate-limit retry count. Default: `2`. OAuth scopes for private-key auth. Default: `null`. ## Call paginated method Action ID: `tools.okta_sdk.call_paginated_method` Call an Okta SDK list method and follow Okta `Link` pagination. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta SDK method name, e.g. `list_users`. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Per-page item limit. Default: `null`. Maximum pages to fetch. Default: `null`. Parameters for the Okta SDK method. Default: `null`. Okta SDK rate-limit retry count. Default: `2`. OAuth scopes for private-key auth. Default: `null`. ## Change user password Action ID: `tools.okta_sdk.change_password` Change an Okta user's password. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta change password request body. Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Apply Okta strict validation. Default: `null`. ## Create group Action ID: `tools.okta_sdk.add_group` Create an Okta group. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta group body. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Deactivate application Action ID: `tools.okta_sdk.deactivate_application` Deactivate an Okta application. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta application ID. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Deactivate user Action ID: `tools.okta_sdk.deactivate_user` Deactivate an Okta user. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Okta Prefer header value. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Send Okta lifecycle email. Default: `null`. ## Delete group Action ID: `tools.okta_sdk.delete_group` Delete an Okta group. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta group ID. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Delete user Action ID: `tools.okta_sdk.delete_user` Delete or clear an Okta user, depending on current user status. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Okta Prefer header value. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Send Okta lifecycle email. Default: `null`. ## Forgot password Action ID: `tools.okta_sdk.forgot_password` Start Okta forgot-password flow for a user. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Send Okta lifecycle email. Default: `null`. ## Get application Action ID: `tools.okta_sdk.get_application` Get an Okta application. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta application ID. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Okta expand expression. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Get factor Action ID: `tools.okta_sdk.get_factor` Get an Okta user factor. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta factor ID. Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Get group Action ID: `tools.okta_sdk.get_group` Get an Okta group. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta group ID. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## List applications Action ID: `tools.okta_sdk.list_applications` List Okta applications. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta pagination cursor. Default: `null`. Include VPN settings. Default: `null`. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Okta expand expression. Default: `null`. Okta filter expression. Default: `null`. Include non-deleted applications. Default: `null`. Per-page item limit. Default: `null`. Search query. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Use Okta application-list optimization. Default: `null`. ## List factors Action ID: `tools.okta_sdk.list_factors` List enrolled factors for an Okta user. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## List group applications Action ID: `tools.okta_sdk.list_assigned_applications_for_group` List applications assigned to an Okta group. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta group ID. Okta pagination cursor. Default: `null`. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Per-page item limit. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## List log events Action ID: `tools.okta_sdk.list_log_events` List Okta System Log events. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta pagination cursor. Default: `null`. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Okta filter expression. Default: `null`. Per-page item limit. Default: `null`. Search query. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Lower time bound for log events. Default: `null`. Sort order, e.g. `ASCENDING` or `DESCENDING`. Default: `null`. Upper time bound for log events. Default: `null`. ## Reactivate user Action ID: `tools.okta_sdk.reactivate_user` Reactivate an Okta user. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Send Okta lifecycle email. Default: `null`. ## Replace group Action ID: `tools.okta_sdk.replace_group` Replace an Okta group. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta group body. Okta group ID. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Replace user Action ID: `tools.okta_sdk.replace_user` Replace an Okta user profile and credentials. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user request body. Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. ETag value for conditional replace. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Apply Okta strict validation. Default: `null`. ## Reset user factors Action ID: `tools.okta_sdk.reset_factors` Reset all enrolled factors for an Okta user. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Revoke user sessions Action ID: `tools.okta_sdk.revoke_user_sessions` Revoke active Okta sessions for a user. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Forget remembered devices. Default: `null`. Revoke OAuth tokens too. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Unenroll factor Action ID: `tools.okta_sdk.unenroll_factor` Unenroll an Okta user factor. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta factor ID. Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Remove recovery enrollment. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Unlock user Action ID: `tools.okta_sdk.unlock_user` Unlock an Okta user account. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. OAuth scopes for private-key auth. Default: `null`. ## Update user Action ID: `tools.okta_sdk.update_user` Partially update an Okta user profile and credentials. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta user request body. Okta user ID or login. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. ETag value for conditional update. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Apply Okta strict validation. Default: `null`. ## Verify factor Action ID: `tools.okta_sdk.verify_factor` Verify an Okta user factor. Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python) ### Secrets Optional secrets: * `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`. * `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`. ### Input fields Okta factor ID. Okta user ID or login. Accept-Language header value. Default: `null`. Auth mode. Default: `"auto"`. Okta org URL. Defaults to `OKTA_BASE_URL`. Default: `null`. Okta verify factor request body. Default: `null`. OAuth scopes for private-key auth. Default: `null`. Okta template ID. Default: `null`. Token lifetime in seconds. Default: `null`. User-Agent header value. Default: `null`. X-Forwarded-For header value. Default: `null`. # PagerDuty Source: https://docs.tracecat.com/tools/pagerduty Reference for the Tracecat PagerDuty integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Acknowledge event Action ID: `tools.pagerduty.acknowledge_event` Resolves an existing event in PagerDuty Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Input fields Identifies the alert The GUID of one of your Events API V2 integrations. This is the "Integration Key" listed on the Events API V2 integration's detail page. ## Get all schedules Action ID: `tools.pagerduty.get_all_schedules` Get all the on-call schedules. Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Secrets Required secrets: * `pagerduty`: required values `PAGERDUTY_API_KEY`. ### Input fields Filters the result, showing only the records whose name matches the query. Default: `null`. ## Get contact methods Action ID: `tools.pagerduty.get_contact_methods` Get contact methods in PagerDuty. Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Secrets Required secrets: * `pagerduty`: required values `PAGERDUTY_API_KEY`. ### Input fields The ID of the user. ## Get incident data Action ID: `tools.pagerduty.get_incident_data` Show detailed information about an incident. Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Secrets Required secrets: * `pagerduty`: required values `PAGERDUTY_API_KEY`. ### Input fields The ID of the incident. ## Get incidents Action ID: `tools.pagerduty.get_incidents` List existing incidents. Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Secrets Required secrets: * `pagerduty`: required values `PAGERDUTY_API_KEY`. ### Input fields Incident de-duplication key. Default: `null`. The start of the date range over which you want to search. Maximum range is 6 months and default is 1 month. Default: `null`. Filter incidents by status. Default: `null`. The end of the date range over which you want to search. Maximum range is 6 months and default is 1 month. Default: `null`. ## Get user notification rules Action ID: `tools.pagerduty.get_user_notification_rules` Get the notification rules of a PagerDuty user. Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Secrets Required secrets: * `pagerduty`: required values `PAGERDUTY_API_KEY`. ### Input fields The ID of the user. ## Get users on-call Action ID: `tools.pagerduty.get_users_on_call` Get the users on-call. Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Secrets Required secrets: * `pagerduty`: required values `PAGERDUTY_API_KEY`. ### Input fields The ID of the schedule(s). The start of the time range over which you want to search. Defaults to current time. Default: `null`. The end of the time range over which you want to search. Defaults to current time. Default: `null`. ## Resolve event Action ID: `tools.pagerduty.resolve_event` Resolves an existing event in PagerDuty Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Input fields Identifies the alert The GUID of one of your Events API V2 integrations. This is the "Integration Key" listed on the Events API V2 integration's detail page. ## Trigger event Action ID: `tools.pagerduty.trigger_event` Trigger event to report a new problem Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference) ### Input fields The GUID of one of your Events API V2 integrations. This is the "Integration Key" listed on the Events API V2 integration's detail page. The perceived severity of the status the event is describing withrespect to the affected system. Allowed values: `critical`, `warning`, `error`, `info`. The unique location of the affected system, preferably a hostname or FQDN. A brief text summary of the event, used to generate the summaries/titles of any associated alerts. The class/type of the event. Default: `""`. Component of the source machine that is responsible for the event. Default: `""`. Logical grouping of components of a service. Default: `""`. Incident de-duplication key. Default: `null`. # Panther Source: https://docs.tracecat.com/tools/panther Reference for the Tracecat Panther integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Bulk update Panther alerts Action ID: `tools.panther.bulk_update_alerts` Update multiple Panther alerts at once. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields List of alert IDs to update. Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). User ID to assign the alerts to. Default: `null`. New status for the alerts. Default: `null`. ## Create Panther query Action ID: `tools.panther.create_query` Create a new saved query in Panther. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). Name of the saved query. SQL query to save. Must be valid SQL, not PantherFlow. Description of the query. Default: `null`. Schedule configuration for the query. Default: `null`. ## Delete Panther query Action ID: `tools.panther.delete_query` Delete a saved query from Panther. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). The unique identifier of the saved query. ## Execute Panther query Action ID: `tools.panther.execute_query` Execute a saved query in Panther. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). The unique identifier of the saved query. Parameters to pass to the query. Default: `null`. ## Get Panther alert Action ID: `tools.panther.get_alert` Get a single alert from Panther by ID. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields The unique identifier of the alert. Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). ## Get Panther query Action ID: `tools.panther.get_query` Get a saved query from Panther by ID. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). The unique identifier of the saved query. ## List Panther alerts Action ID: `tools.panther.list_alerts` List alerts from Panther with optional filters. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). Pagination cursor for next page. Default: `null`. Maximum number of alerts to return. Default: `null`. Filter by alert severity. Default: `null`. Filter by alert status. Default: `null`. ## List Panther queries Action ID: `tools.panther.list_queries` List saved queries from Panther. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). Pagination cursor for next page. Default: `null`. Maximum number of queries to return. Default: `null`. ## Update Panther alert Action ID: `tools.panther.update_alert` Update a Panther alert's status or assignee. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields The unique identifier of the alert. Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). User ID to assign the alert to. Default: `null`. New status for the alert. Default: `null`. ## Update Panther query Action ID: `tools.panther.update_query` Update a saved query in Panther. ### Secrets Required secrets: * `panther`: required values `PANTHER_API_KEY`. ### Input fields Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)). The unique identifier of the saved query. New description for the query. Default: `null`. New name for the query. Default: `null`. New schedule configuration for the query. Default: `null`. New SQL query. Must be valid SQL. Default: `null`. # PhishLabs Source: https://docs.tracecat.com/tools/phishlabs Reference for the Tracecat PhishLabs integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get case data Action ID: `tools.phishlabs.get_case_data` Get PhishLabs case API data. Reference: [https://caseapi.phishlabs.com/v1/data/docs/](https://caseapi.phishlabs.com/v1/data/docs/) ### Secrets Required secrets: * `phishlabs`: required values `PL_USERNAME`, `PL_PASSWORD`. ### Input fields Filter cases based on the case status. Default is "Pending Input". Default: `[ "Pending Input" ]`. Filter cases by case type. Default: `[]`. Maximum number of cases to return. Default is 100, minimum is 20, maximum is 200. Default: `100`. If False, disables SSL verification for internal networks. Default: `true`. ## Get feed data Action ID: `tools.phishlabs.get_feed_data` Get PhishLabs feed API data. Reference: [https://feed.phishlabs.com/redoc#operation/Feed\_GetBAFeed](https://feed.phishlabs.com/redoc#operation/Feed_GetBAFeed) ### Secrets Required secrets: * `phishlabs`: required values `PL_CUSTOMER_ID`, `PL_USERNAME`, `PL_PASSWORD`. ### Input fields The start date of date range (date and time). eg. 2023-01-01 10:00. Default: `null`. Include the integer that maps to the type of incident you want returned. Default is 0. Default: `0`. The status of the incident as it appears in the Web App. Default is "Requires Input". Default: `"Requires Input"`. The end date of date range (date and time). eg. 2023-01-07 10:00. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Get threat intel data Action ID: `tools.phishlabs.get_threat_data` Get PhishLabs Threat Intel API data. Reference: [https://threatintel.phishlabs.com/redoc/incidentexternalapi](https://threatintel.phishlabs.com/redoc/incidentexternalapi) ### Secrets Required secrets: * `phishlabs`: required values `PL_CLIENT_ID`, `PL_CLIENT_SECRET`. ### Input fields The severity of incidents to be returned. 'Low', 'Medium', 'High' Default: `[]`. The status code(s) of the incident. Default: `[ "RequiresInput", "RequiresApproval" ]`. The type of Incident to be returned. 'SocialMedia' or 'DarkWeb' Default: `null`. The number of records to return per page. Default: `200`. The type of Threats to be returned. Threat Types ending with "SM" are Social Media, "DW" are Dark Web. Default: `[]`. # PyMongo Source: https://docs.tracecat.com/tools/pymongo Reference for the Tracecat PyMongo integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Execute operation Action ID: `tools.pymongo.execute_operation` Instantiate a PyMongo client and execute an operation on a Collection object. Reference: [https://pymongo.readthedocs.io/en/stable/api/pymongo/asynchronous/collection.html](https://pymongo.readthedocs.io/en/stable/api/pymongo/asynchronous/collection.html) ### Secrets Required secrets: * `mongodb`: required values `MONGODB_CONNECTION_STRING`. ### Input fields Collection to operate on Database to operate on Operation to perform on the Collection, e.g. 'find', 'insert\_one'. Parameters for the operation Default: `null`. # Rootly Source: https://docs.tracecat.com/tools/rootly Reference for the Tracecat Rootly integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create alert Action ID: `tools.rootly.create_alert` Creates a new alert from provided data. Reference: [https://docs.rootly.com/api-reference/alerts/creates-an-alert](https://docs.rootly.com/api-reference/alerts/creates-an-alert) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields Alert data attributes Default: `null`. ## Create incident Action ID: `tools.rootly.create_incident` Creates a new incident from provided data. Reference: [https://docs.rootly.com/api-reference/incidents/creates-an-incident](https://docs.rootly.com/api-reference/incidents/creates-an-incident) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields Incident data attributes Default: `null`. ## Get alert Action ID: `tools.rootly.get_alert` Retrieves a specific alert by id. Reference: [https://docs.rootly.com/api-reference/alerts/retrieves-an-alert](https://docs.rootly.com/api-reference/alerts/retrieves-an-alert) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields The ID of the alert. Include additional data. Comma separated if needed (e.g. environments,services,groups) Default: `null`. ## Get incident Action ID: `tools.rootly.get_incident` Retrieves a specific incident by id. Reference: [https://docs.rootly.com/api-reference/incidents/retrieves-an-incident](https://docs.rootly.com/api-reference/incidents/retrieves-an-incident) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields The ID of the incident. Include additional data. Comma separated if needed (e.g. sub\_statuses,causes,subscribers) Default: `null`. ## List alerts Action ID: `tools.rootly.list_alerts` List alerts. Reference: [https://docs.rootly.com/api-reference/alerts/list-alerts](https://docs.rootly.com/api-reference/alerts/list-alerts) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields Include additional data. Comma separated if needed (e.g. environments,services,groups) Default: `null`. Page number. Default: `null`. Page size. Default: `null`. Filter by status (e.g. triggered, acknowledged, resolved) Default: `null`. ## List incidents Action ID: `tools.rootly.list_incidents` List incidents. Reference: [https://docs.rootly.com/api-reference/incidents/list-incidents](https://docs.rootly.com/api-reference/incidents/list-incidents) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields Include additional data. Comma separated if needed (e.g. sub\_statuses,causes,subscribers) Default: `null`. Page number. Default: `null`. Page size. Default: `null`. Filter by severity (e.g. not-sure-yet, sev4-minor-issue) Default: `null`. Filter by status (e.g. started, mitigated, resolved) Default: `null`. ## List incidents alerts Action ID: `tools.rootly.list_incident_alerts` List incidents alerts. Reference: [https://docs.rootly.com/api-reference/alerts/list-incident-alerts](https://docs.rootly.com/api-reference/alerts/list-incident-alerts) ### Secrets Required secrets: * `rootly`: required values `ROOTLY_API_KEY`. ### Input fields The ID of the incident. Include additional data. Comma separated if needed (e.g. environments,services,groups) Default: `null`. # RunReveal MCP Source: https://docs.tracecat.com/tools/runreveal Reference for the Tracecat RunReveal MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## RunReveal MCP Action ID: `tools.runreveal.mcp` Use AI to interact with RunReveal. Reference: [https://docs.runreveal.com/ai-chat/model-context-protocol](https://docs.runreveal.com/ai-chat/model-context-protocol) ### Secrets Required secrets: * `runreveal_mcp_oauth`: OAuth token `RUNREVEAL_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. # SentinelOne Source: https://docs.tracecat.com/tools/sentinel_one Reference for the Tracecat SentinelOne integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Abort scan Action ID: `tools.sentinel_one.abort_scan` Abort a running scan on SentinelOne agents. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent/device to abort scan on. SentinelOne tenant URL. Default: `null`. ## Disable agent Action ID: `tools.sentinel_one.disable_agent` Disable a SentinelOne agent. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent to disable. SentinelOne tenant URL. Default: `null`. Whether the agent should reboot after disabling. Default: `false`. ## Enable agent Action ID: `tools.sentinel_one.enable_agent` Enable a SentinelOne agent. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent to enable. SentinelOne tenant URL. Default: `null`. Whether the agent should reboot after enabling. Default: `false`. ## Initiate scan Action ID: `tools.sentinel_one.initiate_scan` Initiate a scan on SentinelOne agents. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the agent/device to scan. SentinelOne tenant URL. Default: `null`. ## Isolate endpoint Action ID: `tools.sentinel_one.disconnect_device` Disconnect a SentinelOne agent from the network. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the endpoint/agent to disconnect. SentinelOne tenant URL. Default: `null`. ## List agent IDs Action ID: `tools.sentinel_one.list_agent_ids` Get a simple list of SentinelOne agent IDs. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `1000`. ## List alerts Action ID: `tools.sentinel_one.list_alerts` Query for SentinelOne alerts. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields End time for the query (exclusive). Start time for the query (inclusive). SentinelOne tenant URL. Default: `null`. Maximum number of alerts to return. Default: `100`. SentinelOne search query. Default: `null`. ## List threats Action ID: `tools.sentinel_one.list_threats` Query for SentinelOne threats. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields End time for the query (exclusive). Start time for the query (inclusive). SentinelOne tenant URL. Default: `null`. Maximum number of alerts to return. Default: `100`. SentinelOne search query. Default: `null`. ## Lookup agents by account ID Action ID: `tools.sentinel_one.lookup_agent_account_id` Find all SentinelOne agents in a specific account. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Account ID to filter agents by. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by email Action ID: `tools.sentinel_one.lookup_agent_email` Find all SentinelOne agents associated with a user email address. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Email address to search for in agent user fields. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by file hash Action ID: `tools.sentinel_one.lookup_agent_hash` Find all SentinelOne agents that have encountered threats with a specific file hash. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields File hash (MD5, SHA1, SHA256) to search for in agent threats. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by group ID Action ID: `tools.sentinel_one.lookup_agent_groupid` Find all SentinelOne agents in a specific group. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Group ID to filter agents by. SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by hostname Action ID: `tools.sentinel_one.lookup_agent_hostname` Find all SentinelOne agents by hostname/computer name. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Hostname/computer name to search for (supports partial matches). SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by IP address Action ID: `tools.sentinel_one.lookup_agent_ip` Find all SentinelOne agents by IP address (external IP, network interface, or gateway). Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields IP address to search for (supports partial matches). SentinelOne tenant URL. Default: `null`. The maximum number of agents to return. Default: `100`. ## Lookup agents by MAC address Action ID: `tools.sentinel_one.lookup_agent_mac_address` Find all SentinelOne agents by MAC address (network interface physical address or gateway MAC). Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields MAC address to search for (supports partial matches, e.g., "aa:0f" or "41:") SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net)) Default: `null`. Maximum number of agents to return (1-1000) Default: `100`. Whether to also search gateway MAC addresses Default: `false`. ## Lookup agents by machine type Action ID: `tools.sentinel_one.lookup_agent_machine_type` Find all SentinelOne agents filtered by machine type (laptop, desktop, server, etc.). Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields Machine types to include (e.g., laptop, desktop, server) SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net)) Default: `null`. Machine types to exclude (optional) Default: `[]`. Maximum number of agents to return (1-1000) Default: `100`. ## Lookup agents by operating system Action ID: `tools.sentinel_one.lookup_agent_os` Find all SentinelOne agents filtered by operating system type, name, revision, and version information. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields OS types to include (e.g., windows, linux, macos, windows\_legacy) SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net)) Default: `null`. Maximum number of agents to return (1-1000) Default: `100`. Free-text filter by OS full name (optional) Default: `""`. OS revision filter (optional) Default: `""`. Free-text filter by OS full name and version (supports multiple values) Default: `[]`. ## Unisolate endpoint Action ID: `tools.sentinel_one.connect_to_network` Connect a SentinelOne agent to the network. Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp) ### Secrets Required secrets: * `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`. ### Input fields ID of the endpoint/agent to connect. SentinelOne tenant URL. Default: `null`. # Sentry MCP Source: https://docs.tracecat.com/tools/sentry Reference for the Tracecat Sentry MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Sentry MCP Action ID: `tools.sentry.mcp` Use AI to interact with Sentry. Reference: [https://docs.sentry.io/ai/mcp/](https://docs.sentry.io/ai/mcp/) ### Secrets Required secrets: * `sentry_mcp_oauth`: OAuth token `SENTRY_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. # ServiceNow Source: https://docs.tracecat.com/tools/servicenow Reference for the Tracecat ServiceNow integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create ServiceNow record Action ID: `tools.servicenow.create_record` Create a record in a ServiceNow table. Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html) ### Secrets Required secrets: * `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`. ### Input fields Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now). JSON payload for the new record. ServiceNow table name, e.g. 'incident', 'sys\_user'. Optional query parameters such as sysparm\_display\_value. Default: `null`. ## Delete ServiceNow record Action ID: `tools.servicenow.delete_record` Delete a ServiceNow table record by sys\_id. Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html) ### Secrets Required secrets: * `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`. ### Input fields Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now). Unique record identifier (sys\_id). ServiceNow table name, e.g. 'incident', 'sys\_user'. Optional query parameters such as sysparm\_display\_value. Default: `null`. ## Get ServiceNow record Action ID: `tools.servicenow.get_record` Retrieve a record from a ServiceNow table by sys\_id. Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html) ### Secrets Required secrets: * `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`. ### Input fields Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now). Unique record identifier (sys\_id). ServiceNow table name, e.g. 'incident', 'sys\_user'. Optional query parameters such as sysparm\_fields or sysparm\_display\_value. Default: `null`. ## Query ServiceNow records Action ID: `tools.servicenow.query_records` Query a ServiceNow table with optional filters. Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html) ### Secrets Required secrets: * `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`. ### Input fields Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now). ServiceNow table name, e.g. 'incident', 'sys\_user'. Optional query parameters such as sysparm\_query, sysparm\_fields, or sysparm\_limit. Default: `null`. ## Update ServiceNow record Action ID: `tools.servicenow.update_record` Update fields on a ServiceNow table record. Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html) ### Secrets Required secrets: * `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`. ### Input fields Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now). Fields to update on the record. Unique record identifier (sys\_id). ServiceNow table name, e.g. 'incident', 'sys\_user'. Optional query parameters such as sysparm\_display\_value. Default: `null`. # Slack Source: https://docs.tracecat.com/tools/slack Reference for the Tracecat Slack integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add reaction Action ID: `tools.slack.add_reaction` Add a reaction to a message in a Slack channel. Reference: [https://docs.slack.dev/reference/methods/reactions.add/](https://docs.slack.dev/reference/methods/reactions.add/) ### Input fields ID of the channel to add the reaction to. Name of the reaction to add. Timestamp of the message to add the reaction to. ## Append stream Action ID: `tools.slack.append_stream` Append text or chunks to an existing Slack streaming message. Reference: [https://docs.slack.dev/reference/methods/chat.appendStream/](https://docs.slack.dev/reference/methods/chat.appendStream/) ### Input fields ID of the channel containing the streaming message. Timestamp of the streaming message. Streaming chunks, such as markdown\_text, task\_update, plan\_update, or blocks chunks. Default: `null`. Markdown-formatted text to append to the stream. Default: `null`. ## Archive channel Action ID: `tools.slack.archive_channel` Archive a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.archive/](https://docs.slack.dev/reference/methods/conversations.archive/) ### Input fields ID of the channel to archive. ## Assistant search context Action ID: `tools.slack.assistant_search_context` Search Slack messages, files, channels, and users for AI assistant context. Reference: [https://docs.slack.dev/reference/methods/assistant.search.context/](https://docs.slack.dev/reference/methods/assistant.search.context/) ### Input fields Action token from a Slack assistant message event. User prompt or search query. UNIX timestamp filter for results after this time. Default: `null`. UNIX timestamp filter for results before this time. Default: `null`. Slack channel types to search. Default: `[ "public_channel" ]`. Slack content types to include in search results. Default: `[ "messages" ]`. Context channel ID to scope the search when applicable. Default: `null`. Cursor returned by Slack for the next page of results. Default: `null`. Whether to disable semantic search and use keyword search only. Default: `false`. Whether to highlight the search query in results. Default: `false`. Whether to include archived channels in search results. Default: `false`. Whether to include bot-authored results. Default: `false`. Whether to include context messages around message results. Default: `false`. Whether to include deleted users in user search results. Default: `false`. Whether to include message blocks in the response. Default: `false`. Number of results to return, up to a maximum of 20. Default: `20`. Slack search modifiers, such as has:pin before:yesterday. Default: `null`. Field to sort results by. Supported values are score and timestamp. Default: `"score"`. Direction to sort results by. Supported values are asc and desc. Default: `"desc"`. Term clauses that every returned search result should match. Default: `[]`. ## Assistant search info Action ID: `tools.slack.assistant_search_info` Return Slack assistant search capabilities for the workspace. Reference: [https://docs.slack.dev/reference/methods/assistant.search.info/](https://docs.slack.dev/reference/methods/assistant.search.info/) ### Input fields This action does not take input fields. ## Create channel Action ID: `tools.slack.create_channel` Create a new Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.create/](https://docs.slack.dev/reference/methods/conversations.create/) ### Input fields Name of the channel to create. Whether the channel is private. Default: `false`. ## Delete message Action ID: `tools.slack.delete_message` Delete a message from a Slack channel. Reference: [https://docs.slack.dev/reference/methods/chat.delete/](https://docs.slack.dev/reference/methods/chat.delete/) ### Input fields ID of the channel to delete the message from. Timestamp of the message to delete. ## Get reactions Action ID: `tools.slack.get_reactions` Get reactions to a message. Reference: [https://docs.slack.dev/reference/methods/reactions.get/](https://docs.slack.dev/reference/methods/reactions.get/) ### Input fields The channel to get reactions from. The timestamp of the message to get reactions from. ## Get user profile Action ID: `tools.slack.get_profile` Get a user's profile. Reference: [https://docs.slack.dev/reference/methods/users.profile.get/](https://docs.slack.dev/reference/methods/users.profile.get/) ### Input fields ID of the user to get the profile of. ## Invite members to channel Action ID: `tools.slack.invite_members` Invite members to a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.invite/](https://docs.slack.dev/reference/methods/conversations.invite/) ### Input fields ID of the channel to invite members to. List of user IDs to invite to the channel. ## Kick member Action ID: `tools.slack.kick_member` Kick a member from a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.kick/](https://docs.slack.dev/reference/methods/conversations.kick/) ### Input fields ID of the channel to kick members from. ID of the user to kick from the channel. ## List channels Action ID: `tools.slack.list_channels` List all channels. Reference: [https://docs.slack.dev/reference/methods/conversations.list/](https://docs.slack.dev/reference/methods/conversations.list/) ### Input fields Whether to exclude archived channels from the list. Default: `false`. Maximum number of channels to return. Default: `100`. Types of channels to return. Default: `[ "public_channel", "private_channel" ]`. ## List conversation replies Action ID: `tools.slack.list_replies` List replies to a conversation in a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.replies/](https://docs.slack.dev/reference/methods/conversations.replies/) ### Input fields ID of the channel to list replies from. Timestamp of the thread's parent message or message in the thread to list replies from. Also known as `thread_ts` in some Slack responses. ## List members Action ID: `tools.slack.list_members` List members of a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.members/](https://docs.slack.dev/reference/methods/conversations.members/) ### Input fields ID of the channel to list members of. Maximum number of members to return. Default: `100`. ## List messages Action ID: `tools.slack.list_messages` List messages from a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.history/](https://docs.slack.dev/reference/methods/conversations.history/) ### Input fields ID of the channel to list messages from. Unix timestamp of the latest message to return. Default: `null`. Maximum number of messages to return. Default: `100`. Unix timestamp of the oldest message to return. Default: `null`. ## List users Action ID: `tools.slack.list_users` List users in a Slack workspace. Reference: [https://docs.slack.dev/reference/methods/users.list/](https://docs.slack.dev/reference/methods/users.list/) ### Input fields Whether to include the locale in the response. Default: `false`. The maximum number of users to return. Default: `100`. ## Lookup many users by email Action ID: `tools.slack.lookup_users_by_email` Lookup users by emails. Returns a list of users found and a list of users not found. Reference: [https://docs.slack.dev/reference/methods/users.lookupByEmail/](https://docs.slack.dev/reference/methods/users.lookupByEmail/) ### Secrets Required secrets: * `slack`: required values `SLACK_BOT_TOKEN`. ### Input fields List of user emails. ## Lookup user by email Action ID: `tools.slack.lookup_user_by_email` Get a Slack user by email. Reference: [https://docs.slack.dev/reference/methods/users.lookupByEmail/](https://docs.slack.dev/reference/methods/users.lookupByEmail/) ### Input fields Email of an existing user. ## Open view Action ID: `tools.slack.open_view` Open a view. Used to create a pop up modal. Reference: [https://docs.slack.dev/reference/methods/views.open/](https://docs.slack.dev/reference/methods/views.open/) ### Input fields Trigger ID from a Slack interaction payload. See: [https://docs.slack.dev/reference/interaction-payloads/block\_actions-payload/](https://docs.slack.dev/reference/interaction-payloads/block_actions-payload/) View payload for the modal to open. See: [https://docs.slack.dev/reference/views/modal-views/](https://docs.slack.dev/reference/views/modal-views/) ## Post ephemeral message Action ID: `tools.slack.post_ephemeral` Send an ephemeral Slack message to a user in a channel. Reference: [https://docs.slack.dev/reference/methods/chat.postEphemeral/](https://docs.slack.dev/reference/methods/chat.postEphemeral/) ### Input fields Channel, private group, or IM channel to send the ephemeral message to. ID of the user who will receive the ephemeral message. Legacy option to post the message as the authenticated user. Default: `null`. List of JSON-based attachments. Default: `null`. List of JSON-based blocks. Default: `null`. Emoji to use as the icon for this message. Default: `null`. URL to an image to use as the icon for this message. Default: `null`. Whether Slack should find and link channel names and usernames. Default: `false`. Markdown-formatted message text. Do not use with blocks or text. Default: `null`. How Slack should parse message text. Default: `null`. Message text. Used as fallback text when blocks are provided. Default: `null`. Parent message timestamp for posting the ephemeral message in a thread. Default: `null`. Bot username to display. Default: `null`. ## Post message Action ID: `tools.slack.post_message` Post a message to a Slack channel. Reference: [https://docs.slack.dev/reference/methods/chat.postMessage/](https://docs.slack.dev/reference/methods/chat.postMessage/) ### Input fields The channel to post the message to. List of JSON-based blocks. Default: `null`. The text to post to Slack, in Markdown format. Default: `null`. The message to post to Slack. Default: `null`. The timestamp of the thread to reply to. Default: `null`. Whether to unfurl links in the message. Default: `true`. Whether to unfurl media in the message. Default: `false`. ## Remove reaction Action ID: `tools.slack.remove_reaction` Remove a reaction from a message in a Slack channel. Reference: [https://docs.slack.dev/reference/methods/reactions.remove/](https://docs.slack.dev/reference/methods/reactions.remove/) ### Input fields ID of the channel to remove the reaction from. Name of the reaction to remove. Timestamp of the message to remove the reaction from. ## Revoke sessions Action ID: `tools.slack.revoke_sessions` Revoke all sessions on all devices for a Slack user. Reference: [https://docs.slack.dev/reference/methods/admin.users.session.reset/](https://docs.slack.dev/reference/methods/admin.users.session.reset/) ### Input fields ID of an existing user. ## Search messages Action ID: `tools.slack.search_messages` Search for messages matching a query in a Slack workspace. Reference: [https://docs.slack.dev/reference/methods/search.messages/](https://docs.slack.dev/reference/methods/search.messages/) ### Secrets Required secrets: * `slack_oauth`: OAuth token `SLACK_USER_TOKEN`. ### Input fields Search query. To search within a channel / specific user, add `in:channel_name` / `from:<@user_id>` to the query. Number of messages to return. Default: `20`. For the first call send '\*', for subsequent calls send the value of `next_cursor` from the previous call. Default: `null`. Sort by score or timestamp. Default: `"score"`. Allowed values: `score`, `timestamp`. ## Set assistant thread status Action ID: `tools.slack.set_assistant_thread_status` Set the status for a Slack AI assistant thread. Reference: [https://docs.slack.dev/reference/methods/assistant.threads.setStatus/](https://docs.slack.dev/reference/methods/assistant.threads.setStatus/) ### Input fields Channel ID containing the assistant thread. Status to display for the bot user. Use an empty string to clear it. Message timestamp of the assistant thread. Emoji to use as the icon for this message. Default: `null`. Image URL to use as the icon for this message. Default: `null`. Loading indicator messages to rotate through, up to 10 messages. Default: `[]`. Bot username to display. Default: `null`. ## Set assistant thread suggested prompts Action ID: `tools.slack.set_assistant_thread_suggested_prompts` Set suggested prompts for a Slack AI assistant thread. Reference: [https://docs.slack.dev/reference/methods/assistant.threads.setSuggestedPrompts/](https://docs.slack.dev/reference/methods/assistant.threads.setSuggestedPrompts/) ### Input fields Channel ID containing the assistant thread. Suggested prompts, each with title and message attributes. Message timestamp of the assistant thread. Optional title for the suggested prompts list. Default: `null`. ## Set assistant thread title Action ID: `tools.slack.set_assistant_thread_title` Set the title for a Slack AI assistant thread. Reference: [https://docs.slack.dev/reference/methods/assistant.threads.setTitle/](https://docs.slack.dev/reference/methods/assistant.threads.setTitle/) ### Input fields Channel ID containing the assistant thread. Message timestamp of the assistant thread. Title to use for the assistant thread. ## Set channel description Action ID: `tools.slack.set_channel_description` Set the description of a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.setPurpose/](https://docs.slack.dev/reference/methods/conversations.setPurpose/) ### Input fields The ID of the channel to set the description for. The description to set for the channel. ## Set channel topic Action ID: `tools.slack.set_channel_topic` Set the topic of a Slack channel. Reference: [https://docs.slack.dev/reference/methods/conversations.setTopic/](https://docs.slack.dev/reference/methods/conversations.setTopic/) ### Input fields The ID of the channel to set the topic for. The topic to set for the channel. ## Start stream Action ID: `tools.slack.start_stream` Start a new Slack streaming message in a thread. Reference: [https://docs.slack.dev/reference/methods/chat.startStream/](https://docs.slack.dev/reference/methods/chat.startStream/) ### Input fields ID of the channel, private group, or DM for the stream. Parent message timestamp to reply to with the stream. Initial streaming chunks, such as markdown\_text, task\_update, plan\_update, or blocks chunks. Default: `null`. Emoji to use as the icon for this message. Default: `null`. URL to an image to use as the icon for this message. Default: `null`. Initial markdown-formatted text for the stream. Default: `null`. ID of the recipient user's team. Required by Slack when streaming to channels. Default: `null`. ID of the user receiving the stream. Required by Slack when streaming to channels. Default: `null`. How task chunks are displayed. Accepts timeline, plan, or dense. Default: `null`. Bot username to display. Default: `null`. ## Stop stream Action ID: `tools.slack.stop_stream` Stop and finalize a Slack streaming message. Reference: [https://docs.slack.dev/reference/methods/chat.stopStream/](https://docs.slack.dev/reference/methods/chat.stopStream/) ### Input fields ID of the channel containing the streaming message. Timestamp of the streaming message. Blocks rendered at the bottom of the finalized message. Default: `null`. Final streaming chunks, such as markdown\_text, task\_update, plan\_update, or blocks chunks. Default: `null`. Final markdown-formatted text to append before stopping the stream. Default: `null`. Slack message metadata with event\_type and event\_payload fields. Default: `null`. ## Update message Action ID: `tools.slack.update_message` Update a message in a Slack channel. Reference: [https://docs.slack.dev/reference/methods/chat.update/](https://docs.slack.dev/reference/methods/chat.update/) ### Input fields ID of the channel to update the message in. Timestamp of the message to update. List of JSON-based blocks. Default: `null`. The text to update the message with, in Markdown format. Default: `null`. New text for the message. Default: `null`. ## Update view Action ID: `tools.slack.update_view` Update a view. Used to update a pop up modal. Reference: [https://docs.slack.dev/reference/methods/views.update/](https://docs.slack.dev/reference/methods/views.update/) ### Input fields Updated view payload for the modal. See: [https://docs.slack.dev/reference/views/modal-views/](https://docs.slack.dev/reference/views/modal-views/) ID of the view to update. # Slack SDK Source: https://docs.tracecat.com/tools/slack_sdk Reference for the Tracecat Slack SDK integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Call method Action ID: `tools.slack_sdk.call_method` Instantiate a Slack client and call a Slack SDK or Web API method. Reference: [https://docs.slack.dev/reference/methods](https://docs.slack.dev/reference/methods) ### Secrets Required secrets: * `slack`: required values `SLACK_BOT_TOKEN`. ### Input fields Slack Python SDK method name or Web API method name (e.g. `chat_postMessage` or `chat.postMessage`) Slack Python SDK method parameters Default: `null`. ## Call paginated method Action ID: `tools.slack_sdk.call_paginated_method` Instantiate a Slack client and call a paginated Slack SDK method. Reference: [https://docs.slack.dev/apis/web-api/pagination#methods](https://docs.slack.dev/apis/web-api/pagination#methods) ### Secrets Required secrets: * `slack`: required values `SLACK_BOT_TOKEN`. ### Input fields Slack Python SDK method name that supports cursor pagination (e.g. `conversations_history`) Key to extract from the response. Default: `null`. Maximum number of items to retrieve. Must be less than 1000 Default: `200`. Slack Python SDK method parameters Default: `null`. ## Post response Action ID: `tools.slack_sdk.post_response` Post messsage back to Slack interaction via `response_url`. Reference: [https://docs.slack.dev/interactivity/handling-user-interaction#message\_responses](https://docs.slack.dev/interactivity/handling-user-interaction#message_responses) ### Input fields Webhook URL. Blocks to send to the webhook. Default: `null`. Whether to replace the original message. Default: `false`. Response type. Defaults to `ephemeral`. Default: `"ephemeral"`. Allowed values: `in_channel`, `ephemeral`. Text to send to the webhook. Default: `null`. Thread timestamp. If None, defaults to the current timestamp. Default: `null`. # Splunk Source: https://docs.tracecat.com/tools/splunk Reference for the Tracecat Splunk integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Add fields to collection Action ID: `tools.splunk.add_kv_fields` Add field definitions to a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to add fields to. Must be unique and contain only alphanumeric characters, underscores, and hyphens. List of field definitions to add. Each field requires name and type. Supported types: array, number, bool, string, cidr, time Example: \[\{"name": "username", "type": "string"}, \{"name": "age", "type": "number"}] Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Batch save KV entries Action ID: `tools.splunk.batch_save_kv_entries` Insert or update multiple entries in a Splunk KV Store collection in a single request. If an entry includes a \_key that matches an existing document, it is updated; otherwise a new document is created. Processing stops on the first failure. Reference: [https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16](https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to save entries into. List of documents to save. Each document is a dict of field-value pairs. Include a \_key field to update an existing document; omit it to create a new one (Splunk auto-generates the key). Maximum 1000 documents per request (Splunk default). Example: \[\{"username": "john", "email": "[john@example.com](mailto:john@example.com)", "active": true}, \{"username": "jane", "email": "[jane@example.com](mailto:jane@example.com)", "active": false}] Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Create KV collection Action ID: `tools.splunk.create_kv_collection` Create a new KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection. Must be unique and contain only alphanumeric characters, underscores, and hyphens. Splunk app context where the collection will be created (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Create KV entry Action ID: `tools.splunk.create_kv_entry` Create a new entry in a Splunk KV Store collection. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection where the entry will be created. Key-value pairs to store in the collection. The \_key field is automatically generated by Splunk if not provided. Example: \{"username": "john", "email": "[john@example.com](mailto:john@example.com)", "active": true} Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Delete KV collection Action ID: `tools.splunk.delete_kv_collection` Delete a KV Store collection from Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to delete. Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Delete KV entry Action ID: `tools.splunk.delete_kv_entry` Delete an entry from a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection containing the entry. The \_key value of the entry to delete from the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e" Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Discover fields Action ID: `tools.splunk.discover_fields` Discover fields in Splunk data using the fieldsummary command with statistics and sample values. Reference: [https://help.splunk.com/en?resourceId=Splunk\_SearchReference\_Fieldsummary\&version=splunk-9\_4](https://help.splunk.com/en?resourceId=Splunk_SearchReference_Fieldsummary\&version=splunk-9_4) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields End time for the search. Start time for the search. Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Index to search for fields. Use \* for all indexes. Default: `"*"`. Maximum number of fields to return. Default: `100`. Maximum number of sample values to return per field. Default: `5`. Whether to verify SSL certificates. Default: `true`. ## Get KV collection Action ID: `tools.splunk.get_kv_collection` Get configuration details for a specific KV Store collection from Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to retrieve. Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Get KV entry Action ID: `tools.splunk.get_kv_entry` Get a specific entry from a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection containing the entry. The \_key value of the entry to retrieve from the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e" Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## List data models Action ID: `tools.splunk.list_data_models` List all data models on the Splunk server using native Splunk search. ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## List field extractions Action ID: `tools.splunk.list_field_extractions` List all configured field extraction rules using a simple Splunk query. ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## List indexes Action ID: `tools.splunk.list_indexes` List all indexes on the Splunk server using native Splunk search. ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## List KV collections Action ID: `tools.splunk.list_kv_collections` List all KV Store collections in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Splunk app context to list collections from (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Maximum number of collections to return. Default: `100`. Number of collections to skip for pagination. Default: `0`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Search query to filter collections. Example: "name=*whitelist*" to find collections with "whitelist" in the name. Default: `""`. Field to sort results by. Default: `"_key"`. How to sort values ("auto", "num", "alpha\_case", or "alpha"). Default: `"auto"`. Sort order ("asc" or "desc"). Default: `"asc"`. Return summarized response with fewer details for faster response. Default: `false`. Whether to verify SSL certificates. Default: `true`. ## List KV entries Action ID: `tools.splunk.list_kv_entries` List entries in a KV Store collection from Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to list entries from. Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Maximum number of entries to return. Default: `100`. Number of entries to skip for pagination. Default: `0`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. MongoDB-style query to filter entries. Supported operators: * Conditional: $gt, $gte, $lt, $lte, \$ne * Regex: \$regex * Logical: $and, $or, \$not Examples: * \{"title": "Item"} - Find entries where title equals "Item" * \{"price": \{"\$gt": 5}} - Find entries where price > 5 * \{"ip": \{"\$regex": "192.168.1.\*"}} - Find entries matching IP pattern Default: `{}`. Include entries from both specified owner and "nobody" user. Default: `false`. Number of items to skip from the start (alternative to offset). Default: `0`. Field to sort entries by. Default: `"_key"`. Whether to verify SSL certificates. Default: `true`. ## List sourcetypes Action ID: `tools.splunk.list_sourcetypes` List all defined sourcetypes on the Splunk server. Reference: [https://help.splunk.com/en?resourceId=Splunk\_RESTREF\_RESTsearch\&version=splunk-9\_4](https://help.splunk.com/en?resourceId=Splunk_RESTREF_RESTsearch\&version=splunk-9_4) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## Search events Action ID: `tools.splunk.search_events` Search events from Splunk. Reference: [https://help.splunk.com/en?resourceId=Splunk\_RESTREF\_RESTsearch\&version=splunk-9\_4#search.2Fjobs](https://help.splunk.com/en?resourceId=Splunk_RESTREF_RESTsearch\&version=splunk-9_4#search.2Fjobs) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields End time for the search. Maximum number of events to return. Splunk (Splunk Query Language) search query. You MUST start the query with `search`, e.g. `search index=main | head 10` Start time for the search. Adhoc search level. Default: `"fast"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)). Default: `null`. Whether to verify SSL certificates. Default: `true`. ## Submit HEC event Action ID: `tools.splunk.submit_hec_event` Submit an event to Splunk using the HTTP Event Collector (HEC). Uses HEC token authentication. Reference: [https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector](https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector) ### Secrets Required secrets: * `splunk_hec`: required values `SPLUNK_HEC_TOKEN`. ### Input fields Event data to send to Splunk. Can contain any key-value pairs. Example: \{"action": "login", "username": "john", "ip": "192.168.1.100"} Splunk HEC endpoint URL (e.g. [https://localhost:8088](https://localhost:8088) or [https://tracecat.splunkcloud.com:8088](https://tracecat.splunkcloud.com:8088)). Default: `null`. Host field value for the event. Default: `"tracecat.com"`. Splunk index to send the event to. If not specified, uses the default index configured for the HEC token. Default: `null`. Event source identifier (e.g. application name, script name). Default: `"tracecat_workflow"`. Event source type for categorization and parsing rules. Default: `"tracecat_log"`. Whether to verify SSL certificates. Default: `true`. ## Update KV entry Action ID: `tools.splunk.update_kv_entry` Update an existing entry in a KV Store collection in Splunk. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection containing the entry. The \_key value of the entry to update in the collection. Example: "5f3a1b2c3d4e5f6a7b8c9d0e" Fields to update in the entry. Only specified fields will be updated. Example: \{"status": "completed", "updated\_at": "2024-01-15"} Splunk app context where the collection resides (e.g. "search" for default). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)). Default: `null`. Splunk namespace owner for access control (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates. Default: `true`. ## Upload CSV to KV Collection Action ID: `tools.splunk.upload_csv_to_kv_collection` Download a CSV file and upload its rows to a Splunk KV Store collection with create, append, or override modes. Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions) ### Secrets Required secrets: * `splunk`: required values `SPLUNK_API_KEY`. ### Input fields Name of the KV Store collection to target. URL pointing to the CSV file to ingest. Splunk app context (e.g. search). Default: `"search"`. Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://example.splunkcloud.com:8089](https://example.splunkcloud.com:8089)). If not provided, falls back to the workspace variable `splunk.base_url`. Default: `null`. Number of CSV rows to send per request. Lower this if you hit payload limits. Default: `500`. Optional HTTP headers for downloading the CSV (e.g. Authorization). Default: `null`. create: new collection, error if it exists. append: add to existing collection, error if missing. override: replace existing collection if present. Default: `"create"`. Allowed values: `create`, `append`, `override`. Splunk namespace owner (use "nobody" for shared access). Default: `"nobody"`. Whether to verify SSL certificates when downloading and uploading. Default: `true`. # Sublime Source: https://docs.tracecat.com/tools/sublime Reference for the Tracecat Sublime integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Analyze EML Action ID: `tools.sublime.analyze_eml` Analyze an EML message against active detection rules and ML attack score in Sublime. Reference: [https://docs.sublime.security/reference/analyzemessage](https://docs.sublime.security/reference/analyzemessage) ### Secrets Required secrets: * `sublime`: required values `SUBLIME_API_KEY`. ### Input fields Base64-encoded EML file. Base URL of the Sublime API. Default: `null`. ## Analyze URL Action ID: `tools.sublime.analyze_url` Analyze a URL with ML link analysis in Sublime. Reference: [https://docs.sublime.security/docs/enrichment-functions#mllink\_analysis](https://docs.sublime.security/docs/enrichment-functions#mllink_analysis) ### Secrets Required secrets: * `sublime`: required values `SUBLIME_API_KEY`. ### Input fields URL to analyze. Base URL of the Sublime API. Default: `null`. ## Attack score for EML Action ID: `tools.sublime.score_eml` Evaluate attack score of an EML message using the Sublime API. Reference: [https://docs.sublime.security/reference/attackscoreforrawmessage](https://docs.sublime.security/reference/attackscoreforrawmessage) ### Secrets Required secrets: * `sublime`: required values `SUBLIME_API_KEY`. ### Input fields Base64-encoded EML file. Base URL of the Sublime API. Default: `"https://platform.sublime.security"`. ## Scan file with BinExplode Action ID: `tools.sublime.scan_file` Scan a file with BinExplode. Returns Reference: [https://docs.sublime.security/reference/postscan-1](https://docs.sublime.security/reference/postscan-1) ### Secrets Required secrets: * `sublime`: required values `SUBLIME_API_KEY`. ### Input fields Base64-encoded file. Name of the file. Base URL of the Sublime API. Default: `null`. # Tavily Source: https://docs.tracecat.com/tools/tavily Reference for the Tracecat Tavily integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Search the web Action ID: `tools.tavily.web_search` Search the web with Tavily for a given search query. Reference: [https://docs.tavily.com/documentation/api-reference/endpoint/search](https://docs.tavily.com/documentation/api-reference/endpoint/search) ### Secrets Required secrets: * `tavily`: required values `TAVILY_API_KEY`. ### Input fields Search query to execute with Tavily. Depth of the search. Allowed values: `basic`, `advanced`. Time range back from the current date to filter results. Allowed values: `day`, `week`, `month`, `year`. Category of the search. Allowed values: `general`, `news`. # Tenable Security Center Source: https://docs.tracecat.com/tools/tenable_sc Reference for the Tracecat Tenable Security Center integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Create active scan Action ID: `tools.tenable_sc.create_active_scan` Create a Tenable Security Center scan using an existing policy and set of assets or targets. Reference: [https://docs.tenable.com/security-center/api/Scan.htm](https://docs.tenable.com/security-center/api/Scan.htm) ### Secrets Required secrets: * `tenable_sc`: required values `TENABLE_SC_ACCESS_KEY`, `TENABLE_SC_SECRET_KEY`. ### Input fields Name of the scan to create. Repository ID targeted by the scan. Asset object IDs that the scan should target. Default: `[]`. Tenable Security Center base URL (e.g. [https://security-center.example.com](https://security-center.example.com)). Default: `null`. Credential objects to use for authenticated scanning. Default: `[]`. Optional scan description shown in Tenable Security Center. Default: `null`. Comma-separated list of additional targets/IP ranges. Default: `null`. Policy ID to associate with the scan (required for policy scans). Default: `null`. Scan type (e.g. policy, discovery, agent). Default: `"policy"`. Whether to verify TLS certificates when calling the API. Default: `true`. ## Run analysis query Action ID: `tools.tenable_sc.run_analysis_query` Execute a Tenable Security Center analysis query (e.g. vuln details for a scan). Reference: [https://docs.tenable.com/security-center/api/Analysis.htm](https://docs.tenable.com/security-center/api/Analysis.htm) ### Secrets Required secrets: * `tenable_sc`: required values `TENABLE_SC_ACCESS_KEY`, `TENABLE_SC_SECRET_KEY`. ### Input fields ID of the scan whose results the query should evaluate. Analysis type to pass to the Analysis API. Default: `"vuln"`. Tenable Security Center base URL (e.g. [https://security-center.example.com](https://security-center.example.com)). Default: `null`. Ending offset for pagination. Default: `100`. Tenable Security Center analysis query block (tool, type, filters, etc.). Default: `{ "tool": "vulndetails", "type": "vuln" }`. Sort direction for the results. Default: `"desc"`. Field to sort results by. Default: `"severity"`. Result source type (e.g. individual, cumulative, lce). Default: `"individual"`. Starting offset for pagination. Default: `0`. Whether to verify TLS certificates when calling the API. Default: `true`. View applied to the result set (e.g. all, exploitable, accepted). Default: `"all"`. # Terraform Cloud Source: https://docs.tracecat.com/tools/terraform Reference for the Tracecat Terraform Cloud integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Apply run Action ID: `tools.terraform.apply_run` Apply a planned Terraform Cloud run to execute infrastructure changes. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the run to apply. Optional comment explaining why the run is being applied. Default: `null`. ## Create workspace variable Action ID: `tools.terraform.create_workspace_variable` Create a new variable in a Terraform Cloud workspace. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The name of the variable. The value of the variable. The ID of the workspace to create the variable in. Whether this is a Terraform variable or environment variable. Default: `"terraform"`. Allowed values: `terraform`, `env`. Whether the value is in HCL format. Default: `false`. Whether the value is sensitive and should be hidden in the UI. Default: `false`. ## Get run details Action ID: `tools.terraform.get_run_details` Get details for a specific Terraform Cloud run. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the run to get details for. ## Get workspace details Action ID: `tools.terraform.get_workspace_details` Get details for a workspace by ID or by organization and workspace name. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The organization name. Required if workspace\_id is not provided. Default: `null`. The workspace ID. If provided, organization and workspace\_name are ignored. Default: `null`. The workspace name. Required if workspace\_id is not provided. Default: `null`. ## List projects Action ID: `tools.terraform.list_projects` List all projects in a Terraform Cloud organization. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/projects](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/projects) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The name of the Terraform Cloud organization. The page number to return. Default: `1`. The number of projects to return per page. Default: `20`. ## List runs Action ID: `tools.terraform.list_runs` List all runs for a Terraform Cloud workspace. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the workspace to list runs for. The page number to return. Default: `1`. The number of runs to return per page. Default: `20`. ## List workspace variables Action ID: `tools.terraform.list_workspace_variables` List all variables configured for a Terraform Cloud workspace. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the workspace to list variables for. ## List workspaces Action ID: `tools.terraform.list_workspaces` List all workspaces in a Terraform Cloud organization, optionally filtered by project. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The name of the Terraform Cloud organization. The page number to return. Default: `1`. The number of workspaces to return per page. Default: `20`. Optional project ID to filter workspaces by project. Default: `null`. ## Plan run Action ID: `tools.terraform.plan_run` Create a plan-only run in Terraform Cloud to preview infrastructure changes. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the workspace to create the plan run for. Optional message to describe the purpose of the run. Default: `null`. ## Refresh state Action ID: `tools.terraform.refresh_state` Create a refresh-only run to update Terraform state with real infrastructure. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the workspace to refresh state for. Optional message to describe the purpose of the refresh. Default: `null`. ## Update workspace variable Action ID: `tools.terraform.update_workspace_variable` Update an existing variable in a Terraform Cloud workspace. Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables) ### Secrets Required secrets: * `terraform`: required values `TERRAFORM_API_TOKEN`. ### Input fields The ID of the variable to update. The ID of the workspace containing the variable. Whether the value is in HCL format. Default: `null`. The name of the variable. Only required if changing the key. Default: `null`. Whether the value is sensitive. Default: `null`. The value of the variable. Only required if changing the value. Default: `null`. # Anomali ThreatStream Source: https://docs.tracecat.com/tools/threatstream Reference for the Tracecat Anomali ThreatStream integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup domain Action ID: `tools.threatstream.lookup_domain` Search Anomali ThreatStream for reputation of a domain. ### Secrets Required secrets: * `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`. ### Input fields Domain to lookup. ## Lookup email Action ID: `tools.threatstream.lookup_email` Search Anomali ThreatStream for reputation of an email address. ### Secrets Required secrets: * `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`. ### Input fields Email address to lookup. ## Lookup File Hash Action ID: `tools.threatstream.lookup_file_hash` Search Anomali ThreatStream for reputation of a file hash. ### Secrets Required secrets: * `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`. ### Input fields File hash to lookup. ## Lookup IP address Action ID: `tools.threatstream.lookup_ip_address` Search Anomali ThreatStream for reputation of an IP address. ### Secrets Required secrets: * `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`. ### Input fields IP address to lookup. ## Lookup URL Action ID: `tools.threatstream.lookup_url` Search Anomali ThreatStream for reputation of an URL. ### Secrets Required secrets: * `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`. ### Input fields URL to lookup. # URLhaus Source: https://docs.tracecat.com/tools/urlhaus Reference for the Tracecat URLhaus integration: registered actions, required secrets, expected inputs, and example workflow usage. ## List URL blocklist Action ID: `tools.urlhaus.list_url_threats` List recent URLs from URLhaus blocklist Reference: [https://urlhaus-api.abuse.ch/#urls-recent](https://urlhaus-api.abuse.ch/#urls-recent) ### Secrets Required secrets: * `abusech`: required values `ABUSECH_API_KEY`. ### Input fields Maximum number of URLs to return. Default: `100`. # URLScan Source: https://docs.tracecat.com/tools/urlscan Reference for the Tracecat URLScan integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Lookup URL Action ID: `tools.urlscan.lookup_url` Lookup a URL using URLScan. Reference: [https://urlscan.io/docs/result/](https://urlscan.io/docs/result/) ### Secrets Required secrets: * `urlscan`: required values `URLSCAN_API_KEY`. ### Input fields URL to lookup. Visibility of the scan. Default: `"private"`. # VirusTotal Source: https://docs.tracecat.com/tools/virustotal Reference for the Tracecat VirusTotal integration: registered actions, required secrets, expected inputs, and example workflow usage. ## List threats Action ID: `tools.virustotal.list_threats` List threats from VirusTotal. Reference: [https://docs.virustotal.com/reference/overview](https://docs.virustotal.com/reference/overview) ### Secrets Required secrets: * `virustotal`: required values `VIRUSTOTAL_API_KEY`. ### Input fields Filter to apply to the list of threats. Maximum number of threats to return. Default: `10`. ## Lookup domain Action ID: `tools.virustotal.lookup_domain` Get VirusTotal report for a domain. Reference: [https://docs.virustotal.com/reference/domain-info](https://docs.virustotal.com/reference/domain-info) ### Secrets Required secrets: * `virustotal`: required values `VIRUSTOTAL_API_KEY`. ### Input fields Domain to lookup. ## Lookup file hash Action ID: `tools.virustotal.lookup_file_hash` Get VirusTotal report for a file hash. Reference: [https://docs.virustotal.com/reference/file-info](https://docs.virustotal.com/reference/file-info) ### Secrets Required secrets: * `virustotal`: required values `VIRUSTOTAL_API_KEY`. ### Input fields File hash to lookup. ## Lookup IP address Action ID: `tools.virustotal.lookup_ip_address` Get VirusTotal report for an IP address. Reference: [https://docs.virustotal.com/reference/ip-info](https://docs.virustotal.com/reference/ip-info) ### Secrets Required secrets: * `virustotal`: required values `VIRUSTOTAL_API_KEY`. ### Input fields IP address to lookup. ## Lookup URL Action ID: `tools.virustotal.lookup_url` Get VirusTotal report for a URL. Reference: [https://docs.virustotal.com/reference/url-info](https://docs.virustotal.com/reference/url-info) ### Secrets Required secrets: * `virustotal`: required values `VIRUSTOTAL_API_KEY`. ### Input fields URL to lookup. # Wazuh Source: https://docs.tracecat.com/tools/wazuh Reference for the Tracecat Wazuh integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Run command Action ID: `tools.wazuh.active_response` Run an Active Response command on Wazuh agents. Reference: [https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.active\_response\_controller.run\_command](https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.active_response_controller.run_command) ### Secrets Required secrets: * `wazuh_wui`: required values `WAZUH_WUI_USERNAME`, `WAZUH_WUI_PASSWORD`. ### Input fields List of agent IDs (separated by comma), all agents selected by default if not specified. Command running in the agent. If this value starts with !, then it refers to a script name instead of a command name. Change the token base duration Default: `900`. URL for the Wazuh WUI API. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. ## Update agents Action ID: `tools.wazuh.update_agents` Identifies outdated Wazuh agents and updates them. Reference: [https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent\_controller.put\_upgrade\_agents](https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.put_upgrade_agents) ### Secrets Required secrets: * `wazuh_wui`: required values `WAZUH_WUI_USERNAME`, `WAZUH_WUI_PASSWORD`. ### Input fields Change the token base duration Default: `900`. URL for the Wazuh WUI API. Default: `null`. If False, disables SSL verification for internal networks. Default: `true`. # Wiz MCP Source: https://docs.tracecat.com/tools/wiz Reference for the Tracecat Wiz MCP integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Wiz MCP Action ID: `tools.wiz.mcp` Use AI to interact with Wiz. Reference: [https://www.wiz.io/blog/introducing-mcp-server-for-wiz](https://www.wiz.io/blog/introducing-mcp-server-for-wiz) ### Secrets Required secrets: * `wiz_mcp_oauth`: OAuth token `WIZ_MCP_USER_TOKEN`. Optional secrets: * `anthropic`: optional values `ANTHROPIC_API_KEY`. * `openai`: optional values `OPENAI_API_KEY`. * `gemini`: optional values `GEMINI_API_KEY`. * `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`. * `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`. * `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`. * `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`. * `litellm`: required values `LITELLM_BASE_URL`. ### Input fields Instructions for the agent. User prompt to the agent. Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`. Default: `null`. Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`. Default: `null`. # Zendesk Source: https://docs.tracecat.com/tools/zendesk Reference for the Tracecat Zendesk integration: registered actions, required secrets, expected inputs, and example workflow usage. ## Get group users Action ID: `tools.zendesk.get_group_users` Retrieve all users in a specific group. Reference: [https://developer.zendesk.com/api-reference/ticketing/groups/groups/](https://developer.zendesk.com/api-reference/ticketing/groups/groups/) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields The ID of the group Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) Page number for pagination (1-based) Default: `null`. Number of users per page (max 100) Default: `100`. ## Get groups Action ID: `tools.zendesk.get_groups` Retrieve all groups from Zendesk. Reference: [https://developer.zendesk.com/api-reference/ticketing/groups/groups/](https://developer.zendesk.com/api-reference/ticketing/groups/groups/) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) Page number for pagination (1-based) Default: `null`. Number of groups per page (max 100) Default: `100`. ## Get ticket Action ID: `tools.zendesk.get_ticket` Retrieve a specific ticket by ID from Zendesk. Reference: [https://developer.zendesk.com/api-reference/ticketing/tickets/tickets/#show-ticket](https://developer.zendesk.com/api-reference/ticketing/tickets/tickets/#show-ticket) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) The ID of the ticket to retrieve ## Get ticket attachments Action ID: `tools.zendesk.get_ticket_attachments` Retrieve attachments from a specific ticket. Reference: [https://developer.zendesk.com/api-reference/ticketing/tickets/ticket\_comments/](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket_comments/) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) The ID of the ticket ## Get ticket comments Action ID: `tools.zendesk.get_ticket_comments` Retrieve all comments for a specific ticket. Reference: [https://developer.zendesk.com/api-reference/ticketing/tickets/ticket\_comments/](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket_comments/) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) The ID of the ticket Page number for pagination (1-based) Default: `null`. Number of comments per page (max 100) Default: `100`. ## Get Twilio recordings Action ID: `tools.zendesk.get_twilio_recordings` Retrieve Twilio call recordings associated with tickets (requires Twilio integration). Reference: [https://developer.zendesk.com/api-reference/voice/talk-api/recordings/](https://developer.zendesk.com/api-reference/voice/talk-api/recordings/) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields Call ID Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) ## Search Zendesk Action ID: `tools.zendesk.search_tickets` Search Zendesk using search query syntax. Reference: [https://developer.zendesk.com/api-reference/ticketing/ticket-management/search/#list-search-results](https://developer.zendesk.com/api-reference/ticketing/ticket-management/search/#list-search-results) ### Secrets Required secrets: * `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`. ### Input fields Your Zendesk subdomain (e.g., 'company' for company.zendesk.com) Page number for pagination (1-based) Default: `null`. Number of results per page (max 100) Default: `100`. Search query using Zendesk search syntax. Default type:ticket -status:solved -status:closed Default: `"type:ticket -status:solved -status:closed"`. Field to sort results by (created\_at, updated\_at, priority, status, ticket\_type) Default: `null`. Sort order (asc, desc) Default: `null`.