# AI action
Source: https://docs.tracecat.com/agents/ai-action
Use `ai.action` to run a single LLM call inside a Tracecat workflow: pick a model, pass instructions and inputs, and shape structured output for downstream actions.
Use `ai.action` when you only need a prompt and an output. It runs one model call and does not let the model call tools.
## Capabilities
* Pass task instructions in `instructions` and task data in `user_prompt`.
* Use `output_type` when you need a string, list, or JSON-shaped response for downstream actions.
* Tune provider-specific behavior with `model_settings`.
## Structured outputs
Use `output_type` when a downstream action needs a predictable shape.
* Use a scalar such as `str` or `int` for simple classification or routing.
* Use a JSON schema object when you need named fields.
* Tracecat parses valid JSON before storing it in the action result.
## Reference
### `ai.action`
Call an LLM with a given prompt and model (no tools).
#### Inputs
Name of the model to use.
Provider of the model to use.
User prompt to the agent.
Base URL of the model to use.
Default: `null`.
Instructions for the agent.
Default: `null`.
Maximum number of requests for the agent.
Default: `45`.
Model settings for the agent.
Default: `null`.
Output type for agent responses. Select from a list of supported types or provide a JSONSchema.
Default: `null`.
Number of retries for the agent.
Default: `3`.
#### Examples
**Extract structured fields from an alert**
```yaml theme={null}
- ref: extract_alert
action: ai.action
args:
model_name: gpt-4.1-mini
model_provider: openai
instructions: |
Extract the alert into the requested schema.
Use null for fields that are missing.
user_prompt: |
Parse this alert and normalize the key fields:
${{ TRIGGER.raw_alert }}
output_type:
type: object
properties:
severity:
type: string
user:
type:
- string
- "null"
src_ip:
type:
- string
- "null"
needs_escalation:
type: boolean
required:
- severity
- needs_escalation
```
**Classify an email triage decision**
```yaml theme={null}
- ref: classify_email
action: ai.action
args:
model_name: claude-3-5-sonnet-latest
model_provider: anthropic
instructions: |
Return one of: phishing, benign, spam, unknown.
user_prompt: |
Subject: ${{ TRIGGER.subject }}
Sender: ${{ TRIGGER.sender }}
Body:
${{ TRIGGER.body }}
output_type:
type: string
enum:
- phishing
- benign
- spam
- unknown
```
# AI agent
Source: https://docs.tracecat.com/agents/ai-agent
Use `ai.agent` and `ai.preset_agent` for tool-calling agent runs inside Tracecat workflows: configure tools, secrets, and instructions for autonomous reasoning.
Use `ai.agent` when the model needs tool calls. You give the agent a prompt, instructions, and an allowlist of actions it can call during the run.
## Capabilities
* `ai.agent`: Prompt plus tool calls. Use the `actions` list to control which Tracecat actions the agent can use.
* EE `ai.preset_agent`: Prompt plus a saved agent configuration. Use this when you want reusable instructions, tools, and MCP integrations across workflows.
* `tool_approvals`: Require approval before selected tools run. This is an enterprise feature.
* `max_tool_calls` and `max_requests`: Bound how much work the agent can do in a single run.
## Structured outputs
`ai.agent` also supports `output_type`.
* Use it when the agent should return a final object or typed value after tool use.
* Keep the schema focused on the final answer, not the intermediate tool steps.
## MCP
Enterprise Edition
`ai.agent` does not take MCP servers directly in the workflow action. If you need MCP, save that configuration in an agent preset and run it with `ai.preset_agent`.
`ai.preset_agent` supports both remote and stdio MCP servers.
Internet access is controlled by the root preset for the shared sandbox process. Subagent presets can define their own tools and MCP integrations, but their internet setting does not grant network access unless the root preset also enables it.
See [MCP integrations](/automations/integrations/mcp-integrations) to learn more.
## Reference
### `ai.agent`
AI agent with tool calling capabilities. Returns the output and full message history.
#### Inputs
Name of the model to use.
Provider of the model to use.
User prompt to the agent.
Actions (e.g. 'tools.slack.post\_message') to include in the agent.
Default: `null`.
Base URL of the model to use.
Default: `null`.
Instructions for the agent.
Default: `null`.
Maximum number of requests for the agent.
Default: `45`.
Maximum number of tool calls for the agent.
Default: `15`.
Model settings for the agent.
Default: `null`.
Output type for agent responses. Select from a list of supported types or provide a JSONSchema.
Default: `null`.
Number of retries for the agent.
Default: `3`.
Per-tool approval overrides keyed by action name (e.g. 'core.cases.create\_case'). Use true to require approval, false to allow auto-execution.
Default: `null`.
#### Examples
**Investigate an alert with tools**
```yaml theme={null}
- ref: investigate_alert
action: ai.agent
args:
model_name: gpt-4.1
model_provider: openai
instructions: |
You are a security triage agent.
Review the alert, gather missing context, and write a concise analyst summary.
user_prompt: |
Investigate this alert and explain whether it needs escalation:
${{ TRIGGER.alert }}
actions:
- tools.slack.lookup_users_by_email
- tools.github.search_code
- core.cases.create_comment
max_tool_calls: 6
output_type:
type: object
properties:
verdict:
type: string
summary:
type: string
required:
- verdict
- summary
```
**Require approval for sensitive tools**
```yaml theme={null}
- ref: draft_case_update
action: ai.agent
args:
model_name: claude-3-5-sonnet-latest
model_provider: anthropic
instructions: |
Investigate the incident, then propose the next action.
Create or update records only if the required approval is granted.
user_prompt: |
Review the latest evidence for case ${{ TRIGGER.case_id }} and decide what to do next.
actions:
- core.cases.get
- core.cases.create_comment
- core.cases.update
tool_approvals:
core.cases.update: true
max_tool_calls: 4
```
### `ai.preset_agent`
Enterprise Edition
Run an AI agent using a saved agent preset.
#### Inputs
Preset of the agent to run (e.g. 'security-analyst').
User prompt to the agent.
Optional override for the actions (e.g. 'tools.slack.post\_message') that the agent should be allowed to call.
Default: `null`.
Additional instructions to append to the preset instructions for this run.
Default: `null`.
Maximum number of requests for the agent.
Default: `45`.
Maximum number of tool calls for the agent.
Default: `15`.
Optional preset version number to pin for this run.
Default: `null`.
#### Examples
**Run a saved agent preset**
```yaml theme={null}
- ref: run_security_analyst
action: ai.preset_agent
args:
preset: security-analyst
preset_version: 3
user_prompt: |
Review the incident below and decide whether to escalate it:
${{ TRIGGER.incident }}
max_tool_calls: 8
```
## FAQ
* Use `ai.action` when you only need one model response and no tools.
* Use `ai.agent` when the model must call Tracecat actions during the run.
* Use `ai.preset_agent` when you want a reusable saved configuration, especially for shared instructions, approvals, or MCP integrations.
```yaml Use ai.agent for tool calls theme={null}
- ref: analyze_input
action: ai.agent
args:
model_name: gpt-4.1-mini
model_provider: openai
instructions: |
Investigate the alert and summarize the next step.
user_prompt: |
Review this alert:
${{ TRIGGER.alert }}
actions:
- tools.github.search_code
- core.cases.create_comment
max_tool_calls: 4
```
```yaml Use ai.preset_agent for saved configuration theme={null}
- ref: analyze_with_preset
action: ai.preset_agent
args:
preset: security-analyst
user_prompt: |
Review this alert and write a short analyst summary:
${{ TRIGGER.alert }}
```
MCP integrations are configured on the preset, not on the `ai.agent` workflow action itself.
If the run needs MCP tools, create or update an agent preset, attach the MCP integrations there, and execute it with `ai.preset_agent`.
Use `ai.agent` when Tracecat workflow actions alone are enough.
Use `ai.preset_agent` when the agent needs access to MCP servers in addition to regular Tracecat actions.
# Custom LLM providers
Source: https://docs.tracecat.com/agents/custom-llm-providers
Configure custom OpenAI-compatible model providers for Tracecat agents: add a custom source, discover models, and enable them for presets and defaults.
Use a custom LLM provider when an agent should call your own OpenAI-compatible gateway instead of Tracecat's managed LiteLLM gateway.
Custom providers are managed as custom sources in organization agent settings.
## Routing model
Each agent uses its own model configuration to decide where its LLM requests go.
| Agent model configuration | Request route |
| ----------------------------- | -------------------------------------------- |
| `passthrough: true` | Direct to that agent's configured `base_url` |
| `passthrough: false` or unset | Tracecat's managed LiteLLM gateway |
Root agents and subagents follow the same rule. A root agent can use a custom passthrough gateway while a subagent uses managed LiteLLM, or a subagent can use its own passthrough gateway while the root agent uses managed LiteLLM.
Tracecat strips the trailing version segment from the base URL before forwarding sandbox requests because SDK clients append paths such as `/v1/messages`. This prevents doubled paths such as `/v1/v1/messages`.
## Root agents
For a root agent, Tracecat keys direct passthrough routing by the model string the root agent sends.
```yaml theme={null}
model_name: customer-alias
model_provider: custom-model-provider
base_url: https://customer-litellm.example/v1
passthrough: true
```
Requests with `model: customer-alias` go directly to `https://customer-litellm.example`.
## Subagents
For a subagent, Tracecat keys direct passthrough routing by the subagent's scoped model route. This lets Tracecat route each preset agent independently, even when several agents share the same sandbox process.
```yaml theme={null}
model_name: child-alias
model_provider: custom-model-provider
base_url: https://child-litellm.example/v1
passthrough: true
```
Requests for that subagent go directly to `https://child-litellm.example`. Requests for other subagents fall back to managed LiteLLM unless those subagents also enable passthrough.
## Credentials
Tracecat resolves passthrough credentials from the custom provider selected by the agent's model configuration. If a root agent and subagent use different passthrough providers, each route uses its own provider credentials.
Managed LiteLLM requests keep the sandbox's managed gateway token.
## Add a custom source
Go to Organization settings, open Agent, then go to Custom sources and click Add custom source.
Set the source fields:
* **Name**: A readable label, such as `Local gateway`.
* **Base URL**: The OpenAI-compatible API base URL, e.g. `https://gateway.example/v1`.
* **Auth header**: Leave blank to use `Authorization`.
* **Auth value**: The provider credential. If Auth header is blank, Tracecat sends `Authorization: Bearer `.
* **Passthrough mode**: Enable this to route agent requests directly to this gateway instead of Tracecat's managed LiteLLM. Required for bring-your-own gateways such as LiteLLM, vLLM, and Ollama-compatible endpoints.
Use Advanced > Additional headers only for static non-auth headers. The value must be a JSON object with string keys and string values.
```json theme={null}
{
"X-Custom-Header": "value"
}
```
Click Test connection to verify the source before saving it, then click Add source.
## Discover and enable models
After you save the source, click Refresh.
Tracecat calls the source's `/models` endpoint and adds the returned models to the organization catalog.
Enable the models you want available to agent presets and organization defaults.
If your organization does not have agent add-ons enabled, Tracecat enables discovered custom source models automatically after refresh.
## Use the provider
Choose the enabled custom source model anywhere Tracecat lets you select an agent model, such as the default model selector or a preset agent configuration.
Refresh the source again after you add or remove models from the upstream gateway.
Edit the source when you rotate credentials, change the base URL, or update static headers.
## Related pages
* See [AI agent](/agents/ai-agent) for the `ai.agent` and `ai.preset_agent` action reference.
* See [AI action](/agents/ai-action) for single-call LLM workflow actions.
* See [Secrets and variables](/agents/secrets-variables) for agent secret handling.
* See [MCP servers](/automations/integrations/mcp-integrations) for connecting MCP tools to agents.
# Secrets and variables
Source: https://docs.tracecat.com/agents/secrets-variables
Pass Tracecat secrets and workspace variables to preset agent tool calls securely: scope credentials per agent run and inject values without exposing them to the model.
## Overview
Preset agents can reference secrets and variables using Tracecat expression syntax.
Include `${{ SECRETS.. }}` or `${{ VARS.. }}` in a preset agent's saved instructions so the agent passes them as tool arguments at runtime.
## Security
Preset agent tool calls go through a secure server-side proxy.
The LLM only sees the raw expression placeholder (e.g. `${{ SECRETS.threatintel.API_KEY }}`). The actual secret values are injected server-side at the tool execution layer after the model responds, so the LLM never has access to your credentials.
`ai.action` and `ai.agent` actions do **not** support secure secrets injection. Secret and variable expressions are evaluated immediately in workflow action inputs and will be exposed to the LLM.
## Secrets
Use `${{ SECRETS.. }}` to reference a secret stored in your workspace credentials.
In a workflow action this looks like:
```yaml theme={null}
- ref: triage_alert
action: ai.preset_agent
args:
preset: security-triage
user_prompt: |
Look up the reputation of this IP address:
${{ TRIGGER.source_ip }}
```
Where the `security-triage` preset instructions contain:
```text theme={null}
You are a security triage agent.
When you make HTTP requests to the threat intel API, pass
`${{ SECRETS.threatintel.API_KEY }}` in the Authorization header
as a Bearer token.
Do not print or return secret values in your final answer.
```
## Variables
Use `${{ VARS.. }}` for non-sensitive configuration such as base URLs, project IDs, or channel names.
In a workflow action:
```yaml theme={null}
- ref: triage_alert
action: ai.preset_agent
args:
preset: security-triage
user_prompt: |
Investigate this alert and file a ticket with your findings:
${{ TRIGGER.alert }}
```
Where the `security-triage` preset instructions contain:
```text theme={null}
You are a security triage agent.
When you call the threat intel API, use `${{ VARS.threatintel.base_url }}`
as the base URL.
When you file tickets, use `${{ VARS.ticketing.project_id }}` as the
project ID and `${{ VARS.ticketing.base_url }}` as the base URL.
```
## Secrets and variables
Use secrets for credentials and variables for everything else.
Full workflow example:
```yaml theme={null}
- ref: investigate_and_respond
action: ai.preset_agent
args:
preset: security-triage
user_prompt: |
Investigate this alert:
${{ TRIGGER.alert }}
max_tool_calls: 10
```
Where the `security-triage` preset instructions contain:
```text theme={null}
You are a security triage agent. Investigate the alert, enrich it,
and file a ticket.
Credentials:
- Threat intel API key: `${{ SECRETS.threatintel.API_KEY }}`
- Ticketing API key: `${{ SECRETS.ticketing.API_KEY }}`
Configuration:
- Threat intel base URL: `${{ VARS.threatintel.base_url }}`
- Ticketing base URL: `${{ VARS.ticketing.base_url }}`
- Ticketing project ID: `${{ VARS.ticketing.project_id }}`
Steps:
1. Look up the source IP using the threat intel API.
2. File a ticket with your findings in the ticketing system.
Do not print or return secret values in your final answer.
```
## OAuth secrets
OAuth tokens follow a different naming convention. The secret name is `_oauth` and the key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`.
```yaml theme={null}
# authorization_code grant (delegated user access)
${{ SECRETS._oauth._USER_TOKEN }}
# client_credentials grant (service-to-service)
${{ SECRETS._oauth._SERVICE_TOKEN }}
```
In a workflow action:
```yaml theme={null}
- ref: query_sentinel
action: ai.preset_agent
args:
preset: sentinel-analyst
user_prompt: |
Query Microsoft Sentinel for recent incidents related to this IP:
${{ TRIGGER.source_ip }}
```
Where the `sentinel-analyst` preset instructions contain:
```text theme={null}
You are a security triage agent.
When you make HTTP requests to the Microsoft Sentinel API, pass
`${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN }}`
in the Authorization header as a Bearer token.
Do not print or return secret values in your final answer.
```
See [OAuth integrations](/automations/integrations/oauth-integrations) for setup and the full list of built-in providers.
## Related pages
* [Secrets](/automations/core-concepts/secrets) — create and manage workspace secrets
* [Variables](/automations/core-concepts/variables) — create and manage workspace variables
* [Expressions](/automations/core-concepts/expressions) — full expression syntax reference
* [AI agent](/agents/ai-agent) — `ai.agent` and `ai.preset_agent` reference
* [OAuth integrations](/automations/integrations/oauth-integrations) — OAuth setup and providers
# Skills
Source: https://docs.tracecat.com/agents/skills
Create, publish, and attach Tracecat skills to preset agents so reusable instructions and files are available during agent runs.
Enterprise Edition
Skills let you package reusable agent instructions and supporting files.
Attach published skill versions to a preset agent when the agent needs the same playbook, reference material, or helper files across runs.
## Create a skill
Open `Skills` from the workspace navigation.
Click `Create new`, then choose `Skill` to start with an empty working copy or `Upload` to import an existing skill directory.
Skill names use lowercase letters, numbers, and single hyphens.
Tracecat seeds new skills with a root `SKILL.md` file.
## Write SKILL.md
Use `SKILL.md` for the skill metadata and instructions.
The root file must include frontmatter with `name` and `description`.
```md theme={null}
---
name: threat-intel
description: Enrich indicators and summarize threat intelligence findings.
---
# threat-intel
Use this skill when you need to enrich IP addresses, domains, URLs, or file
hashes during alert triage.
```
Tracecat uses the frontmatter `name` as the published skill name.
Keep published skill names unique among skills attached to the same preset agent.
Write the body as instructions the agent can follow during a run.
## Add files
Add supporting files when the agent needs more than instructions.
Use files for examples, checklists, schemas, helper scripts, or reference data.
Editable text files open inline in the skill editor.
Other file types can be replaced, deleted, or downloaded.
## Publish a version
Save the working copy, then click `Publish version`.
Publishing creates an immutable version from the current files and makes the skill available to preset agents.
Publishing requires:
* A root `SKILL.md` file.
* Valid YAML frontmatter in `SKILL.md`.
* A frontmatter `name` that follows the skill name rules.
* No duplicate paths or path conflicts.
## Attach skills to a preset agent
Open the preset agent, then use the `Skills` tab to attach published skills.
Each attachment pins one published skill version.
Only published skills can be attached.
When you publish a new skill version, update the preset if you want future runs to use it.
## How agents load skills
When a preset agent runs, Tracecat stages the pinned skill versions into the agent runtime.
The agent can discover the skill by its `SKILL.md` metadata and use the bundled files during the run.
Use skills for reusable agent behavior.
Use preset instructions for behavior that belongs only to one preset agent.
## Related pages
* See [AI agent](/agents/ai-agent) for the `ai.agent` and `ai.preset_agent` workflow actions.
* See [Secrets and variables](/agents/secrets-variables) to pass credentials and configuration to preset agent tool calls.
* See [MCP integrations](/automations/integrations/mcp-integrations) to attach MCP servers to preset agents.
# Basic
Source: https://docs.tracecat.com/authentication/basic
Authenticate into self-hosted Tracecat with basic email-and-password sign-in: configure user accounts, password policies, and admin bootstrap for small deployments.
In production, use OIDC or SAML SSO. Basic auth is meant for local development only.
## Overview
Basic auth lets you sign in to Tracecat with an email and password.
## Configuration
In your `.env` file, enable the basic auth type:
```bash theme={null}
TRACECAT__AUTH_TYPES=basic
```
You can also combine auth types if you need to:
```bash theme={null}
TRACECAT__AUTH_TYPES=basic,oidc
```
## Minimum password length
When you use basic auth, your password must be at least
`TRACECAT__AUTH_MIN_PASSWORD_LENGTH` characters long. The default minimum is `12`.
# OIDC
Source: https://docs.tracecat.com/authentication/oidc
Authenticate into Tracecat using OpenID Connect: register an OIDC client with your IdP, map claims, and enable SSO sign-in across the platform.
## Configuration
In your `.env` file, enable the OIDC auth type.
```bash theme={null}
TRACECAT__AUTH_TYPES=oidc
```
## Required environment variables
Set the following variables for your provider:
* `TRACECAT__PUBLIC_APP_URL`
* `OIDC_ISSUER`
* `OIDC_CLIENT_ID`
* `OIDC_CLIENT_SECRET`
* `OIDC_SCOPES` (optional, defaults to `openid profile email`)
## Instructions
Register Tracecat as an application with your provider and allow the standard
OpenID Connect scopes needed for sign-in.
Set the provider redirect URI to `/auth/oauth/callback`.
For the local Docker Compose deployment, use `http://localhost/auth/oauth/callback`.
Add the public Tracecat URL, issuer URL, and client credentials to your `.env`
file. Tracecat generates OAuth callback URLs from
`TRACECAT__PUBLIC_APP_URL`, so this must match the external URL users visit.
Example:
```bash theme={null}
TRACECAT__PUBLIC_APP_URL=https://tracecat.example.com
OIDC_ISSUER=https://issuer.example.com
OIDC_CLIENT_ID=tracecat
OIDC_CLIENT_SECRET=replace-me
OIDC_SCOPES="openid profile email"
```
Restart the application so the new auth configuration is loaded.
# SAML SSO
Source: https://docs.tracecat.com/authentication/saml
Authenticate into Tracecat with SAML SSO: configure your identity provider, map attributes, and enable single sign-on for organization-wide access.
## Supported identity providers
* [Okta](#okta)
* [Microsoft Entra ID](#microsoft-entra-id)
* [Authentik](#authentik)
* [Keycloak](#keycloak)
## Configuration
In your `.env` file, make sure you have the following values set.
```bash theme={null}
TRACECAT__AUTH_TYPES=saml
SAML_IDP_METADATA_URL=https://
```
## Access policy
After SAML authentication succeeds, Tracecat allows organization access when at least one of the following is true:
* The user already has membership in the organization.
* The user has a pending invitation for the organization.
* The user is the first-user superadmin bootstrap account in the default organization.
* The user is a platform superadmin (owner).
Tracecat only auto-provisions SAML user accounts for:
* Pending organization invitations.
* First-user superadmin bootstrap (default organization only).
If this is a new deployment, make sure `TRACECAT__AUTH_SUPERADMIN_EMAIL` exactly matches the email claim sent by your IdP for the owner account.
## Instructions
Tracecat always requires signed assertions and signed responses.
If you are using a self-signed certificate for your metadata URL, configure
a base64-encoded CA certificates `.pem` bundle with `SAML_CA_CERTS` in your
deployment environment.
### Okta
Go to **Applications** and select **Add Application**.
Select **SAML 2.0** and click on **Create**.
* Set the **Single sign-on URL**, **Recipient URL**, and **Destination URL** to `https:///auth/saml/acs`.
* Set the **Audience Restriction** to `https://`.
Map `email` to `user.email`
Set the following environment variables in your `.env` file:
* `SAML_IDP_METADATA_URL`: Okta metadata URL
Restart Tracecat to apply the changes.
Navigate to your Tracecat instance and click on the **Login** button.
You should be redirected to Okta for authentication.
### Microsoft Entra ID
You must enable **Sign SAML response and assertion** in your Microsoft SAML app settings.
Microsoft SAML apps only sign assertions by default.
Go to **Enterprise applications** and select the **New application** button.
Find and select the **Microsoft Entra SAML toolkit** app.
* Set the **Reply URL** and **Sign on URL** to `https:///auth/saml/acs`.
* Set **Identifier** to `https:///api`.
* Set **Relay State** to `https://`.
* Make sure that **Sign SAML response and assertion** is enabled.
Map `email` to `user.mail`
### Authentik
Go to **Providers** and select the **Create** button.
Choose **SAML Provider** and select the **Next** button.
* Enter a name and choose an authorization flow
* Set the **ACS URL** to `https:///auth/saml/acs`.
* Set the **Audience** to `https:///api`.
* Expand the **Advanced protocol settings** section.
* Select a **Signing Certificate** and ensure **Sign assertions** is enabled.
* Select **authentik default SAML Mapping: Name** in **Selected User Property Mappings**.
* Click the **\<** button to deselect it.
* Select the **Finish** button.
Go to **Applications** and select the **Create** button.
Fill in the details as desired.
* Select the provider you created previously.
* Select the **Metadata** tab.
* Select the **Copy download URL** button.
Set the following environment variables in your `.env` file:
* `SAML_IDP_METADATA_URL`: Metadata download URL
Restart Tracecat to apply the changes.
Navigate to your Tracecat instance and click on the **Login** button.
You should be redirected to Authentik for authentication.
### Keycloak
* Go to **Clients** and select the **Create client** button.
* Set the **Client type** to **SAML**.
* Set the **Client ID** to `https:///api` and select the **Next** button.
* Set the **Valid redirect URIs** to `https:///auth/saml/acs`.
* Set the **Master SAML Processing URL** to `https:///auth/saml/acs` and select the **Save** button.
* In **Settings** tab scroll down to **Signature and Encryption** section.
* Ensure **Sign documents** is enabled.
* Open **Keys** tab and look into **Signing keys config** section.
* Ensure **Client signature required** is disabled.
* Open **Client scopes** tab and click on client scope `https:///api-dedicated`.
* Create new **User Property** mapper for **email** attribute and click **Save**.
* Go to **Realm Settings** ➤ **General** ➤ **Endpoints**.
* Copy the **SAML 2.0 Identity Provider Metadata** link.
Set the following environment variables in your `.env` file:
* `SAML_IDP_METADATA_URL`: Metadata download URL
Restart Tracecat to apply the changes.
Navigate to your Tracecat instance and click on the **Login** button.
You should be redirected to Keycloak for authentication.
## Environment variables
For standard self-hosted SAML setup, provide your IdP metadata URL in the
deployment environment.
### Protocol configuration
* `SAML_ALLOW_UNSOLICITED`: Whether to allow unsolicited SAML responses (default: `false`)
* `SAML_ACCEPTED_TIME_DIFF`: Time difference in seconds for SAML authentication (default: `3`)
Tracecat always requires signed assertions and signed responses. These checks are
not configurable.
### SSL transport configuration
* `SAML_VERIFY_SSL_ENTITY`: Whether to verify SSL certificates for general SAML entity operations (default: `true`)
* `SAML_VERIFY_SSL_METADATA`: Whether to verify SSL certificates when fetching metadata (default: `true`)
* `SAML_CA_CERTS`: Base64 encoded CA certificates for SSL/TLS transport layer validation
# Actions
Source: https://docs.tracecat.com/automations/actions
Connect Tracecat actions to build workflows: configure inputs and outputs, reference upstream results, and chain core, integration, and custom actions.
You can view all available actions in the `/actions` page.
## Action names
Every Tracecat action has a title, namespace, and name.
Actions IDs are defined as `.`. For example, `tools.slack.post_message` uses the `tools.slack` namespace and the `post_message` name.
## Action types
Tracecat actions are defined in either Python UDFs (user-defined functions) or YAML templates (domain-specific language for actions).
See [Custom actions](/custom-actions/custom-registry) for more details.
## Action toolbar
If you're building workflows in the UI, you can quickly find actions by namespace using the actions toolbar:
* `core` for built-in utilities such as HTTP requests, Python scripts, email, and gRPC actions
* `ai` for non-agent AI actions
* `ai` also powers the separate `Agent` group for actions such as `ai.agent` and `ai.preset_agent`
* `core.workflow` for workflow actions, plus scatter and gather helpers
* `core.transform` for transform actions
* `core.cases` for case actions
* `core.table` for table actions
* `core.sql` and `core.duckdb` for SQL actions
* `tools.*` for installed integrations; this menu also supports search
## Expressions
Expressions use `${{ ... }}`.
Use these references inside expressions:
* `TRIGGER.`
* `ACTIONS.[.result`
* `SECRETS..`
* `VARS..`
* `ENV.`
* `var.`
* `FN.(...)`
See [Expressions](/automations/core-concepts/expressions) for syntax, operators, and literals.
See [JSONPath](/automations/core-concepts/jsonpath) for field access and array access.
See [Functions](/automations/core-concepts/functions) for the full function list.
## Success and error paths
Every action has a success and error path.
The success path, which is represented by the green dot, runs when the action succeeds.
The error path, which is represented by the red dot, runs when the action fails.
]
## Control flow
You can configure how an action runs from the "Control flow" tab in the action panel.
### Mask output
Use `mask_output` to hide an action's result in workflow execution views and execution API responses. Tracecat keeps the object and array shape, but replaces each individual value with `[REDACTED]`.
You can still copy JSONPath references from the displayed structure. `mask_output` only affects display; downstream actions can still use the original result with expressions such as `${{ ACTIONS.lookup_user.result.id }}`.
```yaml theme={null}
- ref: lookup_user
action: core.http_request
mask_output: true
args:
url: "https://api.example.com/users/${{ TRIGGER.user_id }}"
method: GET
```
### Run if
Use `run_if` to execute an action only when a condition evaluates to a truthy value. If the condition is falsy, Tracecat skips the action.
```yaml High severity only theme={null}
- ref: notify_team
action: tools.slack.post_message
run_if: ${{ TRIGGER.severity == "high" }}
args:
channel: ${{ SECRETS.slack.SECURITY_CHANNEL }}
text: "High severity alert: ${{ TRIGGER.alert_id }}"
```
```yaml Status and owner check theme={null}
- ref: escalate_case
action: core.cases.update
run_if: ${{ TRIGGER.status == "open" && TRIGGER.owner != None }}
args:
case_id: ${{ TRIGGER.case_id }}
status: in_progress
```
```yaml Retry on empty result theme={null}
- ref: fetch_user
action: core.http_request
run_if: ${{ ACTIONS.lookup_user.result == None }}
args:
url: "https://api.example.com/users/${{ TRIGGER.user_id }}"
method: GET
```
### For each
Use `for_each` to run the same action once per item in a collection. If `items` contains `N` values, Tracecat runs the action `N` times.
Inside the action inputs, reference the current item with `var.`. For example, `for_each: ${{ for var.user in TRIGGER.users }}` runs the action `len(TRIGGER.users)` times, and each run reads the current item from `var.user`.
```yaml Send one email per user theme={null}
- ref: email_user
action: core.email.send
for_each: ${{ for var.user in TRIGGER.users }}
args:
recipients:
- ${{ var.user.email }}
subject: "Tracecat notification"
body: "Hello ${{ var.user.name }}"
```
```yaml Fetch one record per alert theme={null}
- ref: fetch_alert
action: core.http_request
for_each: ${{ for var.alert in TRIGGER.alerts }}
args:
url: "https://api.example.com/alerts/${{ var.alert.id }}"
method: GET
headers:
Authorization: "Bearer ${{ SECRETS.alerts.API_TOKEN }}"
```
```yaml Create one case comment per finding theme={null}
- ref: comment_on_case
action: core.cases.create_comment
for_each: ${{ for var.finding in ACTIONS.parse_findings.result }}
args:
case_id: ${{ TRIGGER.case_id }}
comment: "Finding: ${{ var.finding.title }}"
```
### Join strategy
`join_strategy` controls how a downstream action waits on multiple upstream branches. Use `all` to wait for every branch, or `any` to continue after the first branch completes.
### Environment
Use `environment` to override which secrets or variables environment an action reads from.
This is useful to target different secrets or variables for the same pre-built action (e.g. different Slack apps for `tools.slack.post_message`).
### Start delay
Use `start_delay` to wait a fixed number of seconds before an action starts.
### Timeout
Use `timeout` to cap how long Tracecat waits for an action attempt to finish.
Defaults to 300 seconds.
### Max attempts
Use `max_attempts` to control how many times Tracecat retries the action if it fails.
Defaults to 1 attempt.
## FAQ
Most validation errors come from expression shape rather than action behavior:
* Wrap the whole expression once as `${{ ... }}`. Do not split one condition across multiple expression blocks.
* `run_if` must evaluate to a boolean value such as `${{ TRIGGER.severity == "high" }}`.
* Use comparison operators such as `==` and `!=`. A single `=` is not a valid comparison.
* `for_each` must use the iteration form `${{ for var.item in ... }}` and the value on the right side must be a list.
```yaml Valid run_if theme={null}
- ref: notify_team
action: tools.slack.post_message
run_if: ${{ TRIGGER.severity == "high" && TRIGGER.status != "closed" }}
args:
channel: ${{ SECRETS.slack.SECURITY_CHANNEL }}
text: "High-severity alert: ${{ TRIGGER.alert_id }}"
```
```yaml Valid for_each theme={null}
- ref: create_comment
action: core.cases.create_comment
for_each: ${{ for var.item in TRIGGER.findings }}
args:
case_id: ${{ TRIGGER.case_id }}
comment: "Finding: ${{ var.item.title }}"
```
# Cases
Source: https://docs.tracecat.com/automations/cases
Track and resolve Tracecat cases: triage alerts, run agents and workflows on case events, manage tasks and comments, and report on outcomes.
Cases give you a shared place to triage, investigate, and resolve work.
You can use them to keep status, evidence, comments, and follow-up work together in one record.
## Features
Create, update, search, assign, tag, and delete cases.
Add comments, replies, and thread lookups.
Upload, list, download, and delete case attachments.
EE
Add todo items with attachable workflows.
EE
Link structured data to cases.
EE
Track custom case metrics.
## Working with cases
Use a case when you need a durable investigation record instead of a single workflow run.
Your workflows can create or update a case, attach evidence, add comments, and move the case forward as new context arrives.
* Track the current owner, severity, priority, and status in one place
* Add comments and replies so analysts and workflows share the same timeline
* Store evidence as attachments instead of passing large blobs between actions
* Link structured rows, tasks, and metrics to keep investigation context organized
## Tags
Tags help you group and find related cases.
You can use them to label incidents by team, detection source, campaign, environment, or any other shared dimension.
Tags work well when you want lightweight organization across many cases.
You can also set tags from workflows with `core.cases.create_case` and `core.cases.update_case`.
## Custom fields
Custom fields let you store case-specific data that does not fit into the default case properties.
You can use them for values such as ticket IDs, affected systems, request metadata, or triage notes.
Use custom fields when you need flexible structured data on a case.
Your workflows can read and update them through the `fields` input on case actions.
Case custom fields use the same storage type family as tables: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`.
In the case field picker, raw `JSONB` is currently surfaced through the case-only `URL` kind, and the picker also exposes `Long text`, which is layered on top of `TEXT`.
## AI copilot in a case
Open source
The AI copilot lets you work inside a case instead of switching to a separate chat tool.
You can use it to summarize activity, answer questions, and draft next steps from the case timeline, linked evidence, and workflow output.
## AI copilot across cases
Enterprise
Enterprise extends the copilot beyond a single case.
You can use it to correlate related cases, compare investigation history, and surface patterns across incidents.
This is useful when you want to:
* Correlate repeated alerts across multiple cases
* Spot shared indicators, assets, or actors
* Find similar investigations before you start a new one
* Build broader investigation context across your case queue
## Dropdowns
Enterprise
Dropdowns add custom top-level case filters alongside built-in filters such as status, priority, and severity.
You can use them to add workspace-specific classifications such as queue, business unit, incident type, or escalation path.
Unlike free-form fields, dropdowns give you a fixed set of options.
This makes them useful when you want consistent filtering, routing, and reporting across your case queue.
## Durations
Enterprise
Durations track elapsed time between case events.
You can use them to measure intervals such as time to triage, time to assign, or time to resolution.
Durations help you understand how cases move through your process.
They are useful when you want operational reporting or workflow triggers based on how long a case has been in a given state.
## Tasks
Enterprise
Tasks let you break an investigation into concrete follow-up work.
They work well for analyst handoffs, evidence requests, and repeatable remediation steps.
Use tasks to:
* Assign work to a person or queue
* Capture checklist-style next steps
* Attach workflows to routine case operations
* Keep completion state visible alongside comments and evidence
## Linked rows
Enterprise
Linked rows connect a case to structured data in tables.
Use them when a case needs more than free-form notes, such as indicators, assets, or external detections.
For example, you can link:
* Related SIEM alerts
* Indicators of compromise (IoCs)
* Affected assets such as hosts, users, or devices
* Threat intelligence matches
* Evidence artifacts such as domains, IPs, or hashes
Linked rows are especially useful when workflows enrich a case over time.
You can insert new rows as evidence arrives or link existing rows that are already part of another workflow or lookup table.
Linked rows use regular tables.
When you create a table for case-linked evidence, use the same `columns` JSON schema documented in [Tables](/automations/tables) and [Table actions](/automations/core-actions/memory-actions/tables).
## Case actions
Use `core.cases.*` actions when you want your workflows to create or update cases.
* [Cases](/automations/core-actions/case-actions/cases) to create, fetch, update, search, and delete cases
* [Comments](/automations/core-actions/case-actions/comments) to add analyst or workflow notes
* [Attachments](/automations/core-actions/case-actions/attachments) to upload and retrieve evidence files
* [Tasks](/automations/core-actions/case-actions/tasks) for case task management in Enterprise
* [Linked rows](/automations/core-actions/case-actions/linked-rows) to connect case records to tables in Enterprise
* [Metrics](/automations/core-actions/case-actions/metrics) for custom case measurements in Enterprise
For example:
```yaml theme={null}
- ref: create_case
action: core.cases.create_case
args:
summary: "Investigate alert ${{ TRIGGER.alert_id }}"
description: "Created from the SIEM alert pipeline."
priority: high
severity: high
tags:
- triage
- ref: add_triage_note
action: core.cases.create_comment
args:
case_id: ${{ ACTIONS.create_case.result.id }}
content: "Automated triage started."
```
# Attachments
Source: https://docs.tracecat.com/automations/core-actions/case-actions/attachments
## `core.cases.upload_attachment`
Upload a file attachment to a case.
### Inputs
The ID of the case to attach the file to.
The file content encoded in base64.
The MIME type of the file (e.g., 'application/pdf').
The original filename.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
## `core.cases.upload_attachment_from_url`
Upload a file attachment to a case from a URL.
### Inputs
The ID of the case to attach the file to.
The URL of the file to upload.
Filename of the file to upload. If not provided, the filename will be inferred from the URL.
Default: `null`.
The headers to use when downloading the file.
Default: `null`.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
## `core.cases.list_attachments`
List all attachments for a case.
### Inputs
The ID of the case to list attachments for.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
## `core.cases.get_attachment`
Get attachment metadata without downloading the content.
### Inputs
The ID of the attachment to get.
The ID of the case containing the attachment.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
## `core.cases.get_attachment_download_url`
Get a presigned S3 URL for downloading an attachment.
### Inputs
The ID of the attachment.
The ID of the case containing the attachment.
URL expiry time in seconds. If not provided, uses the default from configuration.
Default: `null`.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
## `core.cases.download_attachment`
Download an attachment's content.
### Inputs
The ID of the attachment to download.
The ID of the case containing the attachment.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
## `core.cases.delete_attachment`
Delete an attachment from a case.
### Inputs
The ID of the attachment to delete.
The ID of the case containing the attachment.
### Examples
**Work with attachments**
```yaml theme={null}
- ref: upload_attachment
action: core.cases.upload_attachment
args:
case_id: ${{ TRIGGER.case_id }}
file_name: note.txt
content_base64: Zm9yZW5zaWMgbm90ZXM=
content_type: text/plain
- ref: upload_attachment_from_url
action: core.cases.upload_attachment_from_url
args:
case_id: ${{ TRIGGER.case_id }}
url: https://artifacts.example.com/evidence/${{ TRIGGER.alert_id }}
headers:
Authorization: Bearer ${{ SECRETS.artifacts.API_TOKEN }}
file_name: evidence.json
- ref: list_attachments
action: core.cases.list_attachments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_attachment
action: core.cases.get_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: get_download_url
action: core.cases.get_attachment_download_url
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
expiry: 900
- ref: download_attachment
action: core.cases.download_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
- ref: delete_attachment
action: core.cases.delete_attachment
args:
case_id: ${{ TRIGGER.case_id }}
attachment_id: ${{ TRIGGER.attachment_id }}
```
# Cases
Source: https://docs.tracecat.com/automations/core-actions/case-actions/cases
## `core.cases.create_case`
Create a new case.
### Inputs
The description of the case.
The summary of the case.
Dropdown selections to set on the case. Each item must include either definition\_id or definition\_ref, and either option\_id or option\_ref (or null to clear).
Default: `null`.
Custom fields for the case.
Default: `null`.
Payload for the case.
Default: `null`.
The priority of the case.
Default: `"unknown"`.
Allowed values: `unknown`, `low`, `medium`, `high`, `critical`, `other`.
The severity of the case.
Default: `"unknown"`.
Allowed values: `unknown`, `informational`, `low`, `medium`, `high`, `critical`, `fatal`, `other`.
The status of the case.
Default: `"unknown"`.
Allowed values: `unknown`, `new`, `in_progress`, `on_hold`, `resolved`, `closed`, `other`.
List of tag identifiers (IDs or refs) to add to the case.
Default: `null`.
### Examples
**Create and fetch a case**
```yaml theme={null}
- ref: create_case
action: core.cases.create_case
args:
summary: "Investigate alert ${{ TRIGGER.alert_id }}"
description: "Created from workflow trigger."
priority: high
severity: high
tags:
- phishing
- ref: get_case
action: core.cases.get_case
depends_on:
- create_case
args:
case_id: ${{ ACTIONS.create_case.result.id }}
```
## `core.cases.get_case`
Get details of a specific case by ID.
### Inputs
The ID of the case to retrieve.
### Examples
**Create and fetch a case**
```yaml theme={null}
- ref: create_case
action: core.cases.create_case
args:
summary: "Investigate alert ${{ TRIGGER.alert_id }}"
description: "Created from workflow trigger."
priority: high
severity: high
tags:
- phishing
- ref: get_case
action: core.cases.get_case
depends_on:
- create_case
args:
case_id: ${{ ACTIONS.create_case.result.id }}
```
## `core.cases.update_case`
Update an existing case.
### Inputs
The ID of the case to update.
If true, append the provided description to the existing description when it is not empty.
Default: `false`.
The updated description of the case.
Default: `null`.
Dropdown selections to set or clear. Each item must include either definition\_id or definition\_ref, and either option\_id or option\_ref (or null to clear).
Default: `null`.
Updated custom fields for the case.
Default: `null`.
Updated payload for the case.
Default: `null`.
The updated priority of the case.
Default: `null`.
The updated severity of the case.
Default: `null`.
The updated status of the case.
Default: `null`.
The updated summary of the case.
Default: `null`.
List of tag identifiers (IDs or refs) to set on the case. This will replace all existing tags.
Default: `null`.
### Examples
**Update case fields**
```yaml theme={null}
- ref: update_case
action: core.cases.update_case
args:
case_id: ${{ TRIGGER.case_id }}
status: in_progress
priority: critical
append: true
description: |
Analyst note:
- Escalated after credential theft indicators were confirmed.
```
## `core.cases.list_cases`
List all cases.
### Inputs
Pagination cursor used to fetch a specific page when paginate=true.
Default: `null`.
Maximum number of cases to return.
Default: `100`.
The field to order the cases by.
Default: `null`.
If true, return cursor pagination metadata along with items.
Default: `false`.
Reverse pagination direction when paginate=true.
Default: `false`.
The direction to order the cases by.
Default: `null`.
### Examples
**List, search, and inspect case activity**
```yaml theme={null}
- ref: list_cases
action: core.cases.list_cases
args:
limit: 25
order_by: updated_at
sort: desc
- ref: search_cases
action: core.cases.search_cases
args:
search_term: phishing
status:
- new
- in_progress
limit: 25
- ref: case_events
action: core.cases.list_case_events
args:
case_id: ${{ TRIGGER.case_id }}
```
## `core.cases.search_cases`
Search cases based on various criteria.
### Inputs
Filter by assignee ID or 'unassigned'.
Default: `null`.
Pagination cursor used to fetch a specific page when paginate=true.
Default: `null`.
Filter by dropdown values in definition\_ref:option\_ref format.
Default: `null`.
Filter cases created before this time.
Default: `null`.
Maximum number of cases to return.
Default: `100`.
The field to order the cases by.
Default: `null`.
If true, return cursor pagination metadata along with items.
Default: `false`.
Filter by case priority.
Default: `null`.
Reverse pagination direction when paginate=true.
Default: `false`.
Text to search for in case summary and description.
Default: `null`.
Filter by case severity.
Default: `null`.
The direction to order the cases by.
Default: `null`.
Filter cases created after this time.
Default: `null`.
Filter by case status.
Default: `null`.
Filter by tag IDs or refs (AND logic).
Default: `null`.
Filter cases updated after this time.
Default: `null`.
Filter cases updated before this time.
Default: `null`.
### Examples
**List, search, and inspect case activity**
```yaml theme={null}
- ref: list_cases
action: core.cases.list_cases
args:
limit: 25
order_by: updated_at
sort: desc
- ref: search_cases
action: core.cases.search_cases
args:
search_term: phishing
status:
- new
- in_progress
limit: 25
- ref: case_events
action: core.cases.list_case_events
args:
case_id: ${{ TRIGGER.case_id }}
```
## `core.cases.list_case_events`
List all events for a case in chronological order.
### Inputs
The ID of the case to get events for.
### Examples
**List, search, and inspect case activity**
```yaml theme={null}
- ref: list_cases
action: core.cases.list_cases
args:
limit: 25
order_by: updated_at
sort: desc
- ref: search_cases
action: core.cases.search_cases
args:
search_term: phishing
status:
- new
- in_progress
limit: 25
- ref: case_events
action: core.cases.list_case_events
args:
case_id: ${{ TRIGGER.case_id }}
```
## `core.cases.assign_user`
Assign a user to an existing case.
### Inputs
The ID of the user to assign to the case.
The ID of the case to assign a user to.
### Examples
**Assign a case**
```yaml theme={null}
- ref: assign_by_id
action: core.cases.assign_user
args:
case_id: ${{ TRIGGER.case_id }}
assignee_id: ${{ TRIGGER.assignee_id }}
- ref: assign_by_email
action: core.cases.assign_user_by_email
args:
case_id: ${{ TRIGGER.case_id }}
assignee_email: analyst@example.com
```
## `core.cases.assign_user_by_email`
Assign a user to an existing case by email.
### Inputs
The email of the user to assign to the case.
The ID of the case to assign a user to.
### Examples
**Assign a case**
```yaml theme={null}
- ref: assign_by_id
action: core.cases.assign_user
args:
case_id: ${{ TRIGGER.case_id }}
assignee_id: ${{ TRIGGER.assignee_id }}
- ref: assign_by_email
action: core.cases.assign_user_by_email
args:
case_id: ${{ TRIGGER.case_id }}
assignee_email: analyst@example.com
```
## `core.cases.add_case_tag`
Add a tag to a case by tag ID or ref.
### Inputs
The ID of the case to add a tag to.
The tag identifier (ID or ref) to add to the case.
If true, create the tag if it does not exist.
Default: `false`.
### Examples
**Add and remove tags**
```yaml theme={null}
- ref: add_tag
action: core.cases.add_case_tag
args:
case_id: ${{ TRIGGER.case_id }}
tag: credential-theft
create_if_missing: true
- ref: remove_tag
action: core.cases.remove_case_tag
args:
case_id: ${{ TRIGGER.case_id }}
tag: needs-triage
```
## `core.cases.remove_case_tag`
Remove a tag from a case by tag ID or ref.
### Inputs
The ID of the case to remove a tag from.
The tag identifier (ID or ref) to remove from the case.
### Examples
**Add and remove tags**
```yaml theme={null}
- ref: add_tag
action: core.cases.add_case_tag
args:
case_id: ${{ TRIGGER.case_id }}
tag: credential-theft
create_if_missing: true
- ref: remove_tag
action: core.cases.remove_case_tag
args:
case_id: ${{ TRIGGER.case_id }}
tag: needs-triage
```
## `core.cases.delete_case`
Delete a case.
### Inputs
The ID of the case to delete.
### Examples
**Delete a case**
```yaml theme={null}
- ref: close_case
action: core.cases.update_case
args:
case_id: ${{ TRIGGER.case_id }}
status: closed
- ref: delete_case
action: core.cases.delete_case
depends_on:
- close_case
args:
case_id: ${{ TRIGGER.case_id }}
```
# Comments
Source: https://docs.tracecat.com/automations/core-actions/case-actions/comments
## `core.cases.create_comment`
Add a comment to an existing case.
### Inputs
The ID of the case to comment on.
The comment content.
The ID of the parent comment if this is a reply.
Default: `null`.
The ID of the workflow to run when the comment is created.
Default: `null`.
### Examples
**Manage case comments**
```yaml theme={null}
- ref: create_comment
action: core.cases.create_comment
args:
case_id: ${{ TRIGGER.case_id }}
content: "Initial triage started."
- ref: reply_to_comment
action: core.cases.reply_to_comment
depends_on:
- create_comment
args:
case_id: ${{ TRIGGER.case_id }}
parent_comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Added IOC context."
- ref: update_comment
action: core.cases.update_comment
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Initial triage started. Waiting on endpoint data."
- ref: list_comments
action: core.cases.list_comments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: list_comment_threads
action: core.cases.list_comment_threads
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_comment_thread
action: core.cases.get_comment_thread
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
```
## `core.cases.reply_to_comment`
Reply to a top-level case comment.
### Inputs
The ID of the case containing the parent comment.
The reply content.
The ID of the top-level comment to reply to.
### Examples
**Manage case comments**
```yaml theme={null}
- ref: create_comment
action: core.cases.create_comment
args:
case_id: ${{ TRIGGER.case_id }}
content: "Initial triage started."
- ref: reply_to_comment
action: core.cases.reply_to_comment
depends_on:
- create_comment
args:
case_id: ${{ TRIGGER.case_id }}
parent_comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Added IOC context."
- ref: update_comment
action: core.cases.update_comment
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Initial triage started. Waiting on endpoint data."
- ref: list_comments
action: core.cases.list_comments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: list_comment_threads
action: core.cases.list_comment_threads
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_comment_thread
action: core.cases.get_comment_thread
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
```
## `core.cases.update_comment`
Update an existing case comment.
### Inputs
The ID of the comment to update.
The updated comment content.
### Examples
**Manage case comments**
```yaml theme={null}
- ref: create_comment
action: core.cases.create_comment
args:
case_id: ${{ TRIGGER.case_id }}
content: "Initial triage started."
- ref: reply_to_comment
action: core.cases.reply_to_comment
depends_on:
- create_comment
args:
case_id: ${{ TRIGGER.case_id }}
parent_comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Added IOC context."
- ref: update_comment
action: core.cases.update_comment
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Initial triage started. Waiting on endpoint data."
- ref: list_comments
action: core.cases.list_comments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: list_comment_threads
action: core.cases.list_comment_threads
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_comment_thread
action: core.cases.get_comment_thread
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
```
## `core.cases.list_comments`
List all comments for a case.
### Inputs
The ID of the case to get comments for.
### Examples
**Manage case comments**
```yaml theme={null}
- ref: create_comment
action: core.cases.create_comment
args:
case_id: ${{ TRIGGER.case_id }}
content: "Initial triage started."
- ref: reply_to_comment
action: core.cases.reply_to_comment
depends_on:
- create_comment
args:
case_id: ${{ TRIGGER.case_id }}
parent_comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Added IOC context."
- ref: update_comment
action: core.cases.update_comment
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Initial triage started. Waiting on endpoint data."
- ref: list_comments
action: core.cases.list_comments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: list_comment_threads
action: core.cases.list_comment_threads
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_comment_thread
action: core.cases.get_comment_thread
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
```
## `core.cases.list_comment_threads`
List comment threads for a case.
### Inputs
The ID of the case to get comment threads for.
### Examples
**Manage case comments**
```yaml theme={null}
- ref: create_comment
action: core.cases.create_comment
args:
case_id: ${{ TRIGGER.case_id }}
content: "Initial triage started."
- ref: reply_to_comment
action: core.cases.reply_to_comment
depends_on:
- create_comment
args:
case_id: ${{ TRIGGER.case_id }}
parent_comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Added IOC context."
- ref: update_comment
action: core.cases.update_comment
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Initial triage started. Waiting on endpoint data."
- ref: list_comments
action: core.cases.list_comments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: list_comment_threads
action: core.cases.list_comment_threads
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_comment_thread
action: core.cases.get_comment_thread
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
```
## `core.cases.get_comment_thread`
Get the full thread for a comment ID.
### Inputs
The ID of a comment within the thread.
### Examples
**Manage case comments**
```yaml theme={null}
- ref: create_comment
action: core.cases.create_comment
args:
case_id: ${{ TRIGGER.case_id }}
content: "Initial triage started."
- ref: reply_to_comment
action: core.cases.reply_to_comment
depends_on:
- create_comment
args:
case_id: ${{ TRIGGER.case_id }}
parent_comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Added IOC context."
- ref: update_comment
action: core.cases.update_comment
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
content: "Initial triage started. Waiting on endpoint data."
- ref: list_comments
action: core.cases.list_comments
args:
case_id: ${{ TRIGGER.case_id }}
- ref: list_comment_threads
action: core.cases.list_comment_threads
args:
case_id: ${{ TRIGGER.case_id }}
- ref: get_comment_thread
action: core.cases.get_comment_thread
depends_on:
- create_comment
args:
comment_id: ${{ ACTIONS.create_comment.result.id }}
```
# Linked rows
Source: https://docs.tracecat.com/automations/core-actions/case-actions/linked-rows
Linked rows use regular tables.
When you create a table for case-linked evidence, use the same `columns` JSON schema documented in [Tables](/automations/tables) and [Table actions](/automations/core-actions/memory-actions/tables).
## `core.cases.link_row`
Link an existing table row to a case.
### Inputs
Case ID
Row ID
Table ID
### Examples
**Link table rows to a case**
```yaml theme={null}
- ref: link_row
action: core.cases.link_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row_id: ${{ TRIGGER.row_id }}
- ref: unlink_row
action: core.cases.unlink_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row_id: ${{ TRIGGER.row_id }}
- ref: insert_case_row
action: core.cases.insert_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row:
value: ${{ TRIGGER.indicator }}
indicator_type: domain
```
## `core.cases.unlink_row`
Remove a linked table row from a case.
### Inputs
Case ID
Row ID
Table ID
### Examples
**Link table rows to a case**
```yaml theme={null}
- ref: link_row
action: core.cases.link_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row_id: ${{ TRIGGER.row_id }}
- ref: unlink_row
action: core.cases.unlink_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row_id: ${{ TRIGGER.row_id }}
- ref: insert_case_row
action: core.cases.insert_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row:
value: ${{ TRIGGER.indicator }}
indicator_type: domain
```
## `core.cases.insert_row`
Insert a row into a table and link it to a case.
### Inputs
Case ID
Row values
Table ID
### Examples
**Link table rows to a case**
```yaml theme={null}
- ref: link_row
action: core.cases.link_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row_id: ${{ TRIGGER.row_id }}
- ref: unlink_row
action: core.cases.unlink_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row_id: ${{ TRIGGER.row_id }}
- ref: insert_case_row
action: core.cases.insert_row
args:
case_id: ${{ TRIGGER.case_id }}
table_id: indicators
row:
value: ${{ TRIGGER.indicator }}
indicator_type: domain
```
# Metrics
Source: https://docs.tracecat.com/automations/core-actions/case-actions/metrics
## `core.cases.get_case_metrics`
Get case metrics as OTEL-aligned time-series for the provided case IDs.
Enterprise Edition
### Inputs
List of case IDs to get case metrics for.
### Examples
**Read case metrics**
```yaml theme={null}
- ref: case_metrics
action: core.cases.get_case_metrics
args:
case_ids:
- ${{ TRIGGER.case_id }}
- ${{ TRIGGER.related_case_id }}
```
# Tasks
Source: https://docs.tracecat.com/automations/core-actions/case-actions/tasks
## `core.cases.create_task`
Create a new task for a case.
Enterprise Edition
### Inputs
The ID of the case to create a task for.
The title of the task.
The ID of the user to assign the task to.
Default: `null`.
The default trigger values for the task.
Default: `null`.
The description of the task.
Default: `null`.
The priority of the task (unknown, low, medium, high, critical).
Default: `"unknown"`.
The status of the task (todo, in\_progress, blocked, completed).
Default: `"todo"`.
The ID of the workflow associated with this task.
Default: `null`.
### Examples
**Manage case tasks**
```yaml theme={null}
- ref: create_task
action: core.cases.create_task
args:
case_id: ${{ TRIGGER.case_id }}
title: Collect email headers
description: Pull the original message from the mail gateway.
priority: high
status: todo
- ref: get_task
action: core.cases.get_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
- ref: list_tasks
action: core.cases.list_tasks
args:
case_id: ${{ TRIGGER.case_id }}
- ref: update_task
action: core.cases.update_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
status: in_progress
- ref: delete_task
action: core.cases.delete_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
```
## `core.cases.get_task`
Get a specific case task by ID.
Enterprise Edition
### Inputs
The ID of the task to retrieve.
### Examples
**Manage case tasks**
```yaml theme={null}
- ref: create_task
action: core.cases.create_task
args:
case_id: ${{ TRIGGER.case_id }}
title: Collect email headers
description: Pull the original message from the mail gateway.
priority: high
status: todo
- ref: get_task
action: core.cases.get_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
- ref: list_tasks
action: core.cases.list_tasks
args:
case_id: ${{ TRIGGER.case_id }}
- ref: update_task
action: core.cases.update_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
status: in_progress
- ref: delete_task
action: core.cases.delete_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
```
## `core.cases.list_tasks`
List all tasks for a case.
Enterprise Edition
### Inputs
The ID of the case to list tasks for.
### Examples
**Manage case tasks**
```yaml theme={null}
- ref: create_task
action: core.cases.create_task
args:
case_id: ${{ TRIGGER.case_id }}
title: Collect email headers
description: Pull the original message from the mail gateway.
priority: high
status: todo
- ref: get_task
action: core.cases.get_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
- ref: list_tasks
action: core.cases.list_tasks
args:
case_id: ${{ TRIGGER.case_id }}
- ref: update_task
action: core.cases.update_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
status: in_progress
- ref: delete_task
action: core.cases.delete_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
```
## `core.cases.update_task`
Update an existing case task.
Enterprise Edition
### Inputs
The ID of the task to update.
The ID of the user to assign the task to.
Default: `null`.
The default trigger values for the task.
Default: `null`.
The updated description of the task.
Default: `null`.
The updated priority of the task (unknown, low, medium, high, critical).
Default: `null`.
The updated status of the task (todo, in\_progress, blocked, completed).
Default: `null`.
The updated title of the task.
Default: `null`.
The ID of the workflow associated with this task.
Default: `null`.
### Examples
**Manage case tasks**
```yaml theme={null}
- ref: create_task
action: core.cases.create_task
args:
case_id: ${{ TRIGGER.case_id }}
title: Collect email headers
description: Pull the original message from the mail gateway.
priority: high
status: todo
- ref: get_task
action: core.cases.get_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
- ref: list_tasks
action: core.cases.list_tasks
args:
case_id: ${{ TRIGGER.case_id }}
- ref: update_task
action: core.cases.update_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
status: in_progress
- ref: delete_task
action: core.cases.delete_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
```
## `core.cases.delete_task`
Delete a case task.
Enterprise Edition
### Inputs
The ID of the task to delete.
### Examples
**Manage case tasks**
```yaml theme={null}
- ref: create_task
action: core.cases.create_task
args:
case_id: ${{ TRIGGER.case_id }}
title: Collect email headers
description: Pull the original message from the mail gateway.
priority: high
status: todo
- ref: get_task
action: core.cases.get_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
- ref: list_tasks
action: core.cases.list_tasks
args:
case_id: ${{ TRIGGER.case_id }}
- ref: update_task
action: core.cases.update_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
status: in_progress
- ref: delete_task
action: core.cases.delete_task
depends_on:
- create_task
args:
task_id: ${{ ACTIONS.create_task.result.id }}
```
# Filesystem
Source: https://docs.tracecat.com/automations/core-actions/memory-actions/filesystem
Filesystem actions are in private beta. Contact
[founders@tracecat.com](mailto:founders@tracecat.com) to learn more.
Give your agents a persistent filesystem to store files and data as memory.
Share these filesystems between agent runs and other agents.
# Tables
Source: https://docs.tracecat.com/automations/core-actions/memory-actions/tables
Tables are the built-in structured data store behind `core.table.*`.
Use them when your workflows need durable, queryable records such as asset inventories, user allowlists, enrichment results, or investigation evidence.
## What tables are good for
* Persisting enrichment data across workflow runs
* Looking up records by a known field such as hostname, email, or indicator
* Searching and exporting structured data for analysts
* Attaching case context to reusable datasets
## Common workflow pattern
Most table workflows follow the same lifecycle:
1. Create the table once with a schema that fits your data.
2. Insert or upsert rows as new events arrive.
3. Look up, search, or export rows later from another workflow step.
```yaml theme={null}
- ref: ensure_inventory_table
action: core.table.create_table
args:
name: asset_inventory
columns:
- name: hostname
type: TEXT
- name: owner
type: TEXT
- name: last_seen
type: TIMESTAMPTZ
raise_on_duplicate: false
- ref: upsert_asset
action: core.table.insert_row
args:
table: asset_inventory
upsert: true
row_data:
hostname: ${{ TRIGGER.hostname }}
owner: ${{ TRIGGER.owner }}
last_seen: ${{ FN.now() }}
- ref: find_asset
action: core.table.lookup
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
```
## Column schema
`core.table.create_table` takes `columns` as a JSON array of column objects.
This is the same schema you use for tables that you later link to cases.
* `name`: Required string. Use letters, numbers, and underscores, and start with a letter or underscore.
* `type`: Required uppercase string. Use `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, or `MULTI_SELECT`.
* `nullable`: Optional boolean. Defaults to `true`.
* `default`: Optional value. It must match the column type.
* `options`: Optional array of strings. Required for `SELECT` and `MULTI_SELECT`, and invalid for other types.
The documented `type` values match the custom tables picker.
Case custom fields use the same storage type family: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`.
In the case field picker, raw `JSONB` is currently surfaced through the `URL` kind, and `Long text` is layered on top of `TEXT`.
## Notes
* Use `lookup` or `is_in` when you already know the column and value you need.
* Use `search_rows` when you need broader text search or paginated results.
* Use `download` when you want to export rows as JSON, NDJSON, CSV, or Markdown.
## FAQ
`core.table.insert_rows` is best for batch inserts, but you should split large imports into smaller batches first.
Create batches upstream, then run one `insert_rows` action per batch.
```yaml theme={null}
- ref: insert_batch
action: core.table.insert_rows
for_each: ${{ for var.batch in TRIGGER.row_batches }}
args:
table: asset_inventory
rows_data: ${{ var.batch }}
```
Each `var.batch` should be a list of rows that stays within your chosen batch size.
This keeps imports predictable and makes retry behavior easier to reason about.
Use the documented uppercase type names: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`.
* Use `SELECT` and `MULTI_SELECT` only when you also provide `options`.
* Use `TEXT` or `JSONB` for flexible payloads.
* Case-linked custom fields follow the same storage type family as tables.
```yaml theme={null}
- ref: create_table
action: core.table.create_table
args:
name: asset_inventory
columns:
- name: hostname
type: TEXT
- name: first_seen_at
type: TIMESTAMPTZ
- name: owner_team
type: SELECT
options:
- secops
- platform
- it
```
## `core.table.create_table`
Create a new lookup table with optional columns.
### Inputs
The name of the table to create.
List of column definitions. Each item is a JSON object with required `name` and uppercase `type`, plus optional `nullable`, `default`, and `options` fields. Use `options` only with `SELECT` or `MULTI_SELECT`.
Default: `null`.
If true, raise an error if the table already exists.
Default: `true`.
### Examples
**Create and inspect a table**
```yaml theme={null}
- ref: create_table
action: core.table.create_table
args:
name: asset_inventory
columns:
- name: hostname
type: TEXT
- name: owner
type: TEXT
raise_on_duplicate: false
- ref: list_tables
action: core.table.list_tables
- ref: table_metadata
action: core.table.get_table_metadata
args:
name: asset_inventory
```
## `core.table.list_tables`
Get a list of all available tables in the workspace.
### Inputs
This action does not take input fields.
### Examples
**Create and inspect a table**
```yaml theme={null}
- ref: create_table
action: core.table.create_table
args:
name: asset_inventory
columns:
- name: hostname
type: TEXT
- name: owner
type: TEXT
raise_on_duplicate: false
- ref: list_tables
action: core.table.list_tables
- ref: table_metadata
action: core.table.get_table_metadata
args:
name: asset_inventory
```
## `core.table.get_table_metadata`
Get a table's metadata by name. This includes the columns and whether they are indexed.
### Inputs
The name of the table to get.
### Examples
**Create and inspect a table**
```yaml theme={null}
- ref: create_table
action: core.table.create_table
args:
name: asset_inventory
columns:
- name: hostname
type: TEXT
- name: owner
type: TEXT
raise_on_duplicate: false
- ref: list_tables
action: core.table.list_tables
- ref: table_metadata
action: core.table.get_table_metadata
args:
name: asset_inventory
```
## `core.table.lookup`
Get a single row from a table corresponding to the given column and value.
### Inputs
The column to lookup the value in.
The table to lookup the value in.
The value to lookup.
### Examples
**Look up rows**
```yaml theme={null}
- ref: lookup_row
action: core.table.lookup
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
- ref: row_exists
action: core.table.is_in
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
- ref: lookup_many_rows
action: core.table.lookup_many
args:
table: asset_inventory
column: owner
value: secops
limit: 25
```
## `core.table.is_in`
Check if a value exists in a table column.
### Inputs
The column to check in.
The table to check.
The value to check for.
### Examples
**Look up rows**
```yaml theme={null}
- ref: lookup_row
action: core.table.lookup
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
- ref: row_exists
action: core.table.is_in
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
- ref: lookup_many_rows
action: core.table.lookup_many
args:
table: asset_inventory
column: owner
value: secops
limit: 25
```
## `core.table.lookup_many`
Get multiple rows from a table corresponding to the given column and values.
### Inputs
The column to lookup the value in.
The table to lookup the value in.
The value to lookup.
The maximum number of rows to return.
Default: `100`.
### Examples
**Look up rows**
```yaml theme={null}
- ref: lookup_row
action: core.table.lookup
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
- ref: row_exists
action: core.table.is_in
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
- ref: lookup_many_rows
action: core.table.lookup_many
args:
table: asset_inventory
column: owner
value: secops
limit: 25
```
## `core.table.search_rows`
Search for rows in a table with optional filtering.
### Inputs
The table to search in.
Cursor for pagination.
Default: `null`.
Filter rows created before this time.
Default: `null`.
The maximum number of rows to return.
Default: `100`.
If true, return cursor pagination metadata along with items.
Default: `false`.
Reverse pagination direction.
Default: `false`.
Text to search for across all text and JSONB columns.
Default: `null`.
Filter rows created after this time.
Default: `null`.
Filter rows updated after this time.
Default: `null`.
Filter rows updated before this time.
Default: `null`.
### Examples
**Search table rows**
```yaml theme={null}
- ref: search_rows
action: core.table.search_rows
args:
table: asset_inventory
search_term: database
limit: 50
paginate: true
```
## `core.table.insert_row`
Insert a row into a table.
### Inputs
The data to insert into the row.
The table to insert the row into.
If true, update the row if it already exists (based on primary key).
Default: `false`.
### Examples
**Insert, update, and delete rows**
```yaml theme={null}
- ref: insert_row
action: core.table.insert_row
args:
table: asset_inventory
row_data:
hostname: app-01
owner: secops
- ref: insert_rows
action: core.table.insert_rows
args:
table: asset_inventory
rows_data:
- hostname: app-02
owner: secops
- hostname: app-03
owner: platform
- ref: update_row
action: core.table.update_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
row_data:
owner: incident-response
- ref: delete_row
action: core.table.delete_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
```
## `core.table.insert_rows`
Insert multiple rows into a table.
### Inputs
The list of data to insert into the table.
The table to insert the rows into.
If true, update the rows if they already exist (based on primary key).
Default: `false`.
### Examples
**Insert, update, and delete rows**
```yaml theme={null}
- ref: insert_row
action: core.table.insert_row
args:
table: asset_inventory
row_data:
hostname: app-01
owner: secops
- ref: insert_rows
action: core.table.insert_rows
args:
table: asset_inventory
rows_data:
- hostname: app-02
owner: secops
- hostname: app-03
owner: platform
- ref: update_row
action: core.table.update_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
row_data:
owner: incident-response
- ref: delete_row
action: core.table.delete_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
```
## `core.table.update_row`
Update a row in a table.
### Inputs
The new data for the row.
The ID of the row to update.
The table to update the row in.
### Examples
**Insert, update, and delete rows**
```yaml theme={null}
- ref: insert_row
action: core.table.insert_row
args:
table: asset_inventory
row_data:
hostname: app-01
owner: secops
- ref: insert_rows
action: core.table.insert_rows
args:
table: asset_inventory
rows_data:
- hostname: app-02
owner: secops
- hostname: app-03
owner: platform
- ref: update_row
action: core.table.update_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
row_data:
owner: incident-response
- ref: delete_row
action: core.table.delete_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
```
## `core.table.delete_row`
Delete a row from a table.
### Inputs
The ID of the row to delete.
The table to delete the row from.
### Examples
**Insert, update, and delete rows**
```yaml theme={null}
- ref: insert_row
action: core.table.insert_row
args:
table: asset_inventory
row_data:
hostname: app-01
owner: secops
- ref: insert_rows
action: core.table.insert_rows
args:
table: asset_inventory
rows_data:
- hostname: app-02
owner: secops
- hostname: app-03
owner: platform
- ref: update_row
action: core.table.update_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
row_data:
owner: incident-response
- ref: delete_row
action: core.table.delete_row
args:
table: asset_inventory
row_id: ${{ TRIGGER.row_id }}
```
## `core.table.download`
Download a table's data by name as list of dicts, JSON string, NDJSON string, CSV or Markdown.
### Inputs
The name of the table to download.
The format to download the table data in.
Default: `null`.
The maximum number of rows to download.
Default: `1000`.
### Examples
**Export table data**
```yaml theme={null}
- ref: export_table
action: core.table.download
args:
name: asset_inventory
format: csv
limit: 1000
```
# Email
Source: https://docs.tracecat.com/automations/core-actions/request-actions/email
## `core.send_email_smtp`
Send email using SMTP.
### Secrets
Required secrets:
* `smtp`: required values `SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASS`.
### Inputs
Body content of the email
List of recipient email addresses
Email address of the sender
Subject of the email
Key-value pairs of allowed attributes to add to the email body. e.g. \{'\*': \['style']}. This allows all tags to have a style attribute
Default: `null`.
Recipient(s) to be copied in the BCC field
Default: `null`.
Recipient(s) to be copied in the CC field
Default: `null`.
Email content type ('text/plain' or 'text/html'). Defaults to 'text/plain'.
Default: `"text/plain"`.
Allowed values: `text/plain`, `text/html`.
Enable SMTP authentication
Default: `false`.
Enable SSL for secure connection
Default: `false`.
Enable STARTTLS for secure connection
Default: `false`.
Additional email headers
Default: `null`.
Ignore SSL certificate errors
Default: `false`.
Email address(es) to be used in the Reply-To field
Default: `null`.
Email address prefix of the sender
Default: `null`.
Timeout for SMTP operations in seconds
Default: `null`.
### Examples
**Send a notification**
```yaml theme={null}
- ref: notify_team
action: core.send_email_smtp
args:
sender: no-reply@example.com
recipients:
- secops@example.com
subject: "Tracecat alert ${{ TRIGGER.alert_id }}"
body: "Severity: ${{ TRIGGER.severity }}"
content_type: text/plain
enable_starttls: true
enable_auth: true
```
# gRPC
Source: https://docs.tracecat.com/automations/core-actions/request-actions/grpc
## `core.grpc.request`
Call a gRPC method using a runtime-compiled protobuf definition.
### Secrets
Optional secrets:
* `grpc_mtls`: required values `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY`.
* `grpc_ca_cert`: required values `CA_CERTIFICATE`.
### Inputs
gRPC method name (e.g., 'Query').
Inline .proto definition.
gRPC service name (e.g., 'API').
gRPC server address in host:port format.
Use an insecure plaintext channel. Defaults to False (TLS channel).
Default: `false`.
Request payload as a dict matching the protobuf schema.
Default: `null`.
Timeout in seconds for the RPC. Defaults to no timeout.
Default: `null`.
### Examples
**Call a gRPC service**
```yaml theme={null}
- ref: grpc_query
action: core.grpc.request
args:
target: grpc.example.com:443
service_name: Alerts
method_name: GetAlert
proto: |
syntax = "proto3";
package alerts;
service Alerts {
rpc GetAlert (GetAlertRequest) returns (AlertResponse);
}
message GetAlertRequest {
string id = 1;
}
message AlertResponse {
string id = 1;
string severity = 2;
}
payload:
id: ${{ TRIGGER.alert_id }}
```
# HTTP
Source: https://docs.tracecat.com/automations/core-actions/request-actions/http
## `core.http_request`
Perform a HTTP request to a given URL.
### Secrets
Optional secrets:
* `mtls`: required values `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY`.
* `ca_cert`: required values `CA_CERTIFICATE`.
### Inputs
HTTP request method
Allowed values: `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, `HEAD`, `OPTIONS`.
The destination of the HTTP request
Basic auth credentials with `username` and `password` keys
Default: `null`.
Base64 encode the raw response body before returning. Use this for binary downloads to prevent corruption from text decoding.
Default: `false`.
Files to upload using multipart/form-data. The dictionary key is the form field name. The value can be a simple base64 encoded string (filename defaults to form field name), or a dictionary with 'filename', 'content\_base64', and optional 'content\_type'.
Default: `null`.
Follow HTTP redirects
Default: `false`.
Form encoded data in request body (POST, PUT, and PATCH)
Default: `null`.
HTTP request headers
Default: `null`.
If specified, these status codes will not be treated as errors. Defaults to None.
Default: `null`.
Maximum number of redirects
Default: `20`.
URL query parameters
Default: `null`.
JSON serializable data in request body (POST, PUT, and PATCH)
Default: `null`.
Timeout in seconds
Default: `10.0`.
Verify SSL certificates. Defaults to True, disable at own risk.
Default: `true`.
### Examples
**Basic request**
```yaml theme={null}
- ref: fetch_alert
action: core.http_request
args:
url: https://api.example.com/alerts/${{ TRIGGER.alert_id }}
method: GET
headers:
Authorization: Bearer ${{ SECRETS.alerts.API_TOKEN }}
```
## `core.http_poll`
Perform a HTTP request to a given URL with optional polling.
### Secrets
Optional secrets:
* `mtls`: required values `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY`.
* `ca_cert`: required values `CA_CERTIFICATE`.
### Inputs
HTTP request method
Allowed values: `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, `HEAD`, `OPTIONS`.
The destination of the HTTP request
Basic auth credentials with `username` and `password` keys
Default: `null`.
Follow HTTP redirects
Default: `false`.
Form encoded data in request body (POST, PUT, and PATCH)
Default: `null`.
HTTP request headers
Default: `null`.
Maximum number of redirects
Default: `20`.
URL query parameters
Default: `null`.
JSON serializable data in request body (POST, PUT, and PATCH)
Default: `null`.
Python lambda function when evaluated to True, stops polling. The function receives a dict with `headers`, `data`, and `status_code` fields.
Default: `null`.
Interval in seconds between polling attempts. If not specified, defaults to polling with exponential wait.
Default: `null`.
Maximum number of polling attempts. If set to 0, the action will poll indefinitely (until timeout).
Default: `10`.
Status codes on which the action will retry. Ignored if `poll_condition` is provided. If neither are specified, an error will be raised.
Default: `null`.
Timeout in seconds
Default: `10.0`.
Verify SSL certificates. Defaults to True, disable at own risk.
Default: `true`.
### Examples
**Poll until complete**
```yaml theme={null}
- ref: wait_for_export
action: core.http_poll
args:
url: https://api.example.com/exports/${{ TRIGGER.export_id }}
method: GET
headers:
Authorization: Bearer ${{ SECRETS.exports.API_TOKEN }}
poll_interval: 5
poll_max_attempts: 24
poll_condition: "lambda response: response['data'].get('status') == 'completed'"
```
## `core.http_paginate`
Paginate through a HTTP response.
### Inputs
HTTP request method
Allowed values: `GET`, `POST`, `PUT`, `PATCH`, `DELETE`, `HEAD`, `OPTIONS`.
Python lambda function that returns the next request as a JSON of `url`, `method`, `headers`, `params`, `payload`, `form_data` to paginate to. The function receives a dict with `headers`, `data`, and `status_code` fields.
Python lambda function that determines when pagination should STOP. The function receives a dict with `headers`, `data`, and `status_code` fields.
The destination of the HTTP request
Basic auth credentials with `username` and `password` keys
Default: `null`.
Follow HTTP redirects
Default: `false`.
Form encoded data in request body (POST, PUT, and PATCH)
Default: `null`.
HTTP request headers
Default: `null`.
JSONPath expression that evaluates to the items to paginate through.
Default: `null`.
Maximum number of items to paginate through. Defaults to 1000.
Default: `1000`.
Maximum number of redirects
Default: `20`.
URL query parameters
Default: `null`.
JSON serializable data in request body (POST, PUT, and PATCH)
Default: `null`.
Timeout in seconds
Default: `10.0`.
Verify SSL certificates. Defaults to True, disable at own risk.
Default: `true`.
### Examples
**Follow next page links**
```yaml theme={null}
- ref: list_findings
action: core.http_paginate
args:
url: https://api.example.com/findings
method: GET
headers:
Authorization: Bearer ${{ SECRETS.findings.API_TOKEN }}
params:
limit: 100
items_jsonpath: $.items[*]
stop_condition: "lambda response: response['data'].get('next_cursor') is None"
next_request: "lambda response: {'url': 'https://api.example.com/findings', 'method': 'GET', 'headers': {'Authorization': 'Bearer ${{ SECRETS.findings.API_TOKEN }}'}, 'params': {'limit': 100, 'cursor': response['data']['next_cursor']}}"
```
# SQL
Source: https://docs.tracecat.com/automations/core-actions/request-actions/sql
## `core.sql.execute_query`
Execute a parameterized SQL query on an external database.
### Secrets
Required secrets:
* `sql`: required values `CONNECTION_URL`.
### Inputs
SQL query to execute. Use :param\_name syntax for bound parameters. Do NOT use Tracecat expressions in the query string.
Bound query parameters as a dictionary (injected with :param\_name syntax). Supply dynamic values here, NOT within the query string. This is required for safe, parameterized SQL queries.
Default: `null`.
Return a single row instead of a list of rows. Defaults to False, which fetches all rows.
Default: `false`.
Maximum number of rows to return. Default 200. Prevents accidentally returning huge result sets.
Default: `200`.
### Examples
**Query an external database**
```yaml theme={null}
- ref: recent_logins
action: core.sql.execute_query
args:
query: |
SELECT user_email, last_login_at
FROM user_logins
WHERE last_login_at >= :cutoff
ORDER BY last_login_at DESC
bound_params:
cutoff: ${{ TRIGGER.cutoff }}
max_rows: 100
```
## `core.duckdb.execute_sql`
Execute SQL in an in-process DuckDB engine
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Inputs
SQL to execute in an in-process DuckDB connection.
### Examples
**Run in-process SQL**
```yaml theme={null}
- ref: aggregate_results
action: core.duckdb.execute_sql
args:
sql: |
WITH findings(id, severity) AS (
VALUES (1, 'high'), (2, 'low'), (3, 'high')
)
SELECT severity, count(*) AS count
FROM findings
GROUP BY severity
ORDER BY count DESC
```
**Read from S3**
```yaml theme={null}
# Attach the amazon_s3 secret (static keys or AWS_ROLE_ARN for AssumeRole).
- ref: read_s3
action: core.duckdb.execute_sql
args:
sql: |
SELECT *
FROM read_parquet('s3://my-bucket/findings/*.parquet')
```
# SSH
Source: https://docs.tracecat.com/automations/core-actions/request-actions/ssh
## `core.ssh.execute_command`
Execute a command over SSH and return stdout, stderr, and exit status.
### Secrets
Required secrets:
* `ssh`: required values `PRIVATE_KEY`.
### Inputs
Command to execute on the remote host.
SSH host to connect to.
Expected public host key for the target host in '\ \' format. For non-22 ports, the entry is stored as \[host]:port.
SSH username.
Password for the SSH user.
Default: `null`.
SSH port. Defaults to 22.
Default: `22`.
Timeout in seconds for connection and command execution.
Default: `30.0`.
### Examples
**Execute a remote command**
```yaml theme={null}
- ref: collect_uptime
action: core.ssh.execute_command
args:
host: 10.0.10.15
port: 22
username: tracecat
host_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEXAMPLEHOSTKEY"
command: uptime
timeout_seconds: 20
```
# Data transforms
Source: https://docs.tracecat.com/automations/core-actions/transform-actions/data-transforms
## `core.transform.apply`
Apply a Python lambda function to a value.
### Inputs
Python lambda function as a string (e.g. `"lambda x: x.get('name')"`).
Value to apply the lambda function to.
### Examples
**Filter, transform, and compact**
```yaml theme={null}
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
```
## `core.transform.filter`
Filter a collection using a Python lambda function.
### Inputs
Items to filter.
Filter condition as a Python lambda expression (e.g. `"lambda x: x > 2"`).
### Examples
**Filter, transform, and compact**
```yaml theme={null}
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
```
## `core.transform.map`
Map a Python lambda function to each item in a list.
### Inputs
Items to map the lambda function to.
Python lambda function as a string (e.g. `"lambda x: x.get('name')"`).
### Examples
**Filter, transform, and compact**
```yaml theme={null}
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
```
## `core.transform.drop_nulls`
Remove null values from a list.
### Inputs
List of items to filter.
### Examples
**Filter, transform, and compact**
```yaml theme={null}
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
```
## `core.transform.is_in`
Filters items in a list based on whether they are in a collection.
### Inputs
Collection of hashable items to check against.
Items to filter.
Python lambda applied to each item before checking membership (e.g. `"lambda x: x.get('name')"`). Similar to `key` in the Python `sorted` function.
Default: `null`.
### Examples
**Keep or exclude matching items**
```yaml theme={null}
- ref: keep_known_users
action: core.transform.is_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
- ref: remove_known_users
action: core.transform.not_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
```
## `core.transform.not_in`
Filters items in a list based on whether they are not in a collection.
### Inputs
Collection of hashable items to check against.
Items to filter.
Python lambda applied to each item before checking membership (e.g. `"lambda x: x.get('name')"`). Similar to `key` in the Python `sorted` function.
Default: `null`.
### Examples
**Keep or exclude matching items**
```yaml theme={null}
- ref: keep_known_users
action: core.transform.is_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
- ref: remove_known_users
action: core.transform.not_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
```
## `core.transform.deduplicate`
Deduplicate a JSON object or a list of JSON objects given a list of keys. Returns a list of deduplicated JSON objects.
### Inputs
JSON object or list of JSON objects to deduplicate.
List of JSONPath keys to deduplicate by. Supports dot notation for nested keys (e.g. `['user.id']`).
Time to live for the deduplicated items in seconds. Defaults to 1 hour.
Default: `3600`.
Whether to persist deduplicated items across calls. If True, deduplicates across calls. If False, deduplicates within the current call only.
Default: `true`.
### Examples
**Deduplicate by a stable key**
```yaml theme={null}
- ref: deduplicate_findings
action: core.transform.deduplicate
args:
items: ${{ TRIGGER.findings }}
keys:
- finding_id
persist: true
expire_seconds: 3600
- ref: finding_seen
action: core.transform.is_duplicate
args:
item: ${{ TRIGGER.finding }}
keys:
- finding_id
expire_seconds: 3600
```
## `core.transform.is_duplicate`
Check if a JSON object was recently seen.
### Inputs
JSON object to check.
List of JSONPath keys to check.
Time to live for the deduplicated items in seconds. Defaults to 1 hour.
Default: `3600`.
### Examples
**Deduplicate by a stable key**
```yaml theme={null}
- ref: deduplicate_findings
action: core.transform.deduplicate
args:
items: ${{ TRIGGER.findings }}
keys:
- finding_id
persist: true
expire_seconds: 3600
- ref: finding_seen
action: core.transform.is_duplicate
args:
item: ${{ TRIGGER.finding }}
keys:
- finding_id
expire_seconds: 3600
```
## `core.transform.flatten_json`
Flatten a JSON object into a single level of fields.
### Inputs
JSON object to flatten.
### Examples
**Flatten and query JSON**
```yaml theme={null}
- ref: flatten_alert
action: core.transform.flatten_json
args:
json: ${{ TRIGGER.alert }}
- ref: extract_fields
action: core.transform.eval_jsonpaths
args:
json: ${{ TRIGGER.alert }}
jsonpaths:
user: $.actor.email
source_ip: $.network.source.ip
```
## FAQ
Expressions support Tracecat literals, operators, and `FN.*` helper functions.
Python lambda functions are not part of the expression language, so they must be passed as strings to actions such as `core.transform.apply`, `core.transform.filter`, or `core.transform.map`.
Use `FN.*` for short inline transforms, and use `core.transform.*` when you need Python-style per-item logic.
```yaml theme={null}
- ref: extract_ids
action: core.transform.map
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('id')"
```
Add a small debug reshape step first.
This lets you confirm whether you have a list or object, inspect a count, and verify the field path you plan to iterate over.
```yaml theme={null}
- ref: inspect_findings
action: core.transform.reshape
args:
value:
result_type: ${{ FN.typeof(ACTIONS.fetch_findings.result) }}
findings_type: ${{ FN.typeof(ACTIONS.fetch_findings.result.findings) if ACTIONS.fetch_findings.result != None else None }}
findings_count: ${{ FN.length(ACTIONS.fetch_findings.result.findings) if ACTIONS.fetch_findings.result != None else 0 }}
```
## `core.transform.eval_jsonpaths`
Eval multiple JSONPath expressions on an object.
### Inputs
JSON object to eval JSONPath expressions on.
JSONPath expressions to eval.
### Examples
**Flatten and query JSON**
```yaml theme={null}
- ref: flatten_alert
action: core.transform.flatten_json
args:
json: ${{ TRIGGER.alert }}
- ref: extract_fields
action: core.transform.eval_jsonpaths
args:
json: ${{ TRIGGER.alert }}
jsonpaths:
user: $.actor.email
source_ip: $.network.source.ip
```
# Python script
Source: https://docs.tracecat.com/automations/core-actions/transform-actions/python-script
## `core.script.run_python`
Execute a Python script.
### Inputs
Python script to execute. Must contain at least one function. If multiple functions are defined, one must be named 'main'. Returns the output of the function.
Whether to allow network access during script execution. Default is False. Note: package installation always has network access.
Default: `false`.
Optional list of Python package dependencies to install via pip. Packages are cached between executions for performance.
Default: `null`.
Environment variables to set in the sandbox. Use this to inject secrets or configuration.
Default: `null`.
Input data passed as function arguments to the main function. Keys must match the parameter names in the function signature. Missing parameters will receive `None`.
Default: `null`.
Maximum execution time in seconds. Default is 300 seconds (5 minutes).
Default: `300`.
### Examples
**Enrich a payload**
```yaml theme={null}
- ref: normalize_findings
action: core.script.run_python
args:
inputs:
findings: ${{ TRIGGER.findings }}
script: |
def main(findings):
return [
{
"id": finding["id"],
"severity": str(finding["severity"]).lower(),
}
for finding in findings
]
timeout_seconds: 60
```
# Require
Source: https://docs.tracecat.com/automations/core-actions/transform-actions/require
## `core.require`
Evaluate a conditional expression and returns the boolean result.
### Inputs
Conditional expression(s) to evaluate. All must be true for the result to be true.
If `True`, the function will raise an error if the condition is false. If `False`, the function will return `False` instead.
Default: `true`.
If `True`, all conditions must be true for the result to be true. If `False`, only one condition must be true.
Default: `true`.
### Examples
**Stop when prerequisites are not met**
```yaml theme={null}
- ref: require_inputs
action: core.require
args:
conditions:
- ${{ TRIGGER.case_id != None }}
- ${{ TRIGGER.severity in ["high", "critical"] }}
require_all: true
raise_error: true
```
# Reshape
Source: https://docs.tracecat.com/automations/core-actions/transform-actions/reshape
## `core.transform.reshape`
Define the exact scalar, object, or list output you want from workflow data.
`core.transform.reshape` evaluates expressions anywhere in the input
value. Use it to extract fields, rename keys, hardcode values, and
compose new objects or lists from trigger data and earlier actions.
### Inputs
The value to reshape
### Examples
**Return one value**
```yaml theme={null}
- ref: extract_owner_email
action: core.transform.reshape
args:
value: ${{ ACTIONS.get_alert.result.data.owner.email }}
```
**Build a new object or list**
```yaml theme={null}
- ref: build_summary
action: core.transform.reshape
args:
value:
alert_id: ${{ TRIGGER.alert_id }}
severity: ${{ TRIGGER.severity }}
owner: ${{ TRIGGER.owner.email }}
labels:
- triage
- security
```
**Use expressions and functions inline**
```yaml theme={null}
- ref: normalize_alert
action: core.transform.reshape
args:
value:
id: ${{ TRIGGER.alert_id }}
title: ${{ TRIGGER.title || "Untitled alert" }}
severity: ${{ FN.lowercase(TRIGGER.severity) }}
source_ip_version: ${{ FN.check_ip_version(TRIGGER.source_ip) }}
created_at: ${{ FN.to_isoformat(TRIGGER.created_at) }}
```
# Run subflow
Source: https://docs.tracecat.com/automations/core-actions/workflow-actions/run-subflow
## `core.workflow.execute`
Execute a workflow by alias.
### Inputs
Alias of the subflow to execute. Must be provided.
Number of subflows to execute in parallel.
Default: `32`.
Subflow's target execution environment. This is used to isolate secrets across different environments.If not provided, the subflow's default environment is used.
Default: `null`.
Fail strategy to use when a subflow fails.
Default: `"isolated"`.
Allowed values: `isolated`, `all`.
Execution strategy to use for the subflow.
Default: `"batch"`.
Allowed values: `parallel`, `batch`, `sequential`.
Maximum number of seconds to wait for the subflow to complete. If not provided, the subflow's default timeout is used.
Default: `null`.
Inputs to pass to the subflow (arbitrary JSON).
Default: `null`.
Version of the subflow definition, if any.
Default: `null`.
Wait strategy to use when waiting for subflows to complete. In `wait` mode, this action will wait for all subflows to complete before returning. Any subflow failures will be reported as an error. In `detach` mode, this action will return immediately after the subflows are created. A failing subflow will not affect the parent.
Default: `"detach"`.
Allowed values: `wait`, `detach`.
### Examples
**Run a subflow**
```yaml theme={null}
- ref: run_subflow
action: core.workflow.execute
args:
workflow_alias: enrich_case
trigger_inputs:
case_id: ${{ TRIGGER.case_id }}
severity: ${{ TRIGGER.severity }}
wait_strategy: wait
timeout: 300
```
## `core.workflow.get_status`
Get the status of a workflow execution.
### Inputs
The workflow execution ID to check.
### Examples
**Check an execution**
```yaml theme={null}
- ref: launch_subflow
action: core.workflow.execute
args:
workflow_alias: collect_evidence
trigger_inputs:
case_id: ${{ TRIGGER.case_id }}
- ref: subflow_status
action: core.workflow.get_status
depends_on:
- launch_subflow
args:
wf_exec_id: ${{ ACTIONS.launch_subflow.result.wf_exec_id }}
```
# Scatter-gather loops
Source: https://docs.tracecat.com/automations/core-actions/workflow-actions/scatter-gather-loops
## `core.transform.scatter`
Transform a collection of items into parallel execution streams, where each item is processed independently.
### Inputs
The collection to scatter. Each item in the collection will be processed independently in its own execution stream. This should be a JSONPath expression to a collection or a list of items.
The interval in seconds between each scatter task.
Default: `null`.
### Examples
**Fan out and collect results**
```yaml theme={null}
- ref: scatter_hosts
action: core.transform.scatter
args:
collection: ${{ TRIGGER.hosts }}
- ref: check_host
action: core.http_request
depends_on:
- scatter_hosts
args:
url: https://scanner.example.com/hosts/${{ ACTIONS.scatter_hosts.result.id }}
method: GET
- ref: gather_results
action: core.transform.gather
depends_on:
- check_host
args:
items: ${{ ACTIONS.check_host.result }}
drop_nulls: true
error_strategy: partition
```
## `core.transform.gather`
Collect the results of a list of execution streams into a single list.
### Inputs
The JSONPath expression referencing the item to gather in the current execution stream.
Whether to drop null values from the final result. If True, any null values encountered during the gather operation will be omitted from the output list.
Default: `false`.
Controls how errors are handled when gathering. "partition" puts successful results in `.result` and errors in `.error`. "include" puts errors in `.result` as JSON objects. "drop" removes errors from `.result`. "raise" fails the gather if any branch errors.
Default: `"partition"`.
Allowed values: `partition`, `include`, `drop`, `raise`.
### Examples
**Fan out and collect results**
```yaml theme={null}
- ref: scatter_hosts
action: core.transform.scatter
args:
collection: ${{ TRIGGER.hosts }}
- ref: check_host
action: core.http_request
depends_on:
- scatter_hosts
args:
url: https://scanner.example.com/hosts/${{ ACTIONS.scatter_hosts.result.id }}
method: GET
- ref: gather_results
action: core.transform.gather
depends_on:
- check_host
args:
items: ${{ ACTIONS.check_host.result }}
drop_nulls: true
error_strategy: partition
```
# While loops
Source: https://docs.tracecat.com/automations/core-actions/workflow-actions/while-loops
## `core.loop.start`
Open a do-while control-flow region.
### Inputs
This action does not take input fields.
### Examples
**Repeat until a condition is met**
```yaml theme={null}
- ref: loop_start
action: core.loop.start
- ref: check_status
action: core.http_request
depends_on:
- loop_start
args:
url: https://api.example.com/jobs/${{ TRIGGER.job_id }}
method: GET
- ref: loop_end
action: core.loop.end
depends_on:
- check_status
args:
condition: ${{ ACTIONS.check_status.result.data.status != "completed" }}
max_iterations: 20
```
## `core.loop.end`
Close a do-while control-flow region and evaluate whether execution should loop back to the matching `core.loop.start`.
### Inputs
Expression evaluated after the loop body; truthy values continue looping.
Maximum number of loop iterations before failing.
Default: `100`.
### Examples
**Repeat until a condition is met**
```yaml theme={null}
- ref: loop_start
action: core.loop.start
- ref: check_status
action: core.http_request
depends_on:
- loop_start
args:
url: https://api.example.com/jobs/${{ TRIGGER.job_id }}
method: GET
- ref: loop_end
action: core.loop.end
depends_on:
- check_status
args:
condition: ${{ ACTIONS.check_status.result.data.status != "completed" }}
max_iterations: 20
```
# Expressions
Source: https://docs.tracecat.com/automations/core-concepts/expressions
Syntax reference for Tracecat expressions: contexts, operators, functions, and JSONPath access patterns used inside workflow and agent definitions.
## Overview
Tracecat expressions let you build values from trigger data, action results, secrets, variables, and functions.
Expressions use `${{ ... }}`.
## Where expressions are used
You can use expressions in:
* Action inputs
* `run_if`
* `for_each`
* Action `environment`
* Workflow environment
* Output schema
Use `var.` in action inputs for actions that run with `for_each`.
## Expression contexts
Use these references inside expressions:
* `TRIGGER.`
* `ACTIONS.[.result`
* `SECRETS..`
* `VARS..`
* `ENV.`
* `var.`
* `FN.(...)`
## Operators
Expressions support literals and operators.
### Literals
* String literals such as `"high"` and `'prod'`
* Numeric literals such as `1` and `3.14`
* Boolean literals such as `True` and `False`
* Null literals such as `None`
* List literals such as `["a", "b"]`
* Object literals with string keys such as `{"severity": "high"}`
### Operators
* Logical operators: `||` and `&&`
* Comparison operators such as `==`, `!=`, `<`, `<=`, `>`, `>=`
* Arithmetic operators such as `+`, `-`, `*`, `/`, `%`
* Ternary expressions such as `${{ "p1" if TRIGGER.severity == "high" else "p3" }}`
Python-style `or` / `and` and SQL-style `OR` / `AND` are not supported.
## Examples
Basic trigger reference:
```yaml Expression theme={null}
text: "Alert ${{ TRIGGER.alert_id }}"
```
```json Result theme={null}
{
"text": "Alert al-123"
}
```
Action result reference:
```yaml Expression theme={null}
value: ${{ ACTIONS.fetch_alert.result }}
```
```json Result theme={null}
{
"value": {
"id": "al-123",
"status": "open"
}
}
```
Secret reference:
```yaml Expression theme={null}
token: ${{ SECRETS.github.GITHUB_TOKEN }}
```
```json Result theme={null}
{
"token": "ghp_xxxxx"
}
```
Variable reference:
```yaml Expression theme={null}
team: ${{ VARS.routing.team }}
```
```json Result theme={null}
{
"team": "secops"
}
```
Conditional execution:
```yaml Expression theme={null}
run_if: ${{ FN.is_equal(TRIGGER.severity, "high") }}
```
```json Result theme={null}
{
"run_if": true
}
```
Iteration:
```yaml Expression theme={null}
for_each: ${{ for var.alert in TRIGGER.alerts }}
```
```json Result theme={null}
[
{
"var.alert": {
"id": "al-1",
"severity": "high"
}
},
{
"var.alert": {
"id": "al-2",
"severity": "low"
}
}
]
```
Using `var.` in action inputs:
```yaml Expression theme={null}
title: ${{ var.alert.title }}
severity: ${{ var.alert.severity }}
```
```json Result theme={null}
{
"title": "Suspicious login",
"severity": "high"
}
```
Ternary:
```yaml Expression theme={null}
priority: ${{ "p1" if TRIGGER.severity == "high" else "p3" }}
```
```json Result theme={null}
{
"priority": "p1"
}
```
Function call:
```yaml Expression theme={null}
created_at: ${{ FN.to_datetime(TRIGGER.created_at) }}
```
```json Result theme={null}
{
"created_at": "2026-03-18T09:00:00"
}
```
Nested list literal:
```yaml Expression theme={null}
value: ${{ [1, [2, 3], {"severity": "high", "flags": [True, False, None]}] }}
```
```json Result theme={null}
{
"value": [
1,
[2, 3],
{
"severity": "high",
"flags": [true, false, null]
}
]
}
```
Nested object literal:
```yaml Expression theme={null}
value: ${{ {"alert": {"id": "al-123", "tags": ["auth", "critical"]}, "ok": True, "meta": None} }}
```
```json Result theme={null}
{
"value": {
"alert": {
"id": "al-123",
"tags": ["auth", "critical"]
},
"ok": true,
"meta": null
}
}
```
## FAQ
Some actions only return data in certain conditions. For example, a hash enrichment might find no matches in your threat intel source. When a field does not exist, the expression resolves to `None` — no error is raised.
Use `run_if` with a `!= None` check to skip downstream actions when the data is missing, or use a ternary to supply a fallback value.
```yaml Skip an action when the result is missing theme={null}
- ref: check_hash
action: tools.virustotal.get_file_report
args:
hash: ${{ TRIGGER.file_hash }}
- ref: escalate_alert
action: tools.slack.post_message
depends_on:
- check_hash
run_if: ${{ ACTIONS.check_hash.result != None && ACTIONS.check_hash.result.malicious_count != None }}
args:
channel: ${{ SECRETS.slack.SECURITY_CHANNEL }}
text: "Hash ${{ TRIGGER.file_hash }} flagged by ${{ ACTIONS.check_hash.result.malicious_count }} vendors"
```
```yaml Supply a fallback value theme={null}
- ref: build_summary
action: core.transform.reshape
depends_on:
- check_hash
args:
value:
verdict: ${{ ACTIONS.check_hash.result.verdict if ACTIONS.check_hash.result != None else "unknown" }}
is_known_bad: ${{ ACTIONS.check_hash.result.malicious_count > 0 if ACTIONS.check_hash.result.malicious_count != None else False }}
```
## Related pages
* See [Workflow definition](/automations/core-concepts/workflow-definition) for where expressions appear in workflow YAML.
* See [JSONPath](/automations/core-concepts/jsonpath) for field access, arrays, and filters.
* See [Functions](/automations/core-concepts/functions) for the full function reference.
# Functions
Source: https://docs.tracecat.com/automations/core-concepts/functions
Inline utility functions for Tracecat expressions: transform strings, dates, numbers, lists, and JSON inside workflow and agent definitions.
## Overview
Tracecat expressions can call built-in functions with the `FN.(...)` syntax.
Function results support bracket indexing such as `FN.range(0, 3)[0]`.
Function results do not support JSONPath wildcards or filters such as `FN.range(0, 3)[*]`.
Use in-line functions for one-line data transforms in action inputs.
For more complex logic, use a Python script or a custom UDF instead.
## Examples
Build a prompt or short string:
```yaml Expression theme={null}
prompt: ${{ FN.format("Investigate alert {0} with severity {1}", TRIGGER.alert_id, TRIGGER.severity) }}
```
```json Result theme={null}
{
"prompt": "Investigate alert al-123 with severity high"
}
```
Time manipulation for alert search windows:
```yaml Expression theme={null}
start_time: ${{ FN.to_isoformat(FN.now() - FN.minutes(15)) }}
end_time: ${{ FN.to_isoformat(FN.now()) }}
```
```json Result theme={null}
{
"start_time": "2026-03-18T12:45:00",
"end_time": "2026-03-18T13:00:00"
}
```
## Related pages
* See the [Functions cheatsheet](/cheatsheets/functions) for the full function reference and more examples.
* See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts.
# JSONPath
Source: https://docs.tracecat.com/automations/core-concepts/jsonpath
Path access reference for Tracecat expressions: navigate trigger payloads, action results, secrets, and variables with JSONPath syntax.
## Overview
JSONPath is used inside expression contexts such as `TRIGGER` and `ACTIONS.][.result` to access nested fields and arrays.
## Field access
Use dot notation for nested fields.
```yaml Expression theme={null}
theme: ${{ TRIGGER.data.settings.theme }}
status: ${{ ACTIONS.fetch_alert.result.status }}
```
```json Result theme={null}
{
"theme": "dark",
"status": "open"
}
```
Use quoted field names when the field contains special characters.
```yaml Expression theme={null}
value: ${{ TRIGGER.data."alert.sample.data" }}
dash_value: ${{ TRIGGER.data."field-with-dashes" }}
```
```json Result theme={null}
{
"value": "sample-1",
"dash_value": "ok"
}
```
## Array access
Use brackets to access array items.
```yaml Expression theme={null}
first_item: ${{ TRIGGER.items[0] }}
last_item: ${{ TRIGGER.items[-1] }}
first_name: ${{ ACTIONS.lookup_users.result.users[0].name }}
```
```json Result theme={null}
{
"first_item": {"id": "a1"},
"last_item": {"id": "a3"},
"first_name": "Alice"
}
```
## Wildcards
Use `[*]` to select all items in an array.
```yaml Expression theme={null}
ids: ${{ TRIGGER.items[*].id }}
names: ${{ ACTIONS.lookup_users.result.users[*].name }}
```
```json Result theme={null}
{
"ids": ["a1", "a2", "a3"],
"names": ["Alice", "Bob", "Carol"]
}
```
Wildcard expressions return a list.
## Filters
Use filters to select matching items.
```yaml Expression theme={null}
active_users: ${{ ACTIONS.lookup_users.result.users[?(@.active == true)] }}
high_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }}
matching_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }}
```
```json Result theme={null}
{
"active_users": [{"name": "Alice", "active": true}],
"high_scores": [{"name": "Alice", "score": 96}],
"matching_alerts": [{"id": "al-1", "severity": "high"}]
}
```
Filter expressions return a list.
## Missing fields
Accessing a field that does not exist returns `None`. No error is raised.
```yaml Expression theme={null}
value: ${{ ACTIONS.check_hash.result.id }}
```
```json Result (field does not exist) theme={null}
{
"value": null
}
```
Guard against `None` with a null check before dereferencing deeper fields.
```yaml theme={null}
run_if: ${{ ACTIONS.check_hash.result != None && ACTIONS.check_hash.result.id != None }}
```
## Related pages
* See the [JSONPath cheatsheet](/cheatsheets/jsonpath) for detailed filter patterns, return behavior, and more examples.
* See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts.
* See [Functions](/automations/core-concepts/functions) for helper functions you can use alongside JSONPath access.
# Secrets
Source: https://docs.tracecat.com/automations/core-concepts/secrets
Create, scope, and reference Tracecat secrets in workflows and agents: store API keys safely and inject them into actions through expressions.
## Overview
Secrets store sensitive values. Create them in `/credentials`.
]
## Using secrets in expressions
Access a secret in expressions with:
```yaml theme={null}
${{ SECRETS.. }}
```
## Secret types
Tracecat supports these workspace secret types:
| Type | Value | Description |
| -------------- | --------- | ---------------------------------------- |
| Custom | `custom` | Arbitrary key-value credentials |
| SSH key | `ssh_key` | A single SSH private key |
| mTLS | `mtls` | A TLS client certificate and private key |
| CA certificate | `ca_cert` | A CA certificate bundle |
### Custom credentials
Custom credentials store arbitrary key-value pairs. Any keys can be used.
### Structured secret types
SSH key, mTLS, and CA certificate secrets use fixed key names.
The credentials UI renders a specialized form for each type (e.g. a PEM textarea for SSH keys instead of generic key-value inputs).
| Type | Required keys |
| -------------- | ------------------------------------ |
| SSH key | `PRIVATE_KEY` |
| mTLS | `TLS_CERTIFICATE`, `TLS_PRIVATE_KEY` |
| CA certificate | `CA_CERTIFICATE` |
Structured secret types cannot have `optional_keys`. The key set is fixed by the type.
## SQL action credentials
`core.sql.execute_query` uses a secret named `sql` with one required key: `CONNECTION_URL`.
Set `CONNECTION_URL` as a SQLAlchemy database URL:
```text theme={null}
postgresql+psycopg://user:pass@db.example.com:5432/app
```
Common engine examples:
* PostgreSQL (psycopg3): `postgresql+psycopg://user:pass@db.example.com:5432/app`
* MySQL: `mysql+pymysql://user:pass@db.example.com:3306/app`
* ClickHouse: `clickhouse+http://user:pass@clickhouse.example.com:8123/default`
See SQLAlchemy Database URLs for supported dialect and driver formats:
[https://docs.sqlalchemy.org/20/core/engines.html#database-urls](https://docs.sqlalchemy.org/20/core/engines.html#database-urls)
## AWS credentials
### Protected secret names
`aws` and `amazon_s3` are **protected** secret names.
When a secret with either name contains `AWS_ROLE_ARN`, Tracecat automatically performs STS `AssumeRole` on the host before sandbox entry and injects temporary session credentials.
This applies to any registry action (built-in or custom) that declares a secret with one of these names.
`tools.aws_boto3` actions use the `aws` secret. `tools.amazon_s3` actions use the `amazon_s3` secret. Both follow the same key schema.
### Supported keys
* `AWS_ROLE_ARN` — recommended; Tracecat assumes the role on the host
* `AWS_ROLE_SESSION_NAME` — optional audit session label
* `AWS_ACCESS_KEY_ID`
* `AWS_SECRET_ACCESS_KEY`
* `AWS_SESSION_TOKEN`
* `AWS_REGION`
### Credential resolution order
1. `AWS_ROLE_ARN` (STS AssumeRole with auto-injected `TRACECAT_AWS_EXTERNAL_ID`)
2. `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` + `AWS_SESSION_TOKEN`
3. `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`
## Secret environments
Every secret belongs to a Workflow environment.
* Default source: the workflow default environment in [Workflows](/automations/workflows).
* Override: per action in [Actions](/automations/actions) control flow.
* Fallback: `default`.
Examples:
* Different CrowdStrike tenants for `prod`, `staging`, or `lab`
* Multiple Slack apps for separate workspaces or business units
* Separate sandbox and production API credentials for the same vendor
## Access secrets in agents
Agents can use secret expressions in tool arguments and integration configuration. Secret values are resolved during tool execution and are not sent to the LLM provider.
```text theme={null}
When you call Slack tools, use `${{ SECRETS.slack.SLACK_BOT_TOKEN }}`.
When you call Jira tools, use `${{ SECRETS.jira.JIRA_API_TOKEN }}`.
Do not print secret values in the final answer.
```
## Custom registry actions
Authors of [Python UDFs](/custom-actions/python-udf) and [YAML templates](/custom-actions/yaml-template) declare required secrets in the registry (including OAuth and structured secret types). The same `${{ SECRETS... }}` syntax applies; see [Use OAuth tokens in expressions](/automations/integrations/oauth-integrations#use-oauth-tokens-in-expressions) on the OAuth page for token paths, `RegistryOAuthSecret` and YAML `type: oauth`, and Custom OAuth `provider_id` rules.
## Related pages
* See [Pre-built credentials](/automations/integrations/prebuilt-credentials) for provider-specific credential templates for built-in integrations.
* See [OAuth](/automations/integrations/oauth-integrations) for integrations that authenticate with OAuth flows.
* See [MCP](/automations/integrations/mcp-integrations) for MCP integrations and secure environment-based settings.
* See [Expressions](/automations/core-concepts/expressions) for how expressions work across triggers, actions, secrets, and variables.
# Variables
Source: https://docs.tracecat.com/automations/core-concepts/variables
Create and reference reusable Tracecat workspace variables in workflows and agents: share configuration and constants across automations without duplicating values.
## Overview
Variables store reusable non-secret values.
## Using variables in expressions
Access a variable in expressions with:
```yaml theme={null}
${{ VARS.. }}
```
## Variable fields
Each variable has these fields:
* Name: a lowercase snake case name such as `jira` or `api_config`
* Values: one or more key-value pairs
* Environment: the Workflow environment where the variable applies
## When to use variables
Use variables for non-sensitive values such as:
* Base URLs
* Project IDs
* Queue names
* Routing rules
* Tenant-specific defaults
Use a [secret](/automations/core-concepts/secrets) for sensitive values.
## Variable environments
Every variable belongs to a Workflow environment.
* Default source: the workflow default environment in [Workflows](/automations/workflows).
* Override: per action in [Actions](/automations/actions) control flow.
* Fallback: `default`.
## Access variables in agents
Agents can use variable expressions in tool arguments and integration configuration. Values are resolved during tool execution and are not fetched directly by the LLM provider.
```text theme={null}
When you call Jira tools, use `${{ VARS.jira.base_url }}` as the base URL and `${{ VARS.jira.project_key }}` as the default project key.
```
## Related pages
* See [Secrets](/automations/core-concepts/secrets) for sensitive values such as API keys, passwords, and certificates.
* See [Expressions](/automations/core-concepts/expressions) for how expressions work across triggers, actions, secrets, and variables.
# Workflow definition
Source: https://docs.tracecat.com/automations/core-concepts/workflow-definition
YAML reference for Tracecat workflow definitions: triggers, actions, inputs, outputs, control flow, and schema fields used to author and version workflows.
This page was written for advanced builders who want to review and edit workflows in code.
## Overview
Workflows in Tracecat are defined as YAML workflow definitions.
## Workflow schema
The workflow body uses these top-level fields:
```yaml theme={null}
title:
description:
entrypoint:
config:
triggers:
error_handler:
actions:
returns:
```
A minimal workflow looks like this:
```yaml theme={null}
title: "Minimal workflow"
description: "Return a static value"
entrypoint:
expects: {}
actions:
- ref: build_result
action: core.transform.reshape
args:
value:
status: ok
returns: ${{ ACTIONS.build_result.result }}
```
## Top-level fields
Workflow name.
Workflow description.
Input schema. Use `expects` to define trigger inputs in the workflow definition.
Workflow settings. Supported fields are `environment` and `timeout`.
Optional trigger definitions. Trigger types are `webhook` and `schedule`.
Workflow alias to run when the workflow fails.
Workflow actions.
Output schema. Use `returns` to define the workflow output in the workflow definition.
Example input schema:
```yaml theme={null}
entrypoint:
expects:
alert_id:
type: str
description: The alert to investigate
severity:
type: enum["low", "medium", "high"]
default: medium
```
Example output schema:
```yaml theme={null}
returns:
finding_count: ${{ FN.length(ACTIONS.gather_results.result) }}
findings: ${{ ACTIONS.gather_results.result }}
```
## Actions schema
Unique action identifier. It must be unique within the workflow and match Tracecat's slug format.
Fully qualified action name such as `core.http_request`, `core.transform.reshape`, `core.transform.scatter`, `core.loop.end`, or `tools.slack.post_message`.
Action inputs. The valid keys depend on the action type.
Dependencies for this action.
Use `upstream_ref` for a success edge, `upstream_ref.success` for an explicit success edge, and `upstream_ref.error` for an error edge. Any other suffix is invalid.
Conditional expression. If it evaluates to a falsy value, the action is skipped.
Run the action once per item in a collection. Inside the action, access the current item through `var.`.
Example: `for_each: ${{ for var.alert in TRIGGER.alerts }}`.
Retry configuration with `max_attempts` and `timeout`.
Delay in seconds before the action starts.
Join behavior for downstream actions. Use `all` to wait for all upstream branches, or `any` to allow a downstream join to complete once any upstream branch completes.
Per-action override for the secrets environment.
Redacts this action's result in workflow execution views and execution API responses. Tracecat keeps object and array structure but replaces each individual value, so JSONPath references remain visible. Downstream actions still receive the original result.
Marks an action as interactive. `interaction` cannot be combined with `for_each`.
Example action:
```yaml theme={null}
- ref: fetch_alert
action: core.http_request
args:
url: "https://api.example.com/alerts/${{ TRIGGER.alert_id }}"
method: GET
headers:
Authorization: "Bearer ${{ SECRETS.alerting.API_TOKEN }}"
retry_policy:
max_attempts: 3
timeout: 60
```
## Expressions
Expressions use `${{ ... }}`.
Use these references inside expressions:
* `TRIGGER.`
* `ACTIONS.[.result`
* `SECRETS..`
* `VARS..`
* `ENV.`
* `var.`
* `FN.(...)`
See [Expressions](/automations/core-concepts/expressions) for syntax, operators, and literals.
See [JSONPath](/automations/core-concepts/jsonpath) for field access and array access.
See [Functions](/automations/core-concepts/functions) for the full function list.
## Control-flow primitives
### Conditional execution with `run_if`
```yaml theme={null}
title: "Conditional workflow"
description: "Only notify on high severity"
entrypoint:
expects:
severity:
type: str
actions:
- ref: build_message
action: core.transform.reshape
args:
value: "Severity is ${{ TRIGGER.severity }}"
- ref: notify
action: tools.slack.post_message
depends_on:
- build_message
run_if: ${{ FN.is_equal(TRIGGER.severity, "high") }}
args:
channel: ${{ SECRETS.slack.SLACK_CHANNEL }}
text: ${{ ACTIONS.build_message.result }}
```
### Scatter and gather
Use `core.transform.scatter` to fan out a collection into parallel streams, then `core.transform.gather` to collect results back into a list.
```yaml theme={null}
title: "Scatter gather workflow"
description: "Fetch details for each item"
entrypoint:
expects:
items:
type: list[dict[str, Any]]
actions:
- ref: scatter_items
action: core.transform.scatter
args:
collection: ${{ TRIGGER.items }}
- ref: fetch_item
action: core.http_request
depends_on:
- scatter_items
args:
url: "https://api.example.com/items/${{ ACTIONS.scatter_items.result.id }}"
method: GET
- ref: gather_results
action: core.transform.gather
depends_on:
- fetch_item
args:
items: ${{ ACTIONS.fetch_item.result }}
drop_nulls: true
error_strategy: partition
returns: ${{ ACTIONS.gather_results.result }}
```
Within a scatter region, each downstream action reads the current item through `ACTIONS..result`.
### Do-while loops
Use `core.loop.start` to open a loop region and `core.loop.end` to decide whether to continue.
```yaml theme={null}
title: "Loop workflow"
description: "Retry until the third iteration"
entrypoint:
expects: {}
actions:
- ref: loop_start
action: core.loop.start
- ref: body
action: core.transform.reshape
depends_on:
- loop_start
args:
value:
iteration: ${{ ACTIONS.loop_start.result.iteration }}
- ref: loop_end
action: core.loop.end
depends_on:
- body
args:
condition: ${{ ACTIONS.loop_start.result.iteration < 2 }}
max_iterations: 10
- ref: after_loop
action: core.transform.reshape
depends_on:
- loop_end
args:
value: ${{ ACTIONS.loop_end.result.continue }}
returns: ${{ ACTIONS.after_loop.result }}
```
Loop-specific behavior:
* `core.loop.start` exposes `ACTIONS..result.iteration`
* `core.loop.end` requires `condition`
* `max_iterations` defaults to `100`
### Subflows
Use `core.workflow.execute` to run a subflow.
```yaml theme={null}
title: "Subflow launcher"
description: "Execute a subflow for each alert"
entrypoint:
expects:
alerts:
type: list[dict[str, Any]]
actions:
- ref: run_subflow
action: core.workflow.execute
for_each: ${{ for var.alert in TRIGGER.alerts }}
args:
workflow_id: wf-fee9abc1cc88417bbccb73433646e2c6
trigger_inputs:
alert: ${{ var.alert }}
returns: null
```
The subflow target is usually provided through `workflow_id`. Trigger data is passed through `trigger_inputs`.
## Validation rules
These are the main workflow rules:
* All action refs must be unique.
* Every dependency in `depends_on` must reference a real action.
* Cycles in the action graph are invalid.
* `interaction` cannot be combined with `for_each`.
* Outer scopes cannot reference actions inside a nested scatter or loop scope.
* Inner scopes can reference actions in parent scopes.
* `core.transform.gather` must close the scatter scope it depends on.
* `core.loop.end` must close the loop scope it depends on.
## Workflow definition schema
Workflow definitions may also use this outer schema:
```yaml theme={null}
definition:
title: "Imported workflow"
description: "This is the executable workflow DSL"
entrypoint:
expects: {}
actions:
- ref: a
action: core.transform.reshape
args:
value: ok
returns: ${{ ACTIONS.a.result }}
layout:
trigger:
x: 0
y: 0
viewport:
x: 0
y: 0
zoom: 1
actions:
- ref: a
x: 0
y: 160
schedules:
- cron: "0 * * * *"
status: online
webhook:
methods:
- POST
status: online
case_trigger:
status: offline
event_types: []
tag_filters: []
```
# MCP servers
Source: https://docs.tracecat.com/automations/integrations/mcp-integrations
Connect remote and stdio MCP servers to Tracecat agents: register tools, scope authentication, and call third-party MCP tools from agent runs.
## Overview
Tracecat supports two MCP integration types:
* Remote MCP over URL (`HTTP` or `SSE`)
* Local MCP over `stdio`
Agents attach MCP integrations from the preset builder.
]
## Remote MCP
Use remote MCP when the server is exposed over a URL.
Authentication modes:
* No Authentication
* Custom
* OAuth
### OAuth for remote MCP
For remote MCP with OAuth, link the MCP integration to an existing OAuth integration. Tracecat refreshes the token and sets the `Authorization` header automatically.
For a custom remote MCP server, first create a custom OAuth provider in [OAuth](/automations/integrations/oauth-integrations), then attach it to the MCP integration.
### Custom headers for remote MCP
`Custom` authentication stores request headers as JSON.
```json theme={null}
{
"Authorization": "Bearer token123",
"X-API-Key": "abc123"
}
```
Remote MCP custom header JSON does not resolve `${{ SECRETS.* }}` or `${{ VARS.* }}`. Header values are sent as literal strings.
## Stdio MCP
Use `stdio` MCP when Tracecat should launch a local command such as `npx`, `uvx`, or a custom binary.
`stdio` environment variables support Tracecat expressions.
```json theme={null}
{
"GITHUB_TOKEN": "${{ SECRETS.github.TOKEN }}",
"GITHUB_HOST": "${{ VARS.github.host }}"
}
```
Tracecat resolves those expressions from the workflow default environment unless overridden in action control flow.
## Secrets and variables in MCP configuration
Expression support differs by MCP integration type:
* `stdio` environment variables support `${{ SECRETS.* }}` and `${{ VARS.* }}`.
* Remote MCP OAuth mode does not need secret expressions for the bearer token because Tracecat injects the OAuth token automatically.
* Remote MCP custom header JSON does not currently resolve `${{ SECRETS.* }}` or `${{ VARS.* }}`.
## Related pages
* See [OAuth](/automations/integrations/oauth-integrations) for custom OAuth providers and OAuth token expressions.
* See [Secrets](/automations/core-concepts/secrets) for environment-scoped secret resolution.
* See [Variables](/automations/core-concepts/variables) for non-secret values used in `stdio` environment variables.
# OAuth
Source: https://docs.tracecat.com/automations/integrations/oauth-integrations
Connect OAuth providers to Tracecat and reference managed OAuth tokens in expressions: configure scopes, refresh credentials, and call APIs from actions and agents.
## Overview
Tracecat supports built-in OAuth integrations and custom OAuth providers. OAuth integrations expose tokens through secret expressions.
## Grant types
OAuth grant types:
* Delegated access (`authorization_code`): Tracecat stores a user token after a user completes the OAuth login flow.
* Client credentials (`client_credentials`): Tracecat stores a service token for server-to-server access.
## Configure a provider
Built-in OAuth integrations are listed on the Integrations page. For custom OAuth, use Add integration → OAuth provider (or Add custom OAuth provider under Custom OAuth).
Most providers require these fields:
* Client ID
* Client secret
* Authorization endpoint
* Token endpoint
* Scopes
After you save a custom provider, connect it (complete the OAuth flow) when using delegated access so Tracecat can issue tokens.
## Use OAuth tokens in expressions
Use the same `${{ SECRETS... }}` syntax as workflow actions.
Custom secrets (API keys, SSH, mTLS, CA bundles, and so on):
```yaml theme={null}
${{ SECRETS.. }}
```
OAuth tokens live under `_oauth`. The key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`:
* `authorization_code`: `${{ SECRETS._oauth._USER_TOKEN }}`
* `client_credentials`: `${{ SECRETS._oauth._SERVICE_TOKEN }}`
```yaml theme={null}
${{ SECRETS.slack_oauth.SLACK_USER_TOKEN }}
${{ SECRETS.google_docs_oauth.GOOGLE_DOCS_SERVICE_TOKEN }}
```
Optional fallback when either grant type is allowed:
```yaml theme={null}
${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN || SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_SERVICE_TOKEN }}
```
## Python UDFs
Declare credentials in `@registry.register(..., secrets=[...])`.
* `RegistrySecret`: static keys; set `secret_type` to `ssh_key`, `mtls`, or `ca_cert` when needed ([secret types](/automations/core-concepts/secrets)). Optional: `optional`, `optional_keys`.
* `RegistryOAuthSecret`: declares a dependency on an existing OAuth integration. Pass the `provider_id` and `grant_type` that match the integration in your workspace (a mismatch — for example declaring `authorization_code` when the integration uses `client_credentials` — will not resolve).
Read values with `secrets.get("")` (key only, e.g. `GOOGLE_DRIVE_USER_TOKEN`), not a `SECRETS.` path.
```python theme={null}
from tracecat_registry import RegistryOAuthSecret, RegistrySecret, registry, secrets
api = RegistrySecret(name="exa", keys=["EXA_API_KEY"])
oauth = RegistryOAuthSecret(
provider_id="google_drive",
grant_type="authorization_code",
)
```
## YAML
Under `definition`, set a `secrets` list (same validator as Python).
Custom (optional `secret_type` for structured secrets):
```yaml theme={null}
definition:
secrets:
- name: exa
keys: ["EXA_API_KEY"]
- name: ansible
keys: ["PRIVATE_KEY"]
secret_type: ssh_key
```
OAuth:
```yaml theme={null}
definition:
secrets:
- type: oauth
provider_id: microsoft_teams
grant_type: authorization_code
```
The `provider_id` and `grant_type` must match an integration already configured in your workspace. Use `${{ SECRETS._oauth. }}` in `args`. Set `optional: true` on an OAuth entry when it is not always required.
## Example providers
See [`integrations/google_drive.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/google_drive.py) and [`integrations/slack_sdk.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py) for UDFs that use OAuth credentials. See [`tracecat_registry/core/ssh.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/core/ssh.py) for an `ssh_key` secret example.
For YAML templates, see [`microsoft_teams/send_message.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_teams/send_message.yml) (`authorization_code`), [`google_docs/create_document.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/google_docs/create_document.yml) (`client_credentials`), and [`microsoft_sentinel/.../get_alert_rule_template.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_sentinel/alert_rules/get_alert_rule_template.yml) (optional dual grant). See [`templates/tools/exa/search.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/exa/search.yml) for a simple API key template.
For the full list of built-in provider IDs, see [`tracecat/integrations/providers/__init__.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py).
## OAuth and actions
Registry actions reference OAuth integrations but do not create them. Configure a built-in or custom provider in Integrations first, then declare `RegistryOAuthSecret` (Python) or `type: oauth` (YAML) so the action requires that integration at runtime. Syntax and examples are in [Use OAuth tokens in expressions](#use-oauth-tokens-in-expressions) above.
## OAuth and MCP
Remote MCP integrations can use an existing OAuth integration. For custom remote MCP servers:
1. Create a custom OAuth provider.
2. Connect that provider.
3. Create an MCP integration and attach the connected OAuth integration.
## FAQ
When you save a custom provider, Tracecat derives a provider ID from the display name or the ID you enter (slugified). If that value does not already start with `custom_`, the server prepends `custom_` so it does not collide with [built-in providers](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py). If the ID is already taken, a numeric suffix is added.
No. `RegistryOAuthSecret` and YAML `type: oauth` entries declare that the action *requires* an existing OAuth integration — they do not register one. Create the integration from [Configure a provider](#configure-a-provider) (or [contribute a built-in provider](#how-do-i-contribute-a-built-in-oauth-provider)). Once it exists, your action can reference its tokens via `${{ SECRETS._oauth... }}`.
Out-of-the-box providers are implemented in the Tracecat app and get stable IDs (for example `slack`, `google_drive`) without the UI `custom_` rule.
1. Subclass `AuthorizationCodeOAuthProvider` or `ClientCredentialsOAuthProvider` under [`tracecat/integrations/providers/`](https://github.com/TracecatHQ/tracecat/tree/main/tracecat/integrations/providers). See [`slack/oauth.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/slack/oauth.py) for a full example.
2. Register the class in [`_PROVIDER_CLASSES`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py).
3. Keep the [registry package](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry) aligned: same `provider_id` and `grant_type` in `RegistryOAuthSecret` (Python) and `type: oauth` entries (YAML) so actions resolve the same integration as the UI.
## Related pages
* See [Prebuilt credentials](/automations/integrations/prebuilt-credentials) for static credentials such as API keys and bot tokens.
* See [Secrets](/automations/core-concepts/secrets) for how secret expressions are resolved at runtime.
* See [Python UDFs](/custom-actions/python-udf) and [YAML templates](/custom-actions/yaml-template) for custom registry actions.
* See [MCP servers](/automations/integrations/mcp-integrations) for remote and `stdio` MCP setup.
# Prebuilt credentials
Source: https://docs.tracecat.com/automations/integrations/prebuilt-credentials
Configure prebuilt credentials for Tracecat's built-in integrations: define secret schemas, scope values per workspace, and reuse them across actions and agents.
## Overview
Pre-built credentials pre-fill the secret name and keys for built-in integrations.
## How pre-built credentials work
Built-in integrations expect fixed secret names and keys.
For example, Slack SDK actions use `slack` and `SLACK_BOT_TOKEN`.
`${{ SECRETS.slack.SLACK_BOT_TOKEN }}` resolves from the workflow default environment unless overridden in action control flow.
## Use environments
Store the same credential name in different Workflow environments:
* `slack` in `default` for one Slack app
* `slack` in `staging` for a second Slack app
* `slack` in `customer_acme` for a customer-specific Slack app
Then set the Workflow environment in [Workflows](/automations/workflows#environments) or override it on a specific action in [Actions](/automations/actions#environment):
```yaml theme={null}
${{ SECRETS.slack.SLACK_BOT_TOKEN }}
```
## Configure a credential
In `/Credentials`, click `Configure` for the credential. Tracecat pre-fills the keys.
## FAQ
Check these in order:
* Use prebuilt credentials for fixed secret names and keys such as `${{ SECRETS.slack.SLACK_BOT_TOKEN }}`.
* Use OAuth integrations when the provider issues managed tokens such as `${{ SECRETS.microsoft_teams_oauth.MICROSOFT_TEAMS_USER_TOKEN }}`.
* Use custom secrets when an action expects your own secret name and keys.
* Make sure the secret exists in the same environment that the workflow or action is using.
* Make sure the expression path matches the configured secret name and key exactly.
For example, this action reads the `slack` credential from the `customer_acme` environment, not from `default`:
```yaml theme={null}
- ref: notify_customer
action: tools.slack.post_message
environment: customer_acme
args:
channel: ${{ SECRETS.slack.ALERTS_CHANNEL }}
text: "New finding: ${{ TRIGGER.finding_id }}"
```
If `slack` only exists in `default`, the action will not resolve it while running in `customer_acme`.
## Related pages
* See [Secrets](/automations/core-concepts/secrets) for the core secret model and secret expression syntax.
* See [OAuth](/automations/integrations/oauth-integrations) for integrations that issue managed OAuth tokens instead of static keys, and for the same `${{ SECRETS... }}` patterns in custom registry actions.
* See [MCP servers](/automations/integrations/mcp-integrations) for MCP-specific integration setup and secret-backed `stdio` configuration.
# Tables
Source: https://docs.tracecat.com/automations/tables
Store and manage structured data inside Tracecat: define tables, query rows from workflows and agents, and link records to cases and workflow runs.
## Tables
Tables let you store structured data in your workspace.
You can use them from the UI or from `core.table.*` actions in a workflow definition.
Use tables when you want to:
* Keep durable records across workflow runs
* Look up known values such as users, hosts, or indicators
* Search and export structured data for investigation or reporting
* Reuse the same dataset across multiple workflows
## Columns
Each table has a schema that defines its columns.
Choose column types based on the data you want to store and query.
When you define columns in the UI or in `core.table.create_table`, use the same uppercase `type` values exposed in the custom tables picker:
You can create tables with the following column types:
* TEXT
* INTEGER
* NUMERIC
* BOOLEAN
* DATE
* TIMESTAMPTZ
* JSONB
* SELECT
* MULTI\_SELECT
Use `TEXT`, `INTEGER`, `NUMERIC`, and `BOOLEAN` for simple fields.
Use `DATE` or `TIMESTAMPTZ` for time-based values, `JSONB` for nested structured data, and `SELECT` or `MULTI_SELECT` when the value must come from a fixed list.
Case custom fields use the same storage type family: `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, and `MULTI_SELECT`.
In the case field picker, raw `JSONB` is currently surfaced through the `URL` kind, and `Long text` is layered on top of `TEXT`.
## Rows
Rows hold the actual records in a table.
You can insert, update, delete, look up, and search rows as your workflows process new events.
This works well for data such as:
* Asset inventories
* User allowlists
* Enrichment results
* Investigation evidence
* External system references
If you already know the field and value you want, use `core.table.lookup`.
If you need broader filtering or text search, use `core.table.search_rows`.
For example, use `core.table.lookup` when you know the exact value:
```yaml theme={null}
- ref: lookup_asset
action: core.table.lookup
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
```
For example, use `core.table.search_rows` when you want to search across rows:
```yaml theme={null}
- ref: search_assets
action: core.table.search_rows
args:
table: asset_inventory
search_term: production
limit: 25
```
## Index and upsert
You'll often need to deduplicate data or require all values in a column to be unique.
You can do that by creating an index and then using `core.table.insert_row` with `upsert: true`.
For example:
* One row per hostname
* One row per email address
* One row per alert ID
* One row per hash value
A unique index enforces that rule, and `core.table.insert_row` with `upsert: true` updates the existing row instead of creating a duplicate.
## Table actions
Use `core.table.*` actions when you want your workflows to work with tables directly.
* [Tables](/automations/core-actions/memory-actions/tables) to create tables, inspect metadata, insert rows, search rows, and export data
* Use `core.table.insert_row` with `upsert: true` when you want to update an existing row that matches a unique index
`core.table.create_table` takes `columns` as a JSON array of column objects.
This is the same schema you use for tables that you later link to cases.
* `name`: Required string. Use letters, numbers, and underscores, and start with a letter or underscore.
* `type`: Required uppercase string. Use `TEXT`, `INTEGER`, `NUMERIC`, `BOOLEAN`, `DATE`, `TIMESTAMPTZ`, `JSONB`, `SELECT`, or `MULTI_SELECT`.
* `nullable`: Optional boolean. Defaults to `true`.
* `default`: Optional value. It must match the column type.
* `options`: Optional array of strings. Required for `SELECT` and `MULTI_SELECT`, and invalid for other types.
For example:
```yaml theme={null}
- ref: ensure_inventory_table
action: core.table.create_table
args:
name: asset_inventory
columns:
- name: hostname
type: TEXT
- name: owner
type: TEXT
raise_on_duplicate: false
- ref: upsert_asset
action: core.table.insert_row
args:
table: asset_inventory
upsert: true
row_data:
hostname: ${{ TRIGGER.hostname }}
owner: ${{ TRIGGER.owner }}
- ref: lookup_asset
action: core.table.lookup
args:
table: asset_inventory
column: hostname
value: ${{ TRIGGER.hostname }}
```
For example, this upserts one row per alert ID:
```yaml theme={null}
- ref: upsert_alert
action: core.table.insert_row
args:
table: alerts
upsert: true
row_data:
alert_id: ${{ TRIGGER.alert_id }}
status: ${{ TRIGGER.status }}
severity: ${{ TRIGGER.severity }}
```
# Tracecat MCP
Source: https://docs.tracecat.com/automations/tracecat-mcp
Drive Tracecat from your own agent harness over MCP: build, edit, and run workflows and cases through Claude, Cursor, ChatGPT, or any MCP client.
Tracecat works best with agentic coding tools (Claude Code, Cursor, Codex, OpenCode).
Agents connected to Tracecat MCP gain the ability to build and orchestrate core Tracecat resources:
* Agents
* Workflows
* Tables (local and remote)
* Integrations (HTTP, gRPC, SQL)
* Scripts (Python, docker run)
* Cases (local and remote)
Tracecat MCP turns any coding agent into a security automation architect and engineer.
## Setup
If you are **self-hosted**, replace `https://platform.tracecat.com` with your
`PUBLIC_APP_URL` (e.g. `http://localhost` or `https://tracecat.example.com`).
Authentication uses a built-in OIDC provider—your agent is redirected to sign in
through the browser on first connection. For clients or environments that cannot
complete a browser sign-in, authenticate with a
[personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead.
Sign in with OAuth:
```bash theme={null}
claude mcp add -t http tracecat https://platform.tracecat.com/mcp
claude
/mcp
```
Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens).
Set `TRACECAT_MCP_PAT` in your environment and reference it with **single
quotes** so the variable (not the token) is written to the saved config:
```bash theme={null}
claude mcp add --transport http tracecat https://platform.tracecat.com/mcp \
--header 'Authorization: Bearer ${TRACECAT_MCP_PAT}'
```
Sign in with OAuth:
```bash theme={null}
codex mcp add tracecat --url https://platform.tracecat.com/mcp
codex mcp login tracecat
```
Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens).
Set `TRACECAT_MCP_PAT` in your environment, then reference it by name:
```bash theme={null}
codex mcp add tracecat --url https://platform.tracecat.com/mcp \
--bearer-token-env-var TRACECAT_MCP_PAT
```
```bash theme={null}
copilot
/mcp add
# Server Name: tracecat
# Server Type: HTTP
# URL: https://platform.tracecat.com/mcp
# Tools: *
```
Follow [GitHub Copilot MCP setup](https://docs.github.com/en/copilot/how-tos/copilot-cli/customize-copilot/add-mcp-servers) for the latest CLI prompts.
Or add this server to `~/.copilot/mcp-config.json`:
```json theme={null}
{
"mcpServers": {
"tracecat": {
"type": "http",
"url": "https://platform.tracecat.com/mcp",
"tools": ["*"]
}
}
}
```
To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of
OAuth, add an `Authorization` header (`${TRACECAT_MCP_PAT}` is read from your
environment):
```json theme={null}
"headers": {
"Authorization": "Bearer ${TRACECAT_MCP_PAT}"
}
```
On Tracecat Cloud, click [Add Tracecat to Cursor](https://cursor.com/en-US/install-mcp?name=tracecat\&config=eyJ1cmwiOiJodHRwczovL3BsYXRmb3JtLnRyYWNlY2F0LmNvbS9tY3AifQ)
to add it in one click. Otherwise configure `.cursor/mcp.json` manually:
```json theme={null}
{
"mcpServers": {
"tracecat": {
"url": "https://platform.tracecat.com/mcp"
}
}
}
```
To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of
OAuth, add an `Authorization` header (Cursor resolves `${env:TRACECAT_MCP_PAT}`
from your environment):
```json theme={null}
"headers": {
"Authorization": "Bearer ${env:TRACECAT_MCP_PAT}"
}
```
## Personal access tokens
OAuth is the default. For clients or environments that cannot complete a browser
sign-in (CI, headless runners, shared dev containers), authenticate with a
workspace-scoped personal access token (PAT) instead. PATs work the same on
self-hosted and Tracecat Cloud.
1. In your workspace, go to **Settings → MCP** and create a token. Set a name and
expiration.
2. Copy the token when it is shown. It is only displayed once and cannot be
retrieved again.
3. Pass it as a bearer header from your MCP client — see the **PAT** option in
each [Setup](#setup) tab above for Claude Code, Codex, Copilot, and Cursor.
Treat the PAT like a secret. It grants MCP access scoped to the workspace it
was created in. Always send it in the `Authorization` header—never in the URL
or a query string, where it leaks into server, proxy, and browser logs. Keep it
out of command output and application logs, and supply it through an environment
variable or secrets vault rather than hardcoding it in a config file. Revoke it
from **Settings → MCP** if it is exposed, and prefer short expirations.
## Starter prompts
Recreate a security automation based on a blog post.
Review the following examples and ask me if I have a specific one in mind, or if I'd like to implement one of these:
* Slack's Distributed Security Alerting ([https://slack.engineering/distributed-security-alerting/](https://slack.engineering/distributed-security-alerting/))
* AWS Incident Response Playbooks ([https://github.com/aws-samples/aws-incident-response-playbooks](https://github.com/aws-samples/aws-incident-response-playbooks))
* GitLab SIRT Incident Response ([https://handbook.gitlab.com/handbook/security/security-operations/sirt/sec-incident-response/](https://handbook.gitlab.com/handbook/security/security-operations/sirt/sec-incident-response/))
* Reddit's Threat Detection ([https://www.reddit.com/r/RedditEng/comments/1riyeam/how\_reddit\_does\_threat\_detection/](https://www.reddit.com/r/RedditEng/comments/1riyeam/how_reddit_does_threat_detection/))
Once we've selected a post:
1. Analyze the post to identify the core workflow logic, required data tables, and integration points.
2. Design and implement the necessary Tracecat workflows and tables.
3. Question any assumptions in the original post that might not apply to a modern cloud-native environment.
4. Ask clarifying questions about my specific environment, such as preferred communication channels or existing security stack.
Audit my existing Tracecat workflows, tables, and cases.
Goal:
1. Suggest improvements for efficiency, reliability, and security.
2. Identify missing components, with a specific focus on SLAs, reporting, and observability.
3. Question assumptions about my current data retention and alerting thresholds.
4. Ask clarifying questions about my team's response requirements and reporting stakeholders.
Build a security automation for automated alert triage and response.
Tasks:
1. Create a workflow triggered by a webhook that receives inbound security alerts.
2. Ask me if I have a SIEM or central log repository (like Splunk or Sentinel) that should be the primary alert source.
3. Implement an AI analysis step using `ai.action` or `ai.agent` to interpret the alert context.
4. Ask which enrichment integrations (such as VirusTotal or urlscan.io) I'd like to include for reputation checks.
5. Ensure the workflow creates a case for any alert that meets a specific risk threshold.
6. Question assumptions about alert fidelity and whether automated actions should be taken without human review.
7. Ask clarifying questions about my data schemas, expected alert volume, and specific response SLAs.
Build an automated response for user-reported phishing emails.
Tasks:
1. Design a workflow that triggers when a user submits a suspicious email to our phishing reporting mailbox.
2. Use a script or AI step to extract all URLs, domains, and attachments from the email body.
3. Perform reputation checks and sandboxing using my available security tools (e.g., URLScan, Joe Sandbox, or CrowdStrike).
4. Ask which email service (Microsoft 365 or Google Workspace) I'd like to integrate with for automated deletion or quarantine.
5. Create a case to notify the SOC if the email is confirmed malicious.
6. Question assumptions about whether automated deletion should happen for "suspicious" but not "confirmed" hits.
7. Ask clarifying questions about our internal whitelist of trusted senders and domains.
## MCP tools
List all workspaces accessible to the authenticated user.
Returns paginated workspace summaries including workspace id/name and the owning org\_id/org\_slug. Multi-org users may receive workspaces from more than one organization in a single response.
Create a new workflow in a workspace.
Get metadata for a specific workflow.
Edit a draft workflow using RFC 6902 JSON Patch.
Update workflow metadata and optional inline YAML.
List workflows in a workspace.
List workflow folders and workflows under a path.
Create a workflow folder by absolute path.
Rename a workflow folder by absolute path.
Move a workflow folder under a new parent path.
Delete a workflow folder by absolute path.
Move workflows into or out of a folder.
This tool is best-effort and non-atomic. If one workflow fails to move, the remaining workflow moves still proceed.
Search or browse available actions and return compact context metadata.
Supports three usage modes:
-> **Search**: provide `query` to search by name/description across all `namespaces`. Example: list\_actions(workspace\_id, query="send message")
-> **Browse by `namespace`**: provide `namespace` without `query` to list all actions in a `namespace`. Example: list\_actions(workspace\_id, namespace="core")
-> **Browse all**: omit both to list all available actions.
Common `namespaces`: `core`, `tools`, `ai`.
Sync the organization's custom action registry from its remote git repository.
Pulls the latest code from the custom registry repo registered in the caller's organization, builds a versioned tarball, and makes the synced actions available to agents and workflows. Use this after pushing changes to the custom integrations repo, or to roll forward/back to a specific commit. Existing published workflows must be republished to pick up newly synced action versions.
Get full schema and configuration context for a single action.
Use this after discovering an action via `list_actions` to get the complete parameter schema needed to write the `args:` block in a workflow definition.
Example action names: "core.http\_request", "core.script.run\_python", "core.transform.reshape".
Get compact workflow authoring context for selected actions.
Returns everything needed to write a workflow definition: action schemas, available secrets, and workspace variables. Use this before calling `create_workflow` or `update_workflow`.
Two input modes (provide one or neither):
-> **By name**: pass `actions` with an `action_names` list.
-> **By search**: pass `query` to search for actions by name/description
Validate a workflow's draft state.
Checks that the workflow DSL is structurally sound and that arguments are valid.
Prepare a staged template YAML upload for remote `/mcp` clients.
Validate a template action YAML file.
Validates YAML parsing, template schema correctness, step action references, argument schemas, and expression references.
Publish (commit) a workflow, creating a new versioned definition.
This validates the workflow, freezes registry dependencies, and creates a new workflow definition version.
Run a workflow from its draft state or a published definition.
By default runs the current draft (unpublished edits) so changes can be tested before publishing. Set `use_draft=False` to run a published version instead.
List recent executions for a workflow.
Use this to see run history, check which runs succeeded or failed, and find execution IDs for deeper inspection with `get_workflow_execution`.
Get status and details of a specific workflow execution.
Returns execution metadata (status, timing) and a compact event timeline showing each action's status, timing, and any errors. Use this to debug failed runs or check the progress of running workflows.
Get webhook configuration for a workflow.
Update webhook configuration for a workflow.
Get case trigger configuration for a workflow.
Update an existing case trigger for a workflow.
List workflow tag definitions in a workspace.
Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`.
Create a workflow tag definition.
Update a workflow tag definition.
Delete a workflow tag definition.
List tags attached to a workflow.
Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`.
Attach an existing workflow tag definition to a workflow.
Remove a workflow tag association from a workflow.
List cases in a workspace with default sorting.
Search cases with filtering and sorting.
Get a specific case with full details including fields, tags, and description.
Create a new case.
Update a case. Only provided fields are changed.
List all comments for a case.
List comment threads for a case. Each thread contains the root comment and its replies.
Create a new comment on a case. Provide `parent_id` to reply to an existing comment.
Update an existing comment on a case.
Delete a comment from a case.
List all tasks for a case.
Get a specific case task by ID.
Create a new task on a case.
Update a case task. Only provided fields are changed.
Run the workflow associated with a case task.
Fetches the task's `workflow_id` and `default_trigger_values`, merges them with `case_id` and `task_id` context (plus any caller-supplied overrides), then executes the latest published version of the workflow.
List activity events for a case. Events are system-generated audit entries that track every change to a case — status changes, priority changes, assignee changes, comments, tasks, tags, field changes, etc.
List case tag definitions in a workspace.
Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`.
Create a case tag definition.
Update a case tag definition.
Delete a case tag definition.
List tags attached to a case.
Returns a JSON array of tag objects with `id`, `name`, `ref`, and `color`.
Attach a case tag to a case.
Remove a case tag association from a case.
List case field definitions in a workspace.
Returns a JSON array of field objects with `id`, `type`, `description`, `nullable`, `default`, `reserved`, `options`, and optional `kind`.
Create a case field definition.
Supports optional create-only `kind`: `LONG_TEXT` requires `type="TEXT"` and `URL` requires `type="JSONB"`.
Update a case field definition.
List case dropdown definitions in a workspace. Requires the case add-ons entitlement.
Returns a paginated JSON array of dropdown objects with `id`, `name`, `ref`, `icon_name`, `is_ordered`, `required_on_closure`, `position`, and embedded `options`.
Create a case dropdown definition with optional initial options. Requires the case add-ons entitlement.
Update a case dropdown definition. Only provided fields are changed. Requires the case add-ons entitlement.
Delete a case dropdown definition along with all its options and per-case values. Requires the case add-ons entitlement.
Add an option to a case dropdown definition. Requires the case add-ons entitlement.
Update an option within a case dropdown definition. Only provided fields are changed. Requires the case add-ons entitlement.
Delete an option from a case dropdown definition. Requires the case add-ons entitlement.
Set or clear a dropdown value on a case. Provide exactly one of `definition_id` or `definition_ref`, and at most one of `option_id` or `option_ref`; omit both option arguments to clear the value. Requires the case add-ons entitlement.
List workspace tables.
Create a table with optional columns.
Get table definition and index metadata.
Update table metadata.
Insert a table row.
Insert multiple table rows.
Update a table row.
Update multiple table rows with the same values.
Search rows in a table.
Export table data as a staged download URL.
Create a unique index on a table column. Only one unique index per table is allowed.
Drop the unique index on a table column.
List workspace variables.
Get a workspace variable.
List secret metadata without secret values.
Get secret metadata by name without secret values.
List workspace integrations useful for workflow and preset authoring.
Get models, integrations, `output_type` guidance, and other preset authoring context.
Create an agent preset in the selected workspace.
Use `skills` to attach published skill versions. Each binding requires `skill_id` and `skill_version_id` from `list_skills` and `publish_skill`.
Update an existing agent preset in the selected workspace.
Use `skills` to replace attached published skill-version bindings. Each binding requires `skill_id` and `skill_version_id`. Omit `skills` to leave bindings unchanged, or pass an empty list to detach all skills.
List agent folders and presets under a path.
Create an agent folder by absolute path.
Rename an agent folder by absolute path.
Move an agent folder under a new parent path.
Delete an agent folder by absolute path.
Move agent presets into or out of a folder by preset slug.
List workspace skills with IDs, names, and current published versions.
Use this before updating, publishing, or attaching skills to agent presets.
Upload a local skill directory into Tracecat as a workspace skill.
This creates a new logical skill. Use `update_skill` when replacing an existing skill draft to avoid duplicate skill rows with the same name.
Agents should read the local directory themselves, preserve relative paths, include the root `SKILL.md` file, and pass every file in `files` using `content_base64`.
Replace an existing skill draft with a local skill directory.
This does not publish the draft. Call `publish_skill` after the update if the skill should be attachable to agent presets.
Publish a skill draft into an immutable skill version.
Only published skill versions can be attached to agent presets.
List saved agent preset slugs and names.
Use `get_agent_preset` for the full preset definition.
Get the full configuration for a saved agent preset by slug.
Run an agent preset with a prompt and return text or approval status.
Creates an ephemeral session, triggers the agent workflow, and waits for the response. The agent has access to all tools configured on the preset.
# Case triggers
Source: https://docs.tracecat.com/automations/triggers/case-triggers
Start Tracecat workflows from case events: react to case creation, status changes, and field updates to drive automated triage and response.
## Overview
Case triggers start a workflow when selected case events happen.
## Trigger payload
Case trigger data is available under `${{ TRIGGER }}`.
Fields:
* `${{ TRIGGER.case_id }}`: case ID.
* `${{ TRIGGER.event }}`: event details.
* `${{ TRIGGER.tags }}`: case tags.
* `${{ TRIGGER.workspace_id }}`: workspace ID.
Example payload:
```json theme={null}
{
"case_id": "case_01abc",
"event": {
"id": "evt_01abc",
"type": "comment_created",
"data": {
"comment_id": "cmt_01abc"
},
"created_at": "2026-03-19T14:22:00+00:00",
"user_id": "usr_01abc",
"wf_exec_id": null
},
"tags": [
{
"id": "tag_01abc",
"ref": "triage",
"name": "Triage",
"color": null
}
],
"workspace_id": "ws_01abc"
}
```
## Case events
One or more case events must be selected before the trigger is enabled. Supported event families include:
* Case events such as create, update, close, reopen, and view.
* Comment events such as comment and reply activity.
* Field changes such as status, priority, severity, assignee, and payload changes.
* Tag events such as tag add and remove.
* Task events such as task create, delete, and workflow or assignee changes.
* Attachment events such as add and remove.
* Dropdown changes.
## Tag allowlist
Restrict runs to cases with matching tags. If the allowlist is empty, no tag filtering is applied. Matching uses the case's current tags.
## Important behavior
Workflow-originated case events are ignored to avoid loops.
# Comment triggers
Source: https://docs.tracecat.com/automations/triggers/comment-triggers
Run Tracecat workflows from case comments and replies: parse comment text, route directives to actions and agents, and bridge analyst chat into automation.
## Overview
You can start a workflow from a case comment or reply by selecting it in the comment composer.
## Trigger payload
Comment trigger data is available under `${{ TRIGGER }}`.
Fields:
* `${{ TRIGGER.case_id }}`: case ID.
* `${{ TRIGGER.comment_id }}`: comment ID.
* `${{ TRIGGER.parent_id }}`: parent comment ID.
* `${{ TRIGGER.text }}`: comment text.
* `${{ TRIGGER.triggered_by }}`: actor details.
* `${{ TRIGGER.event }}`: event details.
* `${{ TRIGGER.tags }}`: case tags.
Example payload:
```json theme={null}
{
"case_id": "case_01abc",
"comment_id": "cmt_01abc",
"parent_id": null,
"text": "Escalating to the IAM workflow.",
"workspace_id": "ws_01abc",
"triggered_by": {
"type": "user",
"user_id": "usr_01abc",
"service_id": null
},
"event": {
"id": "evt_01abc",
"type": "comment_created",
"created_at": "2026-03-19T14:22:00+00:00",
"user_id": "usr_01abc"
},
"tags": [
{
"id": "tag_01abc",
"ref": "triage",
"name": "Triage",
"color": null
}
]
}
```
# Error workflows
Source: https://docs.tracecat.com/automations/triggers/error-workflows
Run a Tracecat workflow whenever another workflow fails: forward error context, alert on-call, and centralize incident-handling logic across automations.
## Overview
Error workflows run when another workflow fails with an application error.
## Trigger payload
The failed run is passed into the error workflow under `${{ TRIGGER }}`.
Fields:
* `${{ TRIGGER.message }}`: the top-level failure message.
* `${{ TRIGGER.orig_wf_id }}`: the failed workflow ID.
* `${{ TRIGGER.orig_wf_exec_id }}`: the failed workflow execution ID.
* `${{ TRIGGER.orig_wf_exec_url }}`: the failed workflow execution URL, if available.
* `${{ TRIGGER.orig_wf_title }}`: the failed workflow title.
* `${{ TRIGGER.trigger_type }}`: the original trigger type.
* `${{ TRIGGER.errors }}`: structured action error details, if available.
Example payload:
```json theme={null}
{
"message": "Action failed",
"handler_wf_id": "wf_4itKqkgCZrLhgYiq5L211X",
"orig_wf_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z",
"orig_wf_exec_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z/exec_7aBcDeFgHiJkLmNoPqRsTu",
"orig_wf_exec_url": "https://platform.tracecat.com/workspaces/ws_2xYzAbCdEfGhJkLmNoPqRs/workflows/wf_3mYp8JkL2nQr7sTu9vWx0Z/executions/exec_7aBcDeFgHiJkLmNoPqRsTu",
"orig_wf_title": "Investigate alert",
"trigger_type": "webhook",
"errors": [
{
"ref": "fetch_alert",
"message": "Request returned 500",
"type": "HTTPError"
}
]
}
```
## Configure an error workflow
Set `Error workflow` in the workflow settings panel. Use a workflow ID or alias.
## Publish behavior
The workflow must be published for the committed error workflow setting to apply to published runs and schedules.
# Schedules
Source: https://docs.tracecat.com/automations/triggers/schedules
Run Tracecat workflows on a time-based cadence: configure cron schedules, fixed intervals, and trigger payloads for recurring automations.
## Overview
Schedules run a workflow on a time-based cadence. The workflow must be saved before a schedule can be created.
## Schedule types
Schedule types:
* Interval schedules use `every`.
* Cron schedules use `cron`.
Cron uses standard 5-field or 6-field expressions.
## Schedule fields
* Status: `online` or `offline`.
* Start time: optional.
* End time: optional.
* Timeout: optional, and `0` means no timeout.
* Offset: interval-only, using an ISO 8601 duration.
## When to use schedules
Use schedules for:
* Polling an external system on a fixed cadence.
* Running cleanup or maintenance workflows on a timer.
* Syncing data or refreshing enrichments throughout the day.
# Task triggers
Source: https://docs.tracecat.com/automations/triggers/task-triggers
Run Tracecat workflows from case tasks: trigger automations as tasks are created, assigned, completed, or updated to keep response work moving.
## Overview
You can start a workflow from a case task. Set the workflow on the task, then start it from the task UI. If the workflow has an Input schema, the dialog asks for inputs. Otherwise, Tracecat shows generated case inputs.
## Trigger payload
Task trigger data is available under `${{ TRIGGER }}`.
Fields:
* `${{ TRIGGER.case_id }}`: case ID.
* `${{ TRIGGER.task_id }}`: task ID.
Example payload:
```json theme={null}
{
"case_id": "case_01abc",
"task_id": "task_01abc"
}
```
# Webhooks
Source: https://docs.tracecat.com/automations/triggers/webhooks
Trigger Tracecat workflows from external systems with webhooks: configure secret URLs, parse JSON or form payloads, and validate inbound requests.
## Overview
Webhooks start a workflow from an external system. The URL includes the webhook secret. `POST` is the primary method. `GET` also works for verification flows. The workflow must be published before the webhook runs.
## Using webhook payloads
The request body becomes `TRIGGER`, for example `${{ TRIGGER.alert_id }}`.
## Supported request formats
Parsing:
* Empty body: no trigger payload is created.
* JSON by default: the body is parsed as JSON and becomes `TRIGGER`.
* Form payloads with `application/x-www-form-urlencoded`: the body is parsed as a dictionary. Form field names become keys on `TRIGGER`.
* NDJSON payloads with `application/x-ndjson`, `application/jsonlines`, and `application/jsonl`: Tracecat starts one workflow run per JSON line. `TRIGGER` is that line, not the full request body.
## Securing webhooks
### Allowed HTTP methods
Allowed methods can be `GET`, `POST`, or both. Requests that use a method outside the allowed list are rejected.
### API key authentication
Webhook API keys are optional. If configured, the sender must include `x-tracecat-api-key`. The UI supports generate, rotate, revoke, and delete. A revoked key blocks requests until a new key is generated or API key protection is removed.
### IP allowlist
Requests can be restricted to specific IPs or CIDR ranges. The allowlist is IPv4-only.
## Response
Default response:
```json theme={null}
{
"message": "Workflow execution created",
"wf_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z",
"wf_exec_id": "wf_3mYp8JkL2nQr7sTu9vWx0Z/exec_7aBcDeFgHiJkLmNoPqRsTu"
}
```
Query parameters:
* `echo=true`: add the original request body to the response under `payload`.
* `empty_echo=true`: return an empty `200` with no body. Implies `echo=true`.
* `vendor=okta`: handle Okta verification challenges. See [Okta verification](#okta-verification).
## Synchronous execution with /wait
Use `POST /webhooks/{workflow_id}/{secret}/wait` to run a workflow and receive its `return` value in the response. The request blocks until the workflow finishes. The workflow must be published. The request body becomes `TRIGGER` exactly as with the default webhook.
This endpoint is designed for workflows-as-APIs: the caller treats the workflow like a synchronous HTTP handler.
### Response schema
The response is an envelope with a `kind` discriminator:
```json theme={null}
{
"kind": "value",
"value": { "status": "ok" }
}
```
```json theme={null}
{
"kind": "download_file",
"download_url": "https://...",
"expires_in_seconds": 10,
"content_type": "application/json",
"size_bytes": 262144
}
```
### Kinds
* `value`: inline result. The body has `value` set to the workflow's `return` value.
* `download_file`: externalized result. The body has a presigned `download_url`, plus `expires_in_seconds`, `content_type`, and `size_bytes`.
* `download_export`: materialized collection result. Same fields as `download_file`; `content_type` is always `application/json`.
Results over `TRACECAT__RESULT_EXTERNALIZATION_THRESHOLD_BYTES` (default 128 KiB) are stored in object storage and returned as a short-lived presigned URL (default 10-second expiry). This keeps the webhook response small and predictable, so synchronous callers never stream megabytes of workflow state through a single HTTP response.
### Query parameters
* `unwrap=true`: return the workflow's `return` value directly as the response body, with no envelope. Requires the result to fit inline.
If the result was externalized (kind `download_file` or `download_export`), `/wait?unwrap=true` returns `413 Payload Too Large` with the download envelope under `detail`, so the caller can still fetch the data.
Example:
```bash theme={null}
curl -X POST "https:///webhooks///wait?unwrap=true" \
-H "Content-Type: application/json" \
-d '{"alert_id": "A-001"}'
# 200 OK
# {"status": "ok"}
```
If the workflow returns a result larger than the externalization threshold:
```json theme={null}
{
"detail": {
"kind": "download_file",
"download_url": "https://...",
"expires_in_seconds": 10,
"content_type": "application/json",
"size_bytes": 262144
}
}
```
## Slack event subscriptions
Slack event subscription verification uses `?echo=true`.
## Slack modal close and fast acknowledgements
Slack interactive flows that need a fast empty acknowledgement use `?echo=true&empty_echo=true`.
## Okta verification
Okta verification requests use `vendor=okta`. Tracecat reads `x-okta-verification-challenge` and returns:
```json theme={null}
{
"verification": ""
}
```
# Workflows
Source: https://docs.tracecat.com/automations/workflows
Build, run, and manage Tracecat workflows: connect triggers and actions, version definitions, and orchestrate automations across cases and agents.
## Creating workflows
View and create workflows in the Tracecat UI under the `/workflows` page.
## Run workflows manually
You can run a workflow manually by clicking the `Run` button in the top right corner of the workflow builder.
## Triggers
Workflows can be triggered by:
* [Webhooks](/automations/triggers/webhooks)
* [Schedules](/automations/triggers/schedules)
* [Subflow run action](/automations/core-actions/workflow-actions/run-subflow)
* [Case triggers](/automations/triggers/case-triggers) Enterprise
* [Task triggers](/automations/triggers/task-triggers) Enterprise
* [Comment triggers](/automations/triggers/comment-triggers) Enterprise
## Trigger inputs
You can specify trigger inputs in the workflow builder.
These inputs are passed to the workflow as `${{ TRIGGER }}` expressions.
## View workflow runs
There are three views for workflow runs:
* Events panel: most recent run in the left part of the workflow builder
* Runs view: all runs for a specific workflow
* Enterprise History view: all runs across all workflows
## Tag workflow
Right click on a workflow in the workflows table then hover over the "Tags" menu item.
## Draft workflows
Draft workflows are workflows that are currently being edited.
You can run draft workflows manually by clicking the `Run` button in the top right corner of the workflow builder.
## Published workflows
To deploy a workflow, you must publish it.
Webhooks, schedules, subflows, and other workflow triggers always run the latest published workflow version.
## Workflow settings
Click on the workflow canvas to open the workflow settings panel.
### Workflow alias
Workflow aliases are used to reference the workflow in subflows and error workflows.
Keep aliases short, descriptive, and snake\_case.
You must define a workflow alias in order to trigger it as a subflow or error workflow.
### Error workflows
You can specify an error workflow to run when a workflow fails.
Information about the failed workflow run is passed to the error workflow under the `${{ TRIGGER }}` expression.
See [Error workflows](/automations/triggers/error-workflows) for more information.
### Input schema
You can specify an input schema to validate the trigger inputs to the workflow.
Define the input schema as YAML or JSON-compatible YAML, where each top-level key is an input name.
Each input supports these fields:
* `type` is a Tracecat type expression such as `str`, `int`, `bool`, `float`, `datetime`, `duration`, `list[int]`, `dict[str, Any]`, `str | None`, or `enum["low", "high"]`
* `description` is an optional description of the input
* `default` is an optional default value; if you set it, the input becomes optional
For example:
```yaml theme={null}
my_param:
type: str
description: This is a string
default: My default value
my_list:
type: list[int]
description: This is a list of integers without a default value
my_union:
type: str | int | None
description: This is a union of a string, an integer, and None
```
### Output schema
Workflows return `null` by default.
You can specify a return value for the workflow as an output schema.
Output schemas support all Tracecat expressions.
For example, assume a workflow has three actions `whoami`, `location`, and `contact`.
The actions return the following results:
* `whoami`: `{ "name": "John", "age": 30 }`
* `location`: `{ "city": "New York", "country": "USA" }`
* `contact`: `{ "email": "john@example.com", "phone": "1234567890" }`
The output schema can be defined as:
```php theme={null}
name: ${{ ACTIONS.whoami.result.name }}
city: ${{ ACTIONS.location.result.city }}
email: ${{ ACTIONS.contact.result.email }}
```
### Environments
You can specify a default environment to use for the workflow.
Actions without an environment override will use the default environment to pull secrets and variables from.
## Export / import workflows
Enterprise users should use Tracecat's Git sync feature to push and pull their workflow definitions directly from a remote Git repository.
Open Source users can export and import workflows directly from the Tracecat UI.
Exported workflows are called workflow definitions and are saved as YAML files.
Right click on a workflow in the `/workflows` page to export the draft or published workflow definition:
Exported workflows can be imported via the "Create new" button in the `/workflows` page:
## Cancel / terminate / reset runs
The Temporal UI exposes all your workflow runs. Do not expose it to the public internet unless you have OIDC SSO enabled.
Open Source Open up the Temporal UI to view and control all workflow runs.
Expose port `8081` in the `temporal_ui` service in the `docker-compose.yml` file and run `docker compose up`.
Then access the Temporal UI at `http://localhost:8081`.
Set the following Terraform variables:
* `disable_temporal_ui` to `false`
* `temporal_auth_provider_url` to your identity provider's URL
* `temporal_auth_client_id` to the OIDC client ID
* `temporal_auth_client_secret` to the OIDC client secret
Then run `terraform apply`. Access the Temporal UI at `http:///temporal-admin`.
Enterprise You can view, cancel, terminate, and reset all workflow runs directly from the Tracecat UI under the `/runs` page.
## Copy actions to clipboard
Hover over any action in the events panel or runs view.
You'll see two icons: Link and Copy next to the action key-value.
The link icon copies the JSONPath reference to the action result. For example, `${{ ACTIONS.first_action.result }}`.
The copy icon copies the value of the action result itself.
When an action uses `mask_output`, the workflow execution UI keeps object and array structure but shows `[REDACTED]` for each individual value. You can still copy JSONPath references from the displayed shape, and downstream actions still receive the original result.
## Workflow definition
All workflows are stored, exported, and versioned as YAML-based workflow definitions.
See [Workflow definition](/automations/core-concepts/workflow-definition) for the full specification.
# Functions
Source: https://docs.tracecat.com/cheatsheets/functions
Quick reference for every Tracecat expression function and operator, with signatures and examples for transforming data inside workflows and agents.
## Examples
Build a prompt or short string:
```yaml Expression theme={null}
prompt: ${{ FN.format("Investigate alert {0} with severity {1}", TRIGGER.alert_id, TRIGGER.severity) }}
```
```json Result theme={null}
{
"prompt": "Investigate alert al-123 with severity high"
}
```
Time manipulation for alert search windows:
```yaml Expression theme={null}
start_time: ${{ FN.to_isoformat(FN.now() - FN.minutes(15)) }}
end_time: ${{ FN.to_isoformat(FN.now()) }}
```
```json Result theme={null}
{
"start_time": "2026-03-18T12:45:00",
"end_time": "2026-03-18T13:00:00"
}
```
Deserialize or serialize JSON:
```yaml Expression theme={null}
parsed: ${{ FN.deserialize_json(TRIGGER.raw_json) }}
serialized: ${{ FN.serialize_json({"status": "ok", "count": 3}) }}
```
```json Result theme={null}
{
"parsed": {
"status": "open",
"count": 3
},
"serialized": "{\"status\":\"ok\",\"count\":3}"
}
```
Format rows into a Markdown table:
```yaml Expression theme={null}
table: ${{ FN.to_markdown_table(ACTIONS.list_findings.result) }}
```
```json Result theme={null}
{
"table": "| id | severity |\n| --- | --- |\n| f-1 | high |\n| f-2 | medium |"
}
```
Count or reshape a small value:
```yaml Expression theme={null}
count: ${{ FN.length(ACTIONS.gather_results.result) }}
unique_tags: ${{ FN.unique(TRIGGER.tags) }}
```
```json Result theme={null}
{
"count": 3,
"unique_tags": ["auth", "critical"]
}
```
This page is generated from `tracecat/expressions/functions.py`.
## Function reference
`FN.add(a: float | int, b: float | int) -> float | int`
Add two numbers together.
`FN.and(a: bool, b: bool) -> bool`
Logical AND operation.
`FN.at(sequence: Sequence[Any], index: int) -> Any`
Return the element at the given index.
`FN.capitalize(x: str) -> str`
Capitalize a string.
`FN.check_ip_version(ip: str) -> int`
Get IP address version (4 or 6).
`FN.compact(x: list[Any]) -> list[Any]`
Drop null values from a list. Similar to compact function in Terraform.
`FN.concat(*items: str) -> str`
Concatenate multiple strings.
`FN.contains(item: Any, container: Sequence[Any]) -> bool`
Check if item exists in a sequence.
Aliases: `FN.is_in`
`FN.contains_any_of(a: Sequence[Any], b: Sequence[Any]) -> bool`
Check if any of the elements of the first sequence exist in the second sequence.
`FN.contains_none_of(a: Sequence[Any], b: Sequence[Any]) -> bool`
Check if all of of the elements of the first sequence don't exist in the second sequence.
`FN.datetime(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime`
Create datetime from year, month, day, hour, minute, and second.
`FN.days(x: int) -> timedelta`
Create timedelta with specified days.
`FN.days_between(start: datetime | str, end: datetime | str) -> float`
Days between two datetimes.
`FN.deserialize_json(obj, /)`
Deserialize JSON to Python objects.
`FN.deserialize_ndjson(x: str) -> list[dict[str, Any]]`
Parse newline-delimited JSON string into list of objects.
`FN.deserialize_yaml(x: str) -> Any`
Deserialize YAML string to object.
`FN.difference(a: Sequence[Any], b: Sequence[Any]) -> list[Any]`
Return a list of elements that are in the first sequence but not in the second.
`FN.div(a: float | int, b: float | int) -> float`
Divide first number by second number.
`FN.does_not_contain(item: Any, container: Sequence[Any]) -> bool`
Check if item does not exist in a sequence.
Aliases: `FN.is_not_in`, `FN.not_in`
`FN.drop_nulls(items: list[Any]) -> list[Any]`
Remove all null or empty string values from a list.
`FN.endswith(x: str, suffix: str) -> bool`
Check if a string ends with a specified suffix.
`FN.extract_asns(text: str) -> list[str]`
Extract Autonomous System Numbers, e.g. AS1234, from a string.
`FN.extract_cves(text: str) -> list[str]`
Extract CVE IDs, such as CVE-2021-34527, from a string.
`FN.extract_domains(text: str, include_defanged: bool = False) -> list[str]`
Extract domain names from a string.
`FN.extract_emails(text: str, normalize: bool = False) -> list[str]`
Extract unique emails from a string. When `normalize` is True, lowercases the email and strips the subaddress (the `+...` part before `@`).
`FN.extract_ip(text: str, include_defanged: bool = False) -> list[str]`
Extract unique IPv4 and IPv6 addresses from a string.
`FN.extract_ipv4(text: str, include_defanged: bool = False) -> list[str]`
Extract unique IPv4 addresses from a string.
`FN.extract_ipv6(text: str, include_defanged: bool = False) -> list[str]`
Extract unique IPv6 addresses from a string. Includes defanged variants as an option.
`FN.extract_mac(text: str) -> list[str]`
Extract MAC addresses from a string.
`FN.extract_md5(text: str) -> list[str]`
Extract MD5 hashes from a string.
`FN.extract_sha1(text: str) -> list[str]`
Extract SHA1 hashes from a string.
`FN.extract_sha256(text: str) -> list[str]`
Extract SHA256 hashes from a string.
`FN.extract_sha512(text: str) -> list[str]`
Extract SHA512 hashes from a string.
`FN.extract_urls(text: str, http_only: bool = False, include_defanged: bool = False) -> list[str]`
Extract URLs from text, optionally including defanged ones.
`FN.flatten(iterables: Sequence[Sequence[Any]]) -> list[Any]`
Flatten nested sequences into a single list.
`FN.flatten_dict(x: str | dict[str, Any] | list[Any], max_depth: int = 100) -> dict[str, Any]`
Return object with single level of keys (as jsonpath) and values.
`FN.format(template: str, *values: Any) -> str`
Format a string with the given arguments.
`FN.format_datetime(x: datetime | str, format: str) -> str`
Format datetime into specified format (e.g. '%Y-%m-%d %H:%M:%S').
`FN.from_base64(x: str) -> str`
Decode base64 string to string.
`FN.from_base64url(x: str) -> str`
Decode URL-safe base64 string to string.
`FN.from_timestamp(x: float | int | str, unit: str = s) -> datetime`
Convert timestamp in milliseconds ('ms') or seconds ('s') to datetime.
`FN.get_day(x: datetime | str) -> int`
Get day of month (1-31) from datetime.
`FN.get_day_of_week(x: datetime | str, format: "Literal[number, full, short]" = number) -> int | str`
Extract day of week from datetime. Returns 0-6 (Mon-Sun) or day name if format is "full" or "short".
`FN.get_hour(x: datetime | str) -> int`
Get hour (0-23) from datetime.
`FN.get_interaction() -> dict[str, str] | None`
Get the interaction context from the current action in the workflow execution.
`FN.get_minute(x: datetime | str) -> int`
Get minute (0-59) from datetime.
`FN.get_month(x: datetime | str, format: "Literal[number, full, short]" = number) -> int | str`
Extract month from datetime. Returns 1-12 or month name if format is "full" or "short".
`FN.get_second(x: datetime | str) -> int`
Get second (0-59) from datetime.
`FN.get_year(x: datetime | str) -> int`
Get year from datetime.
`FN.greater_than(a: Any, b: Any) -> bool`
Check if a is greater than b.
`FN.greater_than_or_equal(a: Any, b: Any) -> bool`
Check if a is greater than or equal to b.
`FN.hash_md5(x: str | bytes) -> str`
Generate MD5 hash of input string or bytes.
`FN.hash_sha1(x: str | bytes) -> str`
Generate SHA1 hash of input string or bytes.
`FN.hash_sha256(x: str | bytes) -> str`
Generate SHA256 hash of input string or bytes.
`FN.hash_sha512(x: str | bytes) -> str`
Generate SHA512 hash of input string or bytes.
`FN.hours(x: int) -> timedelta`
Create timedelta with specified hours.
`FN.hours_between(start: datetime | str, end: datetime | str) -> float`
Hours between two datetimes.
`FN.intersection(a: Sequence[Any], b: Sequence[Any]) -> list[Any]`
Return a list containing the intersection of elements from two sequences.
`FN.ipv4_in_subnet(ipv4: str, subnet: str) -> bool`
Check if IPv4 address is in the given subnet.
`FN.ipv4_is_public(ipv4: str) -> bool`
Check if IPv4 address is public/global.
`FN.ipv6_in_subnet(ipv6: str, subnet: str) -> bool`
Check if IPv6 address is in the given subnet.
`FN.ipv6_is_public(ipv6: str) -> bool`
Check if IPv6 address is public/global.
`FN.is_empty(x: Sequence[Any]) -> bool`
Check if sequence has length 0.
`FN.is_equal(a: Any, b: Any) -> bool`
Check if a is equal to b.
`FN.is_in(item: Any, container: Sequence[Any]) -> bool`
Check if item exists in a sequence.
Aliases: `FN.contains`
`FN.is_json(x: str) -> bool`
Check if a string is valid JSON.
`FN.is_not_empty(x: Sequence[Any]) -> bool`
Check if sequence has length greater than 0.
Aliases: `FN.not_empty`
`FN.is_not_equal(a: Any, b: Any) -> bool`
Check if a is not equal to b.
Aliases: `FN.not_equal`
`FN.is_not_in(item: Any, container: Sequence[Any]) -> bool`
Check if item does not exist in a sequence.
Aliases: `FN.does_not_contain`, `FN.not_in`
`FN.is_not_null(x: Any) -> bool`
Check if value is not None.
Aliases: `FN.not_null`
`FN.is_null(x: Any) -> bool`
Check if value is None.
`FN.is_working_hours(x: datetime | str, start: str, end: str, include_weekends: bool = False, timezone: str | None = None) -> bool`
Check if datetime is between two times (HH:MM or HH:MM:SS strings).
`FN.iter_product(*iterables: Sequence[Any]) -> list[tuple[Any, ...]]`
Generate cartesian product of sequences.
`FN.join(items: Sequence[str], sep: str) -> str`
Join sequence of strings with separator.
`FN.length(obj, /)`
Return the number of items in a container.
`FN.less_than(a: Any, b: Any) -> bool`
Check if a is less than b.
`FN.less_than_or_equal(a: Any, b: Any) -> bool`
Check if a is less than or equal to b.
`FN.lookup(d: dict[Any, Any], k: Any) -> Any`
Safely get value from an object.
`FN.lowercase(x: str) -> str`
Convert string to lowercase.
`FN.map_keys(x: dict[str, Any], keys: dict[str, str]) -> dict[str, Any]`
Map keys in an object to new keys.
`FN.max(a: Any, b: Any) -> Any`
Return the maximum of two values.
`FN.merge(x: list[dict[Any, Any]]) -> dict[Any, Any]`
Merge list of objects. Similar to merge function in Terraform.
`FN.min(a: Any, b: Any) -> Any`
Return the minimum of two values.
`FN.minutes(x: int) -> timedelta`
Create timedelta with specified minutes.
`FN.minutes_between(start: datetime | str, end: datetime | str) -> float`
Minutes between two datetimes.
`FN.mod(a: float | int, b: float | int) -> float | int`
Calculate modulo (remainder) of first number divided by second.
`FN.mul(a: float | int, b: float | int) -> float | int`
Multiply two numbers together.
`FN.normalize_email(email: str) -> str`
Convert sub-addressed email to a normalized email address.
`FN.not(x: bool) -> bool`
Logical NOT operation.
`FN.not_empty(x: Sequence[Any]) -> bool`
Check if sequence has length greater than 0.
Aliases: `FN.is_not_empty`
`FN.not_equal(a: Any, b: Any) -> bool`
Check if a is not equal to b.
Aliases: `FN.is_not_equal`
`FN.not_in(item: Any, container: Sequence[Any]) -> bool`
Check if item does not exist in a sequence.
Aliases: `FN.does_not_contain`, `FN.is_not_in`
`FN.not_null(x: Any) -> bool`
Check if value is not None.
Aliases: `FN.is_not_null`
`FN.now(as_isoformat: bool = False, timespec: str = auto) -> datetime | str`
Return workflow logical time (local, naive) or current time if outside workflow.
`FN.or(a: bool, b: bool) -> bool`
Logical OR operation.
`FN.parse_csv(x: str) -> list[dict[str, Any]]`
Parse CSV string into list of objects.
`FN.parse_datetime(x: str, format: str) -> datetime`
Parse string to datetime using specified format.
`FN.parse_time(x: str) -> time`
Parse HH:MM:SS or HH:MM formatted string to a time object.
`FN.pow(a: float | int, b: float | int) -> float | int`
Raise first number to the power of second number.
`FN.prefix(x: str | list[str], prefix: str) -> str | list[str]`
Add a prefix to a string or list of strings.
`FN.prettify_json(x: Any) -> str`
Convert object to formatted JSON string.
`FN.range(start: int, end: int, step: int = 1) -> list[int]`
Create a range of integers from start to end (exclusive), with a step size.
`FN.regex_extract(pattern: str, text: str) -> str | None`
Extract the first captured group from text; fallback to full match if none.
`FN.regex_match(pattern: str, text: str) -> bool`
Check if text matches regex pattern.
`FN.regex_not_match(pattern: str, text: str) -> bool`
Check if text does not match regex pattern.
`FN.replace(x: str, old: str, new: str) -> str`
Replace all occurrences of old substring with new substring.
`FN.seconds(x: int) -> timedelta`
Create timedelta with specified seconds.
`FN.seconds_between(start: datetime | str, end: datetime | str) -> float`
Seconds between two datetimes.
`FN.serialize(x: Any) -> str`
Serialize a JSON-compatible value to string.
`FN.serialize_json(x: Any) -> str`
Convert object to JSON string.
`FN.serialize_yaml(x: Any) -> str`
Serialize object to YAML string.
`FN.set_timezone(x: datetime | str, timezone: str) -> datetime`
Convert datetime to different timezone. Timezone must be a valid IANA timezone name (e.g., "America/New\_York").
`FN.slice(x: str, start_index: int, length: int) -> str`
Extract a substring from start\_index with given length.
`FN.slugify(x: str) -> str`
Slugify a string.
`FN.split(x: str, sep: str) -> list[str]`
Split a string into a list of strings by a seperator.
`FN.startswith(x: str, suffix: str) -> bool`
Check if a string starts wit a specified suffix.
`FN.strip(x: str, chars: str) -> str`
Removes all leading and trailing characters.
`FN.sub(a: float | int, b: float | int) -> float | int`
Subtract second number from first number.
`FN.suffix(x: str | list[str], suffix: str) -> str | list[str]`
Add a suffix to a string or list of strings.
`FN.sum(iterable: Iterable[float | int], start: float | int = 0) -> float | int`
Return the sum of a 'start' value (default: 0) plus an iterable of numbers.
`FN.symmetric_difference(a: Sequence[Any], b: Sequence[Any]) -> list[Any]`
Return a list of elements that are in either sequence but not in both.
`FN.tabulate(x: list[dict[str, typing.Any]], format: Literal[markdown, html, csv, xml]) -> str`
Format list of objects into `markdown`, `html`, `csv`, or `xml`
`FN.titleize(x: str) -> str`
Convert a string to titlecase.
`FN.to_base64(x: str) -> str`
Encode string to base64.
`FN.to_base64url(x: str) -> str`
Encode string to URL-safe base64.
`FN.to_datetime(x: Any, timezone: str | None = None) -> datetime`
Convert to timezone-aware datetime object from timestamp (in seconds), ISO 8601 string or existing datetime.
`FN.to_isoformat(x: datetime | str, timespec: str = auto) -> str`
Convert datetime to ISO format string.
`FN.to_keys(x: dict[Any, Any]) -> list[Any]`
Extract keys from an object.
`FN.to_markdown_list(x: list[str], ordered: bool = False) -> str`
Format list of strings into Markdown list.
`FN.to_markdown_table(x: list[dict[str, typing.Any]]) -> str`
Format list of dictionaries into Markdown table.
`FN.to_markdown_tasks(x: list[str]) -> str`
Format list of strings into Markdown tasks.
`FN.to_time(x: datetime | str) -> time`
Convert datetime to time.
`FN.to_timestamp(x: datetime | str, unit: str = s) -> int`
Convert datetime to timestamp in milliseconds ('ms') or seconds ('s').
`FN.to_values(x: dict[Any, Any]) -> list[Any]`
Extract values from an object.
`FN.today() -> date`
Return workflow logical time date (local) or current date if outside workflow.
`FN.union(a: Sequence[Any], b: Sequence[Any]) -> list[Any]`
Return a list containing the union of elements from two sequences.
`FN.unique(items: Sequence[Any]) -> list[Any]`
List of hashable items (e.g. strings, numbers) to remove duplicates from.
`FN.unset_timezone(x: datetime | str) -> datetime`
Remove timezone information from datetime without changing the time.
`FN.uppercase(x: str) -> str`
Convert string to uppercase.
`FN.url_decode(x: str) -> str`
Converts percent-encoded characters back into their original form.
`FN.url_encode(x: str) -> str`
Converts URL-unsafe characters into percent-encoded characters.
`FN.utcnow(as_isoformat: bool = False, timespec: str = auto) -> datetime | str`
Return workflow logical time (UTC, aware) or current UTC time if outside workflow.
`FN.uuid4() -> str`
Generate a random UUID string.
`FN.wall_clock(as_isoformat: bool = False, timespec: str = auto) -> datetime | str`
Return actual current wall clock time (local, naive).
`FN.weeks(x: int) -> timedelta`
Create timedelta with spcified weeks
`FN.weeks_between(start: datetime | str, end: datetime | str) -> float`
Weeks between two datetimes or dates.
`FN.windows_filetime(x: datetime | str) -> int`
Convert datetime to Windows filetime.
`FN.zip(*iterables: Sequence[Any]) -> list[tuple[Any, ...]]`
Zip multiple sequences together.
`FN.zip_map(x: list[str], y: list[str]) -> dict[str, str]`
Zip two arrays into list of key-value pairs, then convert into mapping.
## Operator equivalents
Equivalent function names: `FN.or`
Equivalent function names: `FN.and`
Equivalent function names: `FN.is_equal`
Equivalent function names: `FN.is_not_equal`, `FN.not_equal`
Equivalent function names: `FN.less_than`
Equivalent function names: `FN.less_than_or_equal`
Equivalent function names: `FN.greater_than`
Equivalent function names: `FN.greater_than_or_equal`
Equivalent function names: `FN.add`
Equivalent function names: `FN.sub`
Equivalent function names: `FN.mul`
Equivalent function names: `FN.div`
Equivalent function names: `FN.mod`
Equivalent function names: `FN.contains`, `FN.is_in`
Equivalent function names: `FN.does_not_contain`, `FN.is_not_in`, `FN.not_in`
# JSONPath
Source: https://docs.tracecat.com/cheatsheets/jsonpath
Quick reference for JSONPath syntax, filters, and access patterns used in Tracecat expressions to read fields from triggers, actions, secrets, and variables.
## Filter patterns
Equality:
```yaml Expression theme={null}
high_alerts: ${{ TRIGGER.alerts[?(@.severity == "high")] }}
open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
```
```json Result theme={null}
{
"high_alerts": [{"id": "al-1", "severity": "high"}],
"open_findings": [{"id": "f-1", "status": "open"}]
}
```
Inequality:
```yaml Expression theme={null}
secondary_roles: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug != "primary-role")] }}
```
```json Result theme={null}
{
"secondary_roles": [
{
"attributes": {
"incident_role": {
"data": {
"attributes": {
"slug": "secondary-role"
}
}
}
}
}
]
}
```
Numeric comparison:
```yaml Expression theme={null}
critical_scores: ${{ ACTIONS.lookup_users.result.users[?(@.score >= 90)] }}
recent_events: ${{ TRIGGER.events[?(@.count > 10)] }}
```
```json Result theme={null}
{
"critical_scores": [{"name": "Alice", "score": 96}],
"recent_events": [{"id": "evt-1", "count": 14}]
}
```
Truthy field check:
```yaml Expression theme={null}
users_with_email: ${{ ACTIONS.lookup_users.result.users[?(@.email)] }}
alerts_with_owner: ${{ TRIGGER.alerts[?(@.owner)] }}
```
```json Result theme={null}
{
"users_with_email": [{"name": "Alice", "email": "alice@example.com"}],
"alerts_with_owner": [{"id": "al-1", "owner": "secops"}]
}
```
String matching by exact value:
```yaml Expression theme={null}
prod_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.environment == "prod")] }}
linux_hosts: ${{ ACTIONS.inventory.result.hosts[?(@.os == "linux")] }}
```
```json Result theme={null}
{
"prod_hosts": [{"hostname": "api-1", "environment": "prod"}],
"linux_hosts": [{"hostname": "api-1", "os": "linux"}, {"hostname": "worker-1", "os": "linux"}]
}
```
Nested field checks:
```yaml Expression theme={null}
owned_devices: ${{ TRIGGER.assets[?(@.owner.name == "SecOps")] }}
resolved_cases: ${{ ACTIONS.search_cases.result.items[?(@.status.name == "resolved")] }}
```
```json Result theme={null}
{
"owned_devices": [{"id": "dev-1", "owner": {"name": "SecOps"}}],
"resolved_cases": [{"id": "case-2", "status": {"name": "resolved"}}]
}
```
Filter and project a nested field:
```yaml Expression theme={null}
role_slugs: ${{ ACTIONS.parse_event.result.included[?(@.attributes.incident_role.data.attributes.slug)].attributes.incident_role.data.attributes.slug }}
```
```json Result theme={null}
{
"role_slugs": ["primary-role", "secondary-role"]
}
```
Filter and return one field from matching rows:
```yaml Expression theme={null}
open_ids: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].id }}
```
```json Result theme={null}
{
"open_ids": ["f-1", "f-3"]
}
```
## Return behavior
* Single matches return a scalar.
* Wildcards return a list.
* Filters return a list.
* Non-existent fields return `None` (no error is raised).
Examples:
```yaml Expression theme={null}
name: ${{ TRIGGER.user.name }}
```
```json Result theme={null}
{
"name": "Alice"
}
```
```yaml Expression theme={null}
names: ${{ TRIGGER.users[*].name }}
```
```json Result theme={null}
{
"names": ["Alice", "Bob", "Carol"]
}
```
## Examples
Trigger data:
```yaml Expression theme={null}
email: ${{ TRIGGER.user.email }}
```
```json Result theme={null}
{
"email": "alice@example.com"
}
```
Action result:
```yaml Expression theme={null}
ticket_id: ${{ ACTIONS.create_ticket.result.id }}
```
```json Result theme={null}
{
"ticket_id": "T-123"
}
```
Array item:
```yaml Expression theme={null}
first_tag: ${{ ACTIONS.lookup_tags.result.tags[0] }}
```
```json Result theme={null}
{
"first_tag": "malware"
}
```
Wildcard:
```yaml Expression theme={null}
tag_names: ${{ ACTIONS.lookup_tags.result.tags[*] }}
```
```json Result theme={null}
{
"tag_names": ["malware", "phishing", "credential-access"]
}
```
Filter:
```yaml Expression theme={null}
open_findings: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")] }}
```
```json Result theme={null}
{
"open_findings": [{"id": "f-1", "status": "open"}, {"id": "f-3", "status": "open"}]
}
```
Filter and project:
```yaml Expression theme={null}
open_titles: ${{ ACTIONS.fetch_findings.result.items[?(@.status == "open")].title }}
```
```json Result theme={null}
{
"open_titles": ["Suspicious login", "Impossible travel"]
}
```
## Related pages
* See [JSONPath](/automations/core-concepts/jsonpath) for core concepts and syntax.
* See [Expressions](/automations/core-concepts/expressions) for expression syntax and contexts.
* See [Functions](/automations/core-concepts/functions) for helper functions you can use alongside JSONPath access.
# Custom registry
Source: https://docs.tracecat.com/custom-actions/custom-registry
Sync custom Python and YAML actions into Tracecat through your own registry: version, share, and reuse organization-specific automations across workspaces.
You can build your own actions and use them in agents and workflows through Tracecat's custom registry feature.
## Why use a custom registry
* Version control your code separate from Tracecat
* Reuse your custom actions in multiple agents and workflows
* Easily update your custom actions across all agents and workflows
## Permissions
Custom registry is an organization-level feature and syncs across all workspaces.
You must have the "Organization Admin" role to add and manage the custom registry.
## Installation
Clone the [custom registry starter kit](https://github.com/TracecatHQ/custom-integrations-starter-kit) from GitHub.
Go to "/actions" page in the workspace -> "Add registry" button -> "Custom registry" in organization settings.
Configure the remote repository URL, package name, and allowed Git domains.
The package name is the name of the Python package (e.g. the parent folder named `custom_actions` in the starter kit) in the repo.
Click "Sync from remote" button to sync the registry.
## Revert changes
Syncing defaults to the latest commit in the remote repository.
You can change the commit to sync to using the "Change commit" button.
## How custom registry works
When you sync a registry, Tracecat:
* Pulls the latest code from the remote repository
* Converts the package and its dependencies into a tarball using `uv`
* Uploads the tarball to S3-compatible object storage
* Tarballs are stored in the bucket specified in the `TRACECAT__BLOB_STORAGE_BUCKET_REGISTRY` environment variable
Published workflows run actions synced at the time of publication.
When triggered, the Tracecat executor pulls the pinned version of the platform registry and custom registry tarballs from S3.
You must republish a workflow to use the latest platform and custom actions.
Even if there were no changes to the workflow itself.
## FAQ
Yes. Tracecat works with Gitlab and GitHub Enterprise.
Yes. The package name from the starter kit is `custom_actions`.
To rename it, you'll need to rename the:
* `custom_actions` folder to `my_new_package_name`
* Project name in `pyproject.toml` to `my_new_package_name`
Note: Python package names must be snake\_case.
Yes. You can rename the git repo. It does not need to have the same name as the Python package.
You must specify new dependencies in the `dependencies` section of the `pyproject.toml` file.
Yes. For local Docker deployments, you can hot reload custom actions into Tracecat with a local registry.
See [local development](/custom-actions/local-development) for more details.
# Local development
Source: https://docs.tracecat.com/custom-actions/local-development
Hot-reload custom Python and YAML actions while developing locally against Tracecat: iterate on registry code with fast feedback loops and live workflow runs.
You can test custom actions locally without syncing on every change.
Local registry should only be used for development. Production deployments should use remote [custom registry](/custom-actions/custom-registry) sync.
## Why local development
* Faster feedback loop
* No need to sync on every change
* No need to republish a workflow to use the latest platform and custom actions
## How to enable local development
In your `.env` file, set the following environment variables:
1. `TRACECAT__LOCAL_REPOSITORY_ENABLED` to `true`
2. `TRACECAT__LOCAL_REPOSITORY_PATH` to the path of your local repository e.g. `~/repos/my-local-registry`
3. `PYTHONPATH` to `/app/local_registry:`
```bash theme={null}
TRACECAT__LOCAL_REPOSITORY_ENABLED=true
TRACECAT__LOCAL_REPOSITORY_PATH=~/dev/org/internal-registry
PYTHONPATH=/app/local_registry:
```
# Python UDFs
Source: https://docs.tracecat.com/custom-actions/python-udf
Build custom Python actions for Tracecat: declare inputs and outputs, package dependencies, and expose user-defined functions to workflows and agents.
Tracecat makes it easy to turn your Python scripts into actions for agents and workflows. All you need is:
* A single Python decorator, `@registry.register`
* `from typing import Annotated`
* `from typing_extensions import Doc`
## Quick start
1. Add a Python file to your custom registry package.
2. Register one async function with `@registry.register(...)`.
3. Define typed inputs, read secrets with `secrets.get(...)`, and return JSON-serializable data.
```python theme={null}
from typing import Annotated
from typing_extensions import Doc
from tracecat_registry import registry, RegistrySecret, secrets
# (Optional) Define secrets used in the function
secret_name = RegistrySecret(
name="secret_name",
keys=["SECRET_NAME"],
optional_keys=["OPTIONAL_SECRET_NAME"],
)
# Register the function as a Tracecat UDF
@registry.register(
default_title="Say goodbye secretly",
description="This is a function that says goodbye",
display_group="Greetings",
namespace="integrations.greetings",
# (Optional) Define secrets used in the function
secrets=[secret_name],
)
async def say_goodbye_secretly(
name: Annotated[str, Doc("The name to say goodbye to")],
):
secret = secrets.get("SECRET_NAME")
# We're returning the secret for demonstration only.
# Do not do this in your own functions!
return {"message": f"Goodbye, {name}! Secret: {secret}"}
```
## What to define
* Use `tools.` for the namespace.
* Set `default_title`, `description`, `display_group`, `doc_url`, and `namespace` in `@registry.register(...)`.
* Define action inputs with type hints and `Field(..., description=...)`.
* Define required credentials with `RegistrySecret(...)` and pass them in `secrets=[...]`.
* Read secret values with `secrets.get(...)`.
* Return plain dicts, lists, strings, numbers, or booleans.
## Declaring secret types
By default, secrets are `custom` (arbitrary key-value). If your action requires an SSH key, mTLS certificate, or CA certificate, set `secret_type` so the credentials UI renders the correct form.
| `secret_type` | Required `keys` | Description |
| ------------- | ---------------------------------------- | --------------------------------- |
| `"custom"` | Any | Generic key-value pairs (default) |
| `"ssh_key"` | `["PRIVATE_KEY"]` | SSH private key (PEM) |
| `"mtls"` | `["TLS_CERTIFICATE", "TLS_PRIVATE_KEY"]` | mTLS client certificate and key |
| `"ca_cert"` | `["CA_CERTIFICATE"]` | CA certificate bundle |
### Examples
```python theme={null}
# SSH key secret — renders an SSH private key textarea in the UI
ssh_secret = RegistrySecret(
name="ansible",
keys=["PRIVATE_KEY"],
secret_type="ssh_key",
)
# mTLS secret — renders certificate + key textareas
mtls_secret = RegistrySecret(
name="mtls",
keys=["TLS_CERTIFICATE", "TLS_PRIVATE_KEY"],
secret_type="mtls",
optional=True,
)
# CA certificate secret — renders a certificate textarea
ca_cert_secret = RegistrySecret(
name="ca_cert",
keys=["CA_CERTIFICATE"],
secret_type="ca_cert",
optional=True,
)
# Custom secret (default) — renders key-value inputs
api_secret = RegistrySecret(
name="slack",
keys=["SLACK_BOT_TOKEN"],
)
```
`secret_type` uses snake\_case everywhere — Python declarations, the API, and the UI all use the same values (`ssh_key`, `ca_cert`, `mtls`, `custom`).
Use the same `${{ SECRETS... }}` syntax as workflow actions.
Custom secrets (API keys, SSH, mTLS, CA bundles, and so on):
```yaml theme={null}
${{ SECRETS.. }}
```
OAuth tokens live under `_oauth`. The key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`:
* `authorization_code`: `${{ SECRETS._oauth._USER_TOKEN }}`
* `client_credentials`: `${{ SECRETS._oauth._SERVICE_TOKEN }}`
```yaml theme={null}
${{ SECRETS.slack_oauth.SLACK_USER_TOKEN }}
${{ SECRETS.google_docs_oauth.GOOGLE_DOCS_SERVICE_TOKEN }}
```
Optional fallback when either grant type is allowed:
```yaml theme={null}
${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN || SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_SERVICE_TOKEN }}
```
## Python UDFs
Declare credentials in `@registry.register(..., secrets=[...])`.
* `RegistrySecret`: static keys; set `secret_type` to `ssh_key`, `mtls`, or `ca_cert` when needed ([secret types](/automations/core-concepts/secrets)). Optional: `optional`, `optional_keys`.
* `RegistryOAuthSecret`: declares a dependency on an existing OAuth integration. Pass the `provider_id` and `grant_type` that match the integration in your workspace (a mismatch — for example declaring `authorization_code` when the integration uses `client_credentials` — will not resolve).
Read values with `secrets.get("")` (key only, e.g. `GOOGLE_DRIVE_USER_TOKEN`), not a `SECRETS.` path.
```python theme={null}
from tracecat_registry import RegistryOAuthSecret, RegistrySecret, registry, secrets
api = RegistrySecret(name="exa", keys=["EXA_API_KEY"])
oauth = RegistryOAuthSecret(
provider_id="google_drive",
grant_type="authorization_code",
)
```
## YAML
Under `definition`, set a `secrets` list (same validator as Python).
Custom (optional `secret_type` for structured secrets):
```yaml theme={null}
definition:
secrets:
- name: exa
keys: ["EXA_API_KEY"]
- name: ansible
keys: ["PRIVATE_KEY"]
secret_type: ssh_key
```
OAuth:
```yaml theme={null}
definition:
secrets:
- type: oauth
provider_id: microsoft_teams
grant_type: authorization_code
```
The `provider_id` and `grant_type` must match an integration already configured in your workspace. Use `${{ SECRETS._oauth. }}` in `args`. Set `optional: true` on an OAuth entry when it is not always required.
## Example providers
See [`integrations/google_drive.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/google_drive.py) and [`integrations/slack_sdk.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py) for UDFs that use OAuth credentials. See [`tracecat_registry/core/ssh.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/core/ssh.py) for an `ssh_key` secret example.
For YAML templates, see [`microsoft_teams/send_message.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_teams/send_message.yml) (`authorization_code`), [`google_docs/create_document.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/google_docs/create_document.yml) (`client_credentials`), and [`microsoft_sentinel/.../get_alert_rule_template.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_sentinel/alert_rules/get_alert_rule_template.yml) (optional dual grant). See [`templates/tools/exa/search.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/exa/search.yml) for a simple API key template.
For the full list of built-in provider IDs, see [`tracecat/integrations/providers/__init__.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py).
## Example actions
You can browse all open-source integrations in Tracecat in [tools actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/integrations). Use [template actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools) to see how actions are composed, and use [core actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/core) to inspect built-in implementations.
For concrete examples, browse the [Slack](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py), [AWS Boto3](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/aws_boto3.py), and [FalconPy](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/crowdstrike_falconpy.py) integrations.
# YAML templates
Source: https://docs.tracecat.com/custom-actions/yaml-template
Build custom YAML template actions for Tracecat: compose existing actions and expressions into reusable, versioned building blocks for workflows and agents.
Use a YAML action template to compose existing actions into a reusable action.
## Template shape
Create a `.yml` file in your registry templates directory. Define inputs in `expects`, run actions in `steps`, and return the final value from `returns`.
```yaml theme={null}
type: action
definition:
title: Post message
description: Post a message to a Slack channel.
display_group: Slack
namespace: tools.slack
name: post_message
expects:
channel:
type: str
description: The Slack channel ID.
text:
type: str
description: The message text.
steps:
- ref: post_message
action: tools.slack_sdk.call_method
args:
sdk_method: chat_postMessage
params:
channel: ${{ inputs.channel }}
text: ${{ inputs.text }}
returns: ${{ steps.post_message.result }}
```
* Start every file with `type: action`.
* Use `tools.` for the namespace.
* Set `title`, `description`, `display_group`, `namespace`, and `name` in `definition`.
* Define inputs in `expects`.
* Build the action in `steps`.
* Return the final value from `returns`.
## Expressions
Use `${{ }}` for expressions.
Use `inputs` to read the inputs you defined in `expects`.
Use `steps` to read the result of an earlier step. After a step runs, its output is available at `steps.[.result`.
```yaml Read an input theme={null}
args:
channel: ${{ inputs.channel }}
text: ${{ inputs.text }}
```
```yaml Read an earlier step result theme={null}
returns: ${{ steps.post_message.result }}
```
```yaml Build one step from another theme={null}
steps:
- ref: lookup_user
action: tools.slack.users.lookup_user_by_email
args:
email: ${{ inputs.email }}
- ref: post_message
action: tools.slack.chat.post_message
args:
channel: ${{ steps.lookup_user.result.id }}
text: Hello
```
You can use:
* `inputs`
* `steps`
* `SECRETS`
* `VARS`
* `FN.*`
## Secrets
Declare what each template needs under `definition.secrets` (API keys, structured types, or OAuth). That list drives which credentials must exist for the action when the workflow runs. Use the same `${{ SECRETS... }}` paths in `args` as in any other expression.
Use the same `${{ SECRETS... }}` syntax as workflow actions.
Custom secrets (API keys, SSH, mTLS, CA bundles, and so on):
```yaml theme={null}
${{ SECRETS.. }}
```
OAuth tokens live under `_oauth`. The key is the provider ID in uppercase plus `_USER_TOKEN` or `_SERVICE_TOKEN`:
* `authorization_code`: `${{ SECRETS._oauth._USER_TOKEN }}`
* `client_credentials`: `${{ SECRETS._oauth._SERVICE_TOKEN }}`
```yaml theme={null}
${{ SECRETS.slack_oauth.SLACK_USER_TOKEN }}
${{ SECRETS.google_docs_oauth.GOOGLE_DOCS_SERVICE_TOKEN }}
```
Optional fallback when either grant type is allowed:
```yaml theme={null}
${{ SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_USER_TOKEN || SECRETS.microsoft_sentinel_oauth.MICROSOFT_SENTINEL_SERVICE_TOKEN }}
```
## Python UDFs
Declare credentials in `@registry.register(..., secrets=[...])`.
* `RegistrySecret`: static keys; set `secret_type` to `ssh_key`, `mtls`, or `ca_cert` when needed ([secret types](/automations/core-concepts/secrets)). Optional: `optional`, `optional_keys`.
* `RegistryOAuthSecret`: declares a dependency on an existing OAuth integration. Pass the `provider_id` and `grant_type` that match the integration in your workspace (a mismatch — for example declaring `authorization_code` when the integration uses `client_credentials` — will not resolve).
Read values with `secrets.get("")` (key only, e.g. `GOOGLE_DRIVE_USER_TOKEN`), not a `SECRETS.` path.
```python theme={null}
from tracecat_registry import RegistryOAuthSecret, RegistrySecret, registry, secrets
api = RegistrySecret(name="exa", keys=["EXA_API_KEY"])
oauth = RegistryOAuthSecret(
provider_id="google_drive",
grant_type="authorization_code",
)
```
## YAML
Under `definition`, set a `secrets` list (same validator as Python).
Custom (optional `secret_type` for structured secrets):
```yaml theme={null}
definition:
secrets:
- name: exa
keys: ["EXA_API_KEY"]
- name: ansible
keys: ["PRIVATE_KEY"]
secret_type: ssh_key
```
OAuth:
```yaml theme={null}
definition:
secrets:
- type: oauth
provider_id: microsoft_teams
grant_type: authorization_code
```
The `provider_id` and `grant_type` must match an integration already configured in your workspace. Use `${{ SECRETS._oauth. }}` in `args`. Set `optional: true` on an OAuth entry when it is not always required.
## Example providers
See [`integrations/google_drive.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/google_drive.py) and [`integrations/slack_sdk.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/integrations/slack_sdk.py) for UDFs that use OAuth credentials. See [`tracecat_registry/core/ssh.py`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/core/ssh.py) for an `ssh_key` secret example.
For YAML templates, see [`microsoft_teams/send_message.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_teams/send_message.yml) (`authorization_code`), [`google_docs/create_document.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/google_docs/create_document.yml) (`client_credentials`), and [`microsoft_sentinel/.../get_alert_rule_template.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/microsoft_sentinel/alert_rules/get_alert_rule_template.yml) (optional dual grant). See [`templates/tools/exa/search.yml`](https://github.com/TracecatHQ/tracecat/blob/main/packages/tracecat-registry/tracecat_registry/templates/tools/exa/search.yml) for a simple API key template.
For the full list of built-in provider IDs, see [`tracecat/integrations/providers/__init__.py`](https://github.com/TracecatHQ/tracecat/blob/main/tracecat/integrations/providers/__init__.py).
## Limitations
* Template steps only support `ref`, `action`, and `args`.
* Template steps run in order.
* Template steps do not support `run_if`, `for_each`, `join_strategy`, `start_delay`, `timeout`, or `max_attempts`.
* Templates can call tools actions, other templates, and `core.script.run_python`. Other platform actions are not supported inside templates.
* If a later step fails, you do not get a final result with earlier step outputs. Keep templates short. In practice, do not build templates with more than 2 steps.
## Example templates
All integrations in Tracecat are open source. Browse [template actions](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools) for more examples.
For concrete examples, browse the [Slack templates](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools/slack) and [CrowdStrike templates](https://github.com/TracecatHQ/tracecat/tree/main/packages/tracecat-registry/tracecat_registry/templates/tools/crowdstrike).
# Getting started
Source: https://docs.tracecat.com/overview/getting-started
Self-host your own instance or join Tracecat Community Cloud.
The easiest way to get started is to connect your agent harness (Claude Code, Cursor, OpenAI Codex) to Tracecat.
## Self-host
Docker Compose is the easiest way to self-host.
Check out the full guide [here](/self-hosting/docker-compose) or follow the quickstart below.
```bash theme={null}
# Setup environment variables and secrets
curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/env.sh
curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/.env.example
chmod +x env.sh && ./env.sh
# Download Caddyfile
curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/Caddyfile
# Download Docker Compose file
curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/docker-compose.yml
# Start Tracecat
docker compose up -d
```
## Connect MCP
Connecting your agent to Tracecat Cloud automatically creates an account for you.
You can also sign up manually via [https://platform.tracecat.com](https://platform.tracecat.com).
If you are **self-hosted**, replace `https://platform.tracecat.com` with your
`PUBLIC_APP_URL` (e.g. `http://localhost` or `https://tracecat.example.com`).
Authentication uses a built-in OIDC provider—your agent is redirected to sign in
through the browser on first connection. For clients or environments that cannot
complete a browser sign-in, authenticate with a
[personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead.
Sign in with OAuth:
```bash theme={null}
claude mcp add -t http tracecat https://platform.tracecat.com/mcp
claude
/mcp
```
Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens).
Set `TRACECAT_MCP_PAT` in your environment and reference it with **single
quotes** so the variable (not the token) is written to the saved config:
```bash theme={null}
claude mcp add --transport http tracecat https://platform.tracecat.com/mcp \
--header 'Authorization: Bearer ${TRACECAT_MCP_PAT}'
```
Sign in with OAuth:
```bash theme={null}
codex mcp add tracecat --url https://platform.tracecat.com/mcp
codex mcp login tracecat
```
Or authenticate with a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens).
Set `TRACECAT_MCP_PAT` in your environment, then reference it by name:
```bash theme={null}
codex mcp add tracecat --url https://platform.tracecat.com/mcp \
--bearer-token-env-var TRACECAT_MCP_PAT
```
```bash theme={null}
copilot
/mcp add
# Server Name: tracecat
# Server Type: HTTP
# URL: https://platform.tracecat.com/mcp
# Tools: *
```
Follow [GitHub Copilot MCP setup](https://docs.github.com/en/copilot/how-tos/copilot-cli/customize-copilot/add-mcp-servers) for the latest CLI prompts.
Or add this server to `~/.copilot/mcp-config.json`:
```json theme={null}
{
"mcpServers": {
"tracecat": {
"type": "http",
"url": "https://platform.tracecat.com/mcp",
"tools": ["*"]
}
}
}
```
To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of
OAuth, add an `Authorization` header (`${TRACECAT_MCP_PAT}` is read from your
environment):
```json theme={null}
"headers": {
"Authorization": "Bearer ${TRACECAT_MCP_PAT}"
}
```
On Tracecat Cloud, click [Add Tracecat to Cursor](https://cursor.com/en-US/install-mcp?name=tracecat\&config=eyJ1cmwiOiJodHRwczovL3BsYXRmb3JtLnRyYWNlY2F0LmNvbS9tY3AifQ)
to add it in one click. Otherwise configure `.cursor/mcp.json` manually:
```json theme={null}
{
"mcpServers": {
"tracecat": {
"url": "https://platform.tracecat.com/mcp"
}
}
}
```
To use a [personal access token (PAT)](/automations/tracecat-mcp#personal-access-tokens) instead of
OAuth, add an `Authorization` header (Cursor resolves `${env:TRACECAT_MCP_PAT}`
from your environment):
```json theme={null}
"headers": {
"Authorization": "Bearer ${env:TRACECAT_MCP_PAT}"
}
```
# Welcome to Tracecat
Source: https://docs.tracecat.com/overview/introduction
Tracecat is the AI automation platform for security teams and agents.
## Automating security work
The AI-native security automation platform.
Turn prompts into workflows, triggers, and tables via Tracecat MCP.
Build custom AI agents that call tools and MCP (stdio, remote) servers.
Resolve work items with agents and workflows.
Build your own custom actions and sync them into Tracecat via git.
Host your own sandboxed MCP server in Tracecat.
Host your Tracecat in your own infrastructure.
## Securing agents at scale
Enterprise Edition
Protect your organization's agent rollout with the same security features as Tracecat automation.
Connect local agents to any tool, MCP server, workflow, or agent in Tracecat.
Monitor agent tool calls and activity across all connected agents (Claude Code, Cursor, OpenAI Codex).
Detect and block malicious tool calls with pre-built and custom rules.
Approve or reject agent tools calls from within Tracecat UI, Slack, or Microsoft Teams.
# Architecture
Source: https://docs.tracecat.com/self-hosting/architecture
Architecture overview for self-hosted Tracecat: services, networking, authentication boundaries, and dependencies between API, executor, worker, LiteLLM, and frontend.
## Services
The Docker Compose stack runs 16 containers. Only `caddy` is exposed externally; all other ports are internal to the Docker network.
| Service | Port | Description |
| :--------------------- | :----------------- | :-------------------------------------------- |
| `caddy` | 80 (configurable) | Reverse proxy and TLS termination |
| `api` | 8000 | REST API and webhook receiver |
| `ui` | 3000 | Next.js frontend |
| `worker` | — | Workflow orchestrator |
| `executor` | — | Action executor with optional sandbox |
| `agent-worker` | — | AI agent orchestrator |
| `agent-executor` | — | AI agent action executor |
| `litellm` | 4000 | Managed LiteLLM gateway for AI model requests |
| `mcp` | 8099 | MCP server for IDE integrations |
| `postgres_db` | 5432 | Application database (PostgreSQL 16) |
| `temporal` | 7233 | Workflow engine |
| `temporal_postgres_db` | 5432 | Temporal database (PostgreSQL 13) |
| `temporal_ui` | 8081 (not exposed) | Temporal web UI |
| `minio` | 9000, 9001 | S3-compatible object storage |
| `redis` | 6379 | Cache and message broker |
| `migrations` | — | One-shot database migration runner |
## Networking
### Caddy routing
Caddy is the single entry point for all external traffic. It forwards requests based on path:
| Path | Destination | Purpose |
| :------------------------------------------------------------------------------------------- | :----------- | :------------------ |
| `/api*` | `api:8000` | REST API |
| `/mcp*` | `mcp:8099` | MCP server |
| `/.well-known/oauth-*`, `/authorize*`, `/token`, `/register`, `/consent*`, `/auth/callback*` | `mcp:8099` | MCP OAuth flow |
| `/s3/*` | `minio:9000` | Presigned URL proxy |
| `/*` | `ui:3000` | Frontend (default) |
### Data flow
The browser connects to Caddy, which proxies to the API or UI. The UI server also calls the API directly via `INTERNAL_API_URL` for server-side rendering.
External systems send webhooks to `/api/webhooks/...`, which Caddy forwards to the API service.
The API submits workflow runs to the Temporal server on port 7233. Workers pull tasks from Temporal's task queue and dispatch actions to executors. Executors run individual action steps, optionally inside an nsjail sandbox.
Agent workers and agent executors follow the same Temporal-based pattern for AI agent workflows.
### LiteLLM request path
The `litellm` container runs Tracecat's managed LiteLLM gateway on port 4000. It is an internal service, not a public API endpoint. When an agent workflow reaches a model call, `agent-executor` sends the request to `http://litellm:4000` by default. The LiteLLM gateway validates the request, resolves the selected model provider, injects the provider credentials, and forwards the request upstream. This keeps provider credentials out of the sandboxed agent process while giving all managed model requests one internal routing point. Custom provider configurations can bypass the managed gateway when passthrough mode is enabled. Otherwise, root agents and subagents use the internal LiteLLM gateway.
### Docker networks
Four networks isolate traffic between service groups:
| Network | Scope | Services |
| :------------ | :------- | :----------------------------------------------------------------------------------------------------------------------------- |
| `core` | default | caddy, api, ui, worker, executor, agent-worker, agent-executor, litellm, mcp, redis, minio, temporal, temporal\_ui, migrations |
| `core-db` | internal | api, worker, executor, agent-worker, agent-executor, litellm, mcp, migrations, postgres\_db |
| `temporal` | default | temporal, temporal\_ui, worker, executor, agent-worker, agent-executor, mcp |
| `temporal-db` | internal | temporal, temporal\_postgres\_db |
Networks marked `internal` cannot reach the internet, preventing direct external access to databases.
## OIDC
Set `TRACECAT__AUTH_TYPES=oidc` in your `.env` file and configure these variables:
* `OIDC_ISSUER` — your identity provider's issuer URL
* `OIDC_CLIENT_ID` — client ID from your identity provider
* `OIDC_CLIENT_SECRET` — client secret from your identity provider
Set the callback URI in your identity provider to `/auth/oauth/callback`.
See [OIDC configuration](/authentication/oidc) for provider-specific setup instructions.
## SAML
Set `TRACECAT__AUTH_TYPES=saml` in your `.env` file and configure `SAML_IDP_METADATA_URL` with your identity provider's metadata URL.
Supported identity providers: Okta, Microsoft Entra ID, Authentik, and Keycloak.
See [SAML configuration](/authentication/saml) for provider-specific setup instructions.
## FAQ
Yes. Update `TRACECAT__DB_URI` to point to your managed PostgreSQL instance and `REDIS_URL` for Redis. For Temporal, update the Temporal PostgreSQL credentials in your `.env` file.
See [Security](/self-hosting/security) for production credential recommendations.
Caddy auto-provisions TLS certificates from Let's Encrypt when `BASE_DOMAIN` is set to a real domain. Set `PUBLIC_APP_URL` to use `https://` and expose ports 80 and 443 on the Caddy container.
See [Configure SSL for production](/self-hosting/docker-compose#how-do-i-configure-ssl-for-production) for step-by-step instructions.
Yes. Tracecat has been tested with Amazon S3, MinIO, SeaweedFS, and RustFS.
Point your IDE's MCP configuration to `/mcp`. Authentication uses a built-in OIDC provider — your agent will be redirected to sign in through the browser on first connection.
See [Tracecat MCP](/automations/tracecat-mcp#setup) for IDE-specific setup instructions.
# AWS ECS Fargate
Source: https://docs.tracecat.com/self-hosting/aws-fargate
Deploy self-hosted Tracecat to AWS ECS Fargate using Terraform: provision RDS, networking, secrets, and Temporal alongside Tracecat services in your own AWS account.
This stack exposes Tracecat to the public internet.
We've set the `auth_types` Terraform variable to `saml` by default.
You must configure SAML before your first login or change `auth_types` to another method.
See [Security](/self-hosting/security) for additional production hardening recommendations.
## Prerequisites
* [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
* AWS credentials configured for your target account and role
* A public [Route53 hosted zone](https://aws.amazon.com/route53/) (domain and hosted zone ID)
* `openssl` and AWS CLI (if using the helper secret script)
## Clone the repository
Clone the Tracecat repository and navigate to the Fargate deployment directory.
```bash theme={null}
git clone https://github.com/TracecatHQ/tracecat.git
cd tracecat/deployments/fargate
```
## Create core secrets
You can create these in AWS Secrets Manager manually or use the helper script:
```bash theme={null}
export AWS_DEFAULT_REGION=
./scripts/create-aws-secrets.sh
```
Save the resulting secret ARNs. You'll need them for Terraform variables.
## Configure authentication secrets (optional)
Depending on your chosen `auth_types` (e.g. `saml`, `oidc`, `oauth`), provide the necessary secret ARNs as Terraform variables.
For example, for SAML:
* `saml_idp_metadata_url_arn`
## Initialize and deploy
Initialize Terraform and apply the configuration.
```bash theme={null}
terraform init
export TF_VAR_aws_region=
export TF_VAR_domain_name=
export TF_VAR_hosted_zone_id=
export TF_VAR_tracecat_db_encryption_key_arn=
export TF_VAR_tracecat_service_key_arn=
export TF_VAR_tracecat_signing_secret_arn=
export TF_VAR_user_auth_secret_arn=
# Optional but recommended
export TF_VAR_tracecat_image_tag=1.0.0-beta.50
terraform apply
```
Provisioning takes about 10-20 minutes due to RDS and ECS startup.
## Access Tracecat
Once deployed, access your instance at:
* UI: `https://`
* API docs: `https:///api/docs`
* MCP: `https:///mcp`
## Updating Tracecat
To update an existing Tracecat deployment on Fargate:
1. Pull the latest Fargate stack from the Tracecat repository to ensure you have the most recent infrastructure changes.
2. Change the `TF_VAR_tracecat_image_tag` variable to the desired image tag compatible with the stack, or remove the variable to default to the latest image tag.
3. Run `terraform apply` to apply the updates.
```bash theme={null}
cd tracecat/deployments/fargate
git pull origin main
# Set variables as before, then update the image tag
export TF_VAR_tracecat_image_tag=1.0.0-beta.50
terraform apply
```
## Temporal DB SSL enforcement
For the bundled Fargate `temporalio/auto-setup` deployment, `temporal_db_force_ssl` defaults to `false`:
```bash theme={null}
export TF_VAR_temporal_db_force_ssl=false
terraform apply
```
This setting applies only to the bundled Temporal RDS instance. It requires a DB reboot when changed and permits non-TLS connections to the Temporal database for compatibility with the current Fargate Temporal auto-setup flow.
If you are using Temporal Cloud or another external Temporal cluster, set `disable_temporal_autosetup=true` and point `temporal_cluster_url` at your external cluster. In that setup, `temporal_db_force_ssl` is typically unused because the bundled Temporal RDS instance is not created. If you run your own external Temporal PostgreSQL and want SSL-only enforcement there, set `TF_VAR_temporal_db_force_ssl=true`.
## FAQ
Fargate does not support the permissions model required by `nsjail`. Tracecat uses a fallback executor without `nsjail` isolation on Fargate.
If you need the highest isolation for untrusted code execution (like custom registry actions or `core.script.run_python`), deploy Tracecat on Kubernetes using the [Helm chart](https://github.com/TracecatHQ/tracecat/tree/main/deployments/k8s/helm), where `nsjail` is enabled by default.
The Terraform stack deploys:
* Public ALB, Route53 records, and ACM certificates
* ECS cluster with Service Connect
* RDS instances (core database and optional Temporal database)
* ElastiCache Redis
* S3 buckets for attachments, registry, and workflow artifacts
* VPC endpoints for S3 and Secrets Manager
Migrations run in an init container during the API task startup. The API container only starts if migrations succeed. If migrations fail, the deployment pauses and dependent services (`worker`, `executor`) will not update.
# Docker Compose
Source: https://docs.tracecat.com/self-hosting/docker-compose
Deploy self-hosted Tracecat using Docker Compose: bring up the API, executor, worker, frontend, Postgres, and Temporal stack on a single host in minutes.
Docker Compose deployments default to basic email / password authentication.
Production deployments should use [OIDC](/authentication/oidc) or [SAML](/authentication/saml) SSO.
See [Security](/self-hosting/security) for additional production hardening recommendations.
Tracecat SAML SSO always requires signed assertions and signed responses.
## Prerequisites
* [Docker](https://docs.docker.com/engine/install/) version 26.0.0+
* [Docker Compose](https://docs.docker.com/compose/install/) version 2.29.0+
* [openssl](https://www.openssl.org/source/)
## Core secrets
The `env.sh` script (next step) generates these automatically. If you need to generate them manually:
## Download configuration files
```bash theme={null}
# 1. Download the env.sh installation script
curl -o env.sh https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/env.sh
# 2. Download the .env.example template file (env.sh needs this to generate your .env file)
curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/.env.example
# 3. Make the env.sh script executable and run it
chmod +x env.sh && ./env.sh
```
After running `env.sh`, you'll be prompted to input the following:
* Set `PUBLIC_APP_URL`. Defaults to `localhost`.
* Require PostgreSQL SSL mode? Defaults to `n`.
* Required field: Enter email address for the first user (superadmin).
## Download Caddyfile
Tracecat uses Caddy as a reverse proxy.
You'll need to download the following `Caddyfile` to configure this service.
```bash theme={null}
curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/Caddyfile
```
## Download Docker Compose file
```bash theme={null}
curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat/1.0.0-beta.50/docker-compose.yml
```
## Start Tracecat
Run the command below to start Tracecat and all related services.
Make sure your `docker-compose.yml` and generated `.env` files are in the same directory.
```bash theme={null}
docker compose up
```
## Access Tracecat
Once deployed, access your instance at:
* UI: `http://localhost:${PUBLIC_APP_PORT}`
* API docs: `http://localhost:${PUBLIC_APP_PORT}/api/docs`
* MCP: `http://localhost:${PUBLIC_APP_PORT}/mcp`
## Updating Tracecat
Be careful when updating Tracecat.
Do not accidentally overwrite or lose your existing `TRACECAT__SERVICE_KEY`, `TRACECAT__SIGNING_SECRET`, `TRACECAT__DB_ENCRYPTION_KEY`, and `USER_AUTH_SECRET` secrets.
Losing these secrets will break your credentials and webhooks.
```bash theme={null}
# 1. Download the latest env migration script and env template
curl -o env-migration.sh https://raw.githubusercontent.com/TracecatHQ/tracecat//env-migration.sh
curl -o .env.example https://raw.githubusercontent.com/TracecatHQ/tracecat//.env.example
# 2. Make the migration script executable and update your existing .env
chmod +x env-migration.sh && ./env-migration.sh
# 3. Download the latest Docker Compose file
curl -o docker-compose.yml https://raw.githubusercontent.com/TracecatHQ/tracecat//docker-compose.yml
# 4. Download the latest Caddyfile
curl -o Caddyfile https://raw.githubusercontent.com/TracecatHQ/tracecat//Caddyfile
# 5. Restart Tracecat with the updated configuration
docker compose up -d
```
The migration script creates a backup of your existing `.env` before rewriting it.
After the stack starts, verify that your containers are healthy and that you can sign in successfully.
## Scaling
Docker Compose runs all services on a single host.
These are recommended minimums for different workload sizes.
| Resource | Small | Standard | Production |
| :-------------------- | :-------- | :-------- | :---------- |
| CPU | 8 cores | 16 cores | 32+ cores |
| RAM | 16 GB | 32 GB | 64+ GB |
| Storage | 20 GB SSD | 50 GB SSD | 100+ GB SSD |
| Docker | 26.0.0+ | 26.0.0+ | 26.0.0+ |
| Workflow starts/sec | \~5 | \~15 | \~40 |
| Concurrent seats | 1-10 | 10-50 | 50+ |
| Concurrent agents/sec | 1-2 | 5-10 | 10+ |
* Small: Development, testing, small teams (1-10 users)
* Standard: Mid-size teams (10-50 users), moderate workflow execution
* Production: Large teams (50+ users), high throughput
Memory is typically the constraining factor.
Workflow throughput is lower than dedicated Kubernetes deployments where services have guaranteed resources and can scale independently.
For production workloads that exceed single-host capacity, consider [converting to Docker Swarm](#convert-to-docker-swarm) or deploying on Kubernetes.
## Convert to Docker Swarm
Docker Swarm lets you scale individual services with resource limits and replicas across one or more nodes.
### Service resource recommendations
| Service | CPU (cores) | Memory | Replicas |
| :--------------------- | ----------: | ------: | -------: |
| caddy | 0.25 | 256 Mi | 1 |
| api | 2 | 4 Gi | 2 |
| worker | 2 | 2 Gi | 4 |
| executor | 4 | 8 Gi | 4 |
| agent-worker | 2 | 2 Gi | 2 |
| agent-executor | 4 | 16 Gi | 2 |
| ui | 0.5 | 1 Gi | 2 |
| mcp | 1 | 1 Gi | 1 |
| postgres\_db | 2 | 4 Gi | 1 |
| temporal | 4 | 8 Gi | 1 |
| temporal\_postgres\_db | 2 | 4 Gi | 1 |
| redis | 0.5 | 1 Gi | 1 |
| minio | 0.5 | 1 Gi | 1 |
| Total | \~25 | \~52 Gi | 23 |
Stateful services (`postgres_db`, `temporal_postgres_db`, `minio`, `redis`) must remain at 1 replica.
Scaling these requires external managed services (e.g., RDS, ElastiCache) or specialized clustering.
### Deploy with Docker Swarm
1. Initialize Swarm:
```bash theme={null}
docker swarm init
```
2. Add `deploy` configuration to each service in your `docker-compose.yml`. For example, for the `api` service:
```yaml theme={null}
services:
api:
# ... existing configuration ...
deploy:
replicas: 2
resources:
limits:
cpus: "2"
memory: 4G
reservations:
cpus: "2"
memory: 4G
```
3. Deploy the stack:
```bash theme={null}
docker stack deploy -c docker-compose.yml tracecat
```
4. Verify services are running:
```bash theme={null}
docker stack services tracecat
```
## FAQ
For an overview of all services and networking, see [Architecture](/self-hosting/architecture).
Yes but don't forget to set `PUBLIC_APP_URL` to `127.0.0.1` instead of `localhost` in your `.env` file.
Yes but you'll need to set `PUBLIC_APP_URL` to the WSL IP address instead of `localhost`.
Run `ip addr` to find your WSL IP address (usually 172.x.x.x).
This suggests that the Tracecat UI is healthy but is unable to communicate with the Tracecat API.
* Check that the `api` service is healthy
* Check that this is not a CORS issue (see next FAQ)
* Check that you changed `PUBLIC_APP_URL` and `PUBLIC_APP_PORT` to the correct address
* Check the Chrome developer console for any errors
You must configure `PUBLIC_APP_URL` and `PUBLIC_API_URL` to the same domain that your browser is accessing the Tracecat UI from.
Tracecat strictly enforces CORS to prevent XSS attacks.
This error occurs when your browser cannot connect to Tracecat API via `PUBLIC_APP_URL`.
Please check the following:
* Do not set `PUBLIC_APP_URL` to `0.0.0.0`. Browsers cannot connect to this address. Use `localhost`, `127.0.0.1`, or your machine's actual IP address instead.
* WSL users: Do not use `127.0.0.1`. Run `ip addr` to find your WSL IP address (usually `172.x.x.x`) and use that instead.
* If your frontend is running on a different machine than the API, set `NEXT_PUBLIC_API_URL` to an address your browser can reach.
* Run `docker compose ps` to verify all services are running.
* Check the temporal service is healthy. Worker connectivity issues can sometimes affect login.
* View container logs: `docker compose logs api` and `docker compose logs temporal`.
* Check firewall and port forwarding if using a reverse proxy.
For example, if you've deployed Tracecat into a VM and exposed it to your browser as `https://my-tracecat-instance.com`,
you must set:
* `PUBLIC_APP_URL` to `https://my-tracecat-instance.com`
* `PUBLIC_API_URL` to `https://my-tracecat-instance.com/api`
Set both values to the exact browser-reachable URLs for your deployment, including the scheme:
* Local example:
* `PUBLIC_APP_URL=http://localhost:8000`
* `PUBLIC_API_URL=http://localhost:8000/api`
* Reverse proxy or public domain example:
* `PUBLIC_APP_URL=https://tracecat.example.com`
* `PUBLIC_API_URL=https://tracecat.example.com/api`
Use full URLs once.
Do not prepend `http://` or `https://` twice, and do not use addresses that only work inside Docker such as `0.0.0.0` or internal container hostnames.
If sign-in still fails:
* Verify that the domain in your browser exactly matches `PUBLIC_APP_URL`.
* Verify that `PUBLIC_API_URL` is the same origin plus `/api`.
* Run `docker compose ps` and check that `api`, `worker`, and `temporal` are healthy.
* Review `docker compose logs api` for startup, auth, or CORS errors.
Undersized Temporal clusters cause `No hosts available` errors and workflow execution failures.
Ensure the Temporal server has at least 4 CPU cores and 8 GB of memory.
Temporal also requires a well-provisioned PostgreSQL backend for adequate query throughput.
The bundled `temporal_postgres_db` container is suitable for development and small deployments only.
For production workloads, use a managed PostgreSQL instance (e.g., Amazon Aurora Serverless) for better QPS and reliability.
Tracecat ships with [Caddy](https://caddyserver.com/) as a reverse proxy.
Caddy automatically provisions and renews TLS certificates from Let's Encrypt when configured with a domain name.
In your `.env` file, set `BASE_DOMAIN` to your domain and update the public URLs to use HTTPS:
```bash theme={null}
BASE_DOMAIN=tracecat.example.com
PUBLIC_APP_URL=https://tracecat.example.com
PUBLIC_API_URL=https://tracecat.example.com/api
```
Update the `caddy` service ports in your `docker-compose.yml`:
```yaml theme={null}
services:
caddy:
ports:
- "80:80"
- "443:443"
```
Port 80 must remain open for the ACME HTTP-01 challenge. Port 443 serves HTTPS traffic.
```bash theme={null}
docker compose up -d
```
Caddy will automatically obtain and renew certificates on startup.
# Environment variables
Source: https://docs.tracecat.com/self-hosting/environment-variables
Reference for every self-hosted Tracecat environment variable: configure auth, storage, secrets, integrations, and runtime behavior across services.
## Required secrets
| Secret | Purpose |
| :---------------------------- | :---------------------------------------------------------------------------------------------------- |
| `TRACECAT__DB_ENCRYPTION_KEY` | Fernet key for at-rest encryption in PostgreSQL. Losing it makes encrypted credentials unrecoverable. |
| `TRACECAT__SERVICE_KEY` | HMAC key for service-to-service JWT signing. |
| `TRACECAT__SIGNING_SECRET` | Signs webhook URLs and HMAC operations. Changing it invalidates existing webhook URLs. |
| `USER_AUTH_SECRET` | Signs OAuth state parameters and password-reset tokens. |
Generate all four with `openssl`:
```bash theme={null}
# TRACECAT__SERVICE_KEY
openssl rand -hex 32
# TRACECAT__SIGNING_SECRET
openssl rand -hex 32
# USER_AUTH_SECRET
openssl rand -hex 32
# TRACECAT__DB_ENCRYPTION_KEY (Fernet-compatible base64)
openssl rand 32 | base64 | tr -d '\n' | tr '+/' '-_'
```
## Example `.env`
```bash theme={null}
PUBLIC_APP_URL=https://tracecat.yourdomain.com
PUBLIC_API_URL=https://tracecat.yourdomain.com/api
TRACECAT__APP_ENV=production
TRACECAT__DB_ENCRYPTION_KEY=
TRACECAT__SERVICE_KEY=
TRACECAT__SIGNING_SECRET=
USER_AUTH_SECRET=
TRACECAT__AUTH_SUPERADMIN_EMAIL=admin@yourdomain.com
TRACECAT__DB_SSLMODE=require
TRACECAT__POSTGRES_USER=postgres
TRACECAT__POSTGRES_PASSWORD=
```
See [`.env.example`](https://github.com/TracecatHQ/tracecat/blob/main/.env.example) for all options.
## Variables
### Network
| Variable | Default | Description |
| :----------------- | :------------------------------------ | :------------------------------------------------------------------------------ |
| `PUBLIC_APP_PORT` | `80` | Port the reverse proxy listens on. |
| `PUBLIC_APP_URL` | `http://localhost:${PUBLIC_APP_PORT}` | Public URL users visit to reach the Tracecat UI. |
| `PUBLIC_API_URL` | `${PUBLIC_APP_URL}/api` | Public URL for the Tracecat API, used by the browser and for webhook callbacks. |
| `INTERNAL_API_URL` | `http://api:8000` | Internal URL that other services use to reach the API container. |
### Application
| Variable | Default | Description |
| :------------------------- | :---------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------- |
| `TRACECAT__APP_ENV` | `development` | One of `development`, `staging`, or `production`. Controls logging detail and debug behavior. |
| `TRACECAT__API_URL` | `${INTERNAL_API_URL}` | API URL used by backend services. Normally matches `INTERNAL_API_URL`. |
| `TRACECAT__API_ROOT_PATH` | `/api` | Path prefix the API registers behind the reverse proxy. |
| `TRACECAT__PUBLIC_APP_URL` | `${PUBLIC_APP_URL}` | Public frontend URL used for links in emails and notifications. |
| `TRACECAT__PUBLIC_API_URL` | `${PUBLIC_API_URL}` | Public API URL used for incoming webhooks. If you expose webhooks through a tunnel (e.g. ngrok), set this to the tunnel URL. |
| `TRACECAT__ALLOW_ORIGINS` | `http://localhost:3000,${PUBLIC_APP_URL}` | Comma-separated list of allowed CORS origins. |
### PostgreSQL
| Variable | Default | Description |
| :---------------------------- | :--------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------- |
| `TRACECAT__POSTGRES_USER` | `postgres` | PostgreSQL username. |
| `TRACECAT__POSTGRES_PASSWORD` | `postgres` | PostgreSQL password. Change this in production. |
| `TRACECAT__DB_URI` | `postgresql+psycopg://${TRACECAT__POSTGRES_USER}:${TRACECAT__POSTGRES_PASSWORD}@postgres_db:5432/postgres` | Full database connection URI. Override this when using an external database. |
| `TRACECAT__DB_SSLMODE` | `disable` | PostgreSQL SSL mode. Set to `require` or `verify-full` for remote databases. |
### Authentication
| Variable | Default | Description |
| :----------------------------------- | :------ | :------------------------------------------------------------------------------------------------------------ |
| `TRACECAT__AUTH_SUPERADMIN_EMAIL` | | Email of the first user to promote to superadmin on initial startup. |
| `TRACECAT__AUTH_TYPES` | `basic` | Comma-separated list of enabled auth methods: `basic`, `oidc`, `saml`. |
| `TRACECAT__AUTH_ALLOWED_DOMAINS` | | Comma-separated email domains allowed to register (e.g. `example.com,example.org`). Leave blank to allow all. |
| `TRACECAT__AUTH_MIN_PASSWORD_LENGTH` | `12` | Minimum password length for basic auth. |
### OIDC / OAuth
| Variable | Default | Description |
| :------------------- | :--------------------- | :---------------------------------------------------- |
| `OIDC_ISSUER` | | OIDC issuer URL (e.g. `https://accounts.google.com`). |
| `OIDC_CLIENT_ID` | | OAuth client ID from your identity provider. |
| `OIDC_CLIENT_SECRET` | | OAuth client secret from your identity provider. |
| `OIDC_SCOPES` | `openid profile email` | Space-separated OAuth scopes to request. |
### SAML
| Variable | Default | Description |
| :------------------------- | :------ | :------------------------------------------------------------------------------------------ |
| `SAML_IDP_METADATA_URL` | | URL to your SAML IdP metadata XML. |
| `SAML_ACCEPTED_TIME_DIFF` | `3` | Maximum clock skew in seconds accepted when validating SAML assertions. |
| `SAML_ALLOW_UNSOLICITED` | `false` | Whether to allow unsolicited SAML responses. |
| `SAML_VERIFY_SSL_ENTITY` | `true` | Whether to verify SSL certificates for general SAML entity operations. |
| `SAML_VERIFY_SSL_METADATA` | `true` | Whether to verify SSL certificates when fetching SAML metadata. |
| `SAML_CA_CERTS` | | Optional base64-encoded CA bundle for validating self-signed IdP metadata TLS certificates. |
### Temporal
| Variable | Default | Description |
| :---------------------------- | :-------------------- | :---------------------------------------------------------------- |
| `TEMPORAL__CLUSTER_URL` | `temporal:7233` | Temporal cluster gRPC endpoint. |
| `TEMPORAL__CLUSTER_QUEUE` | `tracecat-task-queue` | Temporal task queue name. |
| `TEMPORAL__CLUSTER_NAMESPACE` | `default` | Temporal namespace. |
| `TEMPORAL__API_KEY` | | API key for Temporal Cloud. Leave empty for self-hosted Temporal. |
### Executor
| Variable | Default | Description |
| :------------------------------------------------- | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `TRACECAT__EXECUTOR_BACKEND` | `direct` | Execution strategy for actions. `direct` runs a subprocess per action, `pool` uses warm nsjail workers (requires nsjail), `ephemeral` spawns a cold nsjail subprocess per action for full isolation, `auto` selects `pool` if nsjail is available and falls back to `direct`, `test` runs in-process for tests only. |
| `TRACECAT__DISABLE_NSJAIL` | `true` | Disable nsjail sandboxing. Set to `false` only if nsjail is installed. |
| `TRACECAT__RESULT_EXTERNALIZATION_ENABLED` | `true` | Store large action results in blob storage instead of Temporal history. |
| `TRACECAT__COLLECTION_MANIFESTS_ENABLED` | `true` | Store large collections as chunked manifests in blob storage. |
| `TRACECAT__RESULT_EXTERNALIZATION_THRESHOLD_BYTES` | `128000` | Byte threshold above which payloads are externalized to blob storage. |
| `TRACECAT__WORKFLOW_ARTIFACT_RETENTION_DAYS` | `30` | Retention period in days for workflow artifacts. Objects older than this are automatically deleted via S3 lifecycle rules. Set to `0` to disable. |
### Blob storage
| Variable | Default | Description |
| :------------------------------------------ | :--------------------- | :-------------------------------- |
| `TRACECAT__BLOB_STORAGE_BUCKET_WORKFLOW` | `tracecat-workflow` | S3 bucket for workflow artifacts. |
| `TRACECAT__BLOB_STORAGE_BUCKET_ATTACHMENTS` | `tracecat-attachments` | S3 bucket for case attachments. |
| `TRACECAT__BLOB_STORAGE_BUCKET_REGISTRY` | `tracecat-registry` | S3 bucket for registry packages. |
### MinIO
| Variable | Default | Description |
| :-------------------- | :--------- | :-------------------------------------------------------------- |
| `MINIO_ROOT_USER` | `minio` | MinIO root username. Only used with the bundled MinIO instance. |
| `MINIO_ROOT_PASSWORD` | `password` | MinIO root password. Change this in production. |
### Redis
| Variable | Default | Description |
| :----------- | :------------------------------------ | :------------------------------------------------------------------------------ |
| `REDIS_HOST` | `redis` | Redis hostname. |
| `REDIS_PORT` | `6379` | Redis port. |
| `REDIS_URL` | `redis://${REDIS_HOST}:${REDIS_PORT}` | Full Redis connection URL. Override this when using an external Redis instance. |
# Kubernetes
Source: https://docs.tracecat.com/self-hosting/kubernetes
Deploy self-hosted Tracecat to Kubernetes with the OCI Helm chart: install Tracecat services and Temporal on EKS, GKE, or any conformant cluster.
The Tracecat Helm chart is distributed as a private OCI artifact hosted in AWS ECR.
Please contact [customer success](https://cal.com/team/tracecat) for access for evaluations or internal enterprise use.
## Prerequisites
* Kubernetes 1.27+
* Helm 3.12+ (with OCI support)
* `kubectl` configured for your target cluster
* Access to the Tracecat OCI Helm chart (see above)
* External PostgreSQL instance (e.g., Amazon RDS, Cloud SQL)
* External Redis instance (e.g., Amazon ElastiCache, Memorystore)
* S3-compatible object storage (e.g., Amazon S3, MinIO)
* `openssl` (for generating secrets)
## Core secrets
Tracecat requires four cryptographic secrets.
## Secrets management
The Helm chart supports three strategies for providing secrets to Tracecat pods.
The chart creates `ExternalSecret` resources that sync from AWS Secrets Manager into Kubernetes secrets via a `ClusterSecretStore`.
You need [External Secrets Operator](https://external-secrets.io) installed and a `ClusterSecretStore` configured with IRSA.
```yaml theme={null}
externalSecrets:
enabled: true
clusterSecretStoreRef: "my-cluster-secret-store"
coreSecrets:
enabled: true
secretArn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:tracecat/core"
postgres:
enabled: true
secretArn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:tracecat/postgres"
redis:
enabled: true
secretArn: "arn:aws:secretsmanager:us-west-2:123456789012:secret:tracecat/redis"
```
Expected secret formats in AWS Secrets Manager:
| Secret | Format |
| :--------- | :--------------------------------------------------------------------------------------------------------- |
| Core | JSON: `{ "dbEncryptionKey": "...", "serviceKey": "...", "signingSecret": "...", "userAuthSecret": "..." }` |
| PostgreSQL | JSON: `{ "username": "...", "password": "..." }` |
| Redis | Raw URL string, e.g. `rediss://:password@host:6379` |
| Temporal | Raw API key string |
The chart refreshes secrets every `1m` by default. Override with `externalSecrets.refreshInterval`.
Reference a secret you created with `kubectl` or your GitOps pipeline.
```bash theme={null}
kubectl create secret generic tracecat-secrets \
--namespace tracecat \
--from-literal=dbEncryptionKey="$(openssl rand 32 | base64 | tr -d '\n' | tr '+/' '-_')" \
--from-literal=serviceKey="$(openssl rand -hex 32)" \
--from-literal=signingSecret="$(openssl rand -hex 32)" \
--from-literal=userAuthSecret="$(openssl rand -hex 32)"
```
Then set `secrets.existingSecret` in your values:
```yaml theme={null}
secrets:
existingSecret: "tracecat-secrets"
```
You also need separate secrets for PostgreSQL and Redis, referenced by `externalPostgres.auth.existingSecret` and `externalRedis.auth.existingSecret`.
Only use this approach if secret values are encrypted in your repository and injected at deploy time through a pipeline like ArgoCD with sealed secrets or SOPS.
Storing plaintext secrets in version control is not safe.
```yaml theme={null}
secrets:
create:
tracecat:
enabled: true
dbEncryptionKey: "${DB_ENCRYPTION_KEY}"
serviceKey: "${SERVICE_KEY}"
signingSecret: "${SIGNING_SECRET}"
userAuthSecret: "${USER_AUTH_SECRET}"
postgres:
enabled: true
username: "${DB_USERNAME}"
password: "${DB_PASSWORD}"
redis:
enabled: true
url: "${REDIS_URL}"
```
The chart renders these as Helm pre-install hooks so they exist before the migrations job runs.
## External services
The Helm chart does not bundle databases. You must provide connection details for PostgreSQL, Redis, S3, and Temporal.
### PostgreSQL
```yaml theme={null}
externalPostgres:
host: "your-rds-instance.us-west-2.rds.amazonaws.com"
port: 5432
database: tracecat
sslMode: "require"
auth:
existingSecret: "tracecat-postgres-credentials" # keys: username, password
tls:
verifyCA: true
caCert: |
-----BEGIN CERTIFICATE-----
...RDS CA bundle...
-----END CERTIFICATE-----
```
For Amazon RDS, download the global CA bundle from the [AWS trust store](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem).
### Redis
```yaml theme={null}
externalRedis:
auth:
existingSecret: "tracecat-redis-credentials" # key: url
```
The `url` key should be a full Redis connection string, e.g. `rediss://:password@host:6379`. Use `rediss://` (double s) for TLS.
### S3
```yaml theme={null}
externalS3:
endpoint: "" # leave empty for AWS S3
region: "us-west-2"
auth:
existingSecret: "tracecat-s3-credentials" # keys: accessKeyId, secretAccessKey
```
When using IRSA for S3 access, omit `auth.existingSecret` and annotate the service account instead (see [Service accounts](#service-accounts)).
### Temporal
The chart includes a Temporal subchart. Point it at your external PostgreSQL instance for persistence.
```yaml theme={null}
temporal:
enabled: true
server:
config:
persistence:
datastores:
default:
sql:
connectAddr: "your-rds-host:5432"
user: "temporal"
existingSecret: "tracecat-postgres-credentials"
visibility:
sql:
connectAddr: "your-rds-host:5432"
user: "temporal"
existingSecret: "tracecat-postgres-credentials"
```
The Temporal schema setup job runs automatically and creates the `temporal` and `temporal_visibility` databases if they do not exist.
Disable the bundled subchart and point to your Temporal Cloud namespace.
```yaml theme={null}
temporal:
enabled: false
externalTemporal:
enabled: true
clusterUrl: "your-namespace.tmprl.cloud:7233"
clusterNamespace: "your-namespace"
auth:
existingSecret: "tracecat-temporal-credentials" # key: apiKey
```
## Service accounts
The chart creates a shared `tracecat-app` service account for most workloads (API, worker, migrations). Optionally create dedicated service accounts for executor, agent-executor, and litellm.
### IRSA (EKS)
Annotate service accounts with an IAM role ARN for AWS API access (S3, Secrets Manager, Bedrock).
```yaml theme={null}
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/tracecat-app"
executor:
serviceAccount:
create: true
name: "tracecat-executor"
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/tracecat-executor"
```
Dedicated executor service accounts let you scope S3 and secret permissions separately from the main application role.
Cross-account role assumption is supported.
Set `tracecat.aws.assumeRoleAccountId` and `tracecat.aws.assumeRolePrincipalArn` to assume roles in other AWS accounts from the executor.
## Networking
The chart supports Kubernetes Ingress and Istio VirtualService for external traffic routing.
The chart creates a single Ingress resource with path-based routing. Set `ingress.split: true` to generate separate Ingress resources per service (useful when the API requires different annotations than the UI, such as longer timeouts).
```yaml theme={null}
ingress:
enabled: true
className: "alb" # or nginx, traefik, etc.
host: "tracecat.example.com"
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
tls:
- hosts:
- tracecat.example.com
secretName: tracecat-tls
```
Default path routing:
| Path | Service | Port |
| :----- | :------ | :--- |
| `/api` | api | 8000 |
| `/mcp` | mcp | 8099 |
| `/` | ui | 3000 |
MCP routes (`/mcp`, `/.well-known/oauth-*`, `/authorize`, `/token`, `/register`, `/consent`, `/auth/callback`) are included automatically when `mcp.enabled: true`.
Disable `ingress.enabled` when using VirtualServices to avoid conflicting resources.
```yaml theme={null}
ingress:
enabled: false
virtualService:
enabled: true
tracecat:
enabled: true
configs:
- name: tracecat
hosts:
- "tracecat.example.com"
gateways:
- "istio-system/my-gateway"
```
Optional webhook and Temporal Web UI VirtualServices are available via `virtualService.webhooks` and `virtualService.temporal`.
## Installation
```bash theme={null}
helm registry login
```
Use the credentials provided by the Tracecat team.
Combine secrets, external services, networking, and URL configuration from the sections above into a single `values.yaml`.
```yaml theme={null}
secrets:
existingSecret: "tracecat-secrets"
urls:
publicApp: "https://tracecat.example.com"
publicApi: "https://tracecat.example.com/api"
tracecat:
auth:
types: "oidc"
superadminEmail: "admin@example.com"
ingress:
enabled: true
className: "alb"
host: "tracecat.example.com"
externalPostgres:
host: "your-db-host"
auth:
existingSecret: "tracecat-postgres-credentials"
externalRedis:
auth:
existingSecret: "tracecat-redis-credentials"
externalS3:
region: "us-west-2"
```
```bash theme={null}
helm install tracecat oci:///tracecat \
--version \
--namespace tracecat --create-namespace \
-f values.yaml \
--wait --timeout 10m
```
Replace `` with the version provided by the Tracecat team (e.g. `0.4.5`).
The `--wait` flag blocks until all pods are ready. Initial provisioning takes a few minutes depending on Temporal schema setup.
## Access Tracecat
Once deployed, access your instance at:
* UI: `https://`
* API docs: `https:///api/docs`
* MCP: `https:///mcp`
## Upgrading
```bash theme={null}
helm upgrade tracecat oci:///tracecat \
--version \
--namespace tracecat \
-f values.yaml \
--wait --timeout 10m
```
Do not change or lose your `dbEncryptionKey`, `serviceKey`, `signingSecret`, or `userAuthSecret` values between upgrades.
Losing these secrets makes encrypted credentials unrecoverable and invalidates existing webhook URLs.
## Security
### Execution sandboxing
The chart enables nsjail by default (`tracecat.sandbox.disableNsjail: false`). nsjail isolates user-defined Python scripts and custom actions inside the executor.
```yaml theme={null}
tracecat:
sandbox:
disableNsjail: false # default
```
nsjail requires privileged pods with `SYS_ADMIN` capability and an `Unconfined` seccomp profile. The chart sets these automatically on executor and agent-executor containers.
See [Security](/self-hosting/security) for backend choices (`pool`, `ephemeral`, `direct`) and isolation tradeoffs.
### Authentication
Set `tracecat.auth.types` to `oidc` or `saml` for production deployments. See [OIDC](/authentication/oidc) and [SAML](/authentication/saml) for configuration details.
## Autoscaling
The chart uses KEDA with a Temporal queue-based scaler to auto-scale worker, executor, and agent-executor deployments.
Prerequisites:
* `keda.enabled: true` (installs the KEDA subchart)
* `metricsserver.enabled: true` (or an existing metrics-server in the cluster)
```yaml theme={null}
keda:
enabled: true
metricsserver:
enabled: true
worker:
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 8
targetQueueSize: 5
cooldownPeriod: 120
executor:
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 8
```
When autoscaling is enabled, the static `replicas` value is ignored. KEDA polls the Temporal task queue and scales based on queue depth.
## Minimum resources
These are the default resource requests and limits from the chart.
| Component | CPU request | Memory request | CPU limit | Memory limit | Default replicas |
| :------------- | :---------- | :------------- | :-------- | :----------- | :--------------- |
| UI | 500m | 512Mi | 500m | 1024Mi | 1 |
| API | 2000m | 4096Mi | 2000m | 4096Mi | 2 |
| Worker | 2000m | 2048Mi | 2000m | 2048Mi | 4 |
| Executor | 4000m | 8192Mi | 4000m | 8192Mi | 4 |
| Agent executor | 2000m | 4096Mi | 4000m | 16384Mi | 2 |
| Agent worker | 2000m | 2048Mi | 2000m | 2048Mi | 2 |
| LiteLLM | 4000m | 8192Mi | 4000m | 8192Mi | 2 |
| MCP | 1000m | 1024Mi | 1000m | 1024Mi | 2 |
The agent executor uses burstable limits (requests 2000m/4096Mi, limits 4000m/16384Mi) to handle variable LLM response sizes.
All other services use guaranteed QoS where requests equal limits.
## Observability
The chart bundles optional subcharts for Prometheus, Grafana, and Grafana Alloy (k8s-monitoring).
```yaml theme={null}
tracecat:
temporal:
metrics:
enabled: true
monitoring:
enabled: true
prometheus:
enabled: true
grafana:
enabled: true
adminPassword: "change-me"
```
For Grafana Cloud or other external providers, enable only `tracecat.temporal.metrics.enabled` and configure your own scraping. See `values-eks-grafana-cloud.yaml` in the chart examples directory.
For production observability with custom dashboards, OpenTelemetry export, and alerting, contact the Tracecat team for enterprise support.
## FAQ
Yes. Set `tracecat.aws.assumeRoleAccountId` and `tracecat.aws.assumeRolePrincipalArn` in your values.
The executor uses STS `AssumeRole` to access resources in other AWS accounts.
Ensure the target account's trust policy allows the executor's IRSA role.
Undersized Temporal clusters cause this error. Ensure the Temporal server pods have at least 4 CPU cores and 8 GB of memory.
If using self-hosted Temporal with an external PostgreSQL, verify the database can handle the query throughput.
Managed services like Amazon Aurora Serverless are recommended for production workloads.
Yes. The chart includes KEDA `ScaledObject` resources for worker, executor, and agent-executor.
Set `keda.enabled: true` and `.autoscaling.enabled: true`.
Scaling is driven by Temporal task queue depth, not CPU or memory utilization.
Yes. The chart requires PostgreSQL, Redis, and S3-compatible storage but does not require AWS.
Use any provider for these services.
For secrets management without AWS Secrets Manager, use the existing Kubernetes secret or chart-managed secret template strategies instead of External Secrets Operator.
Set `scheduling.architecture` to `arm64` or `amd64`. The chart adds a `kubernetes.io/arch` node selector to all pods.
Set it to an empty string to disable architecture pinning.
# Security
Source: https://docs.tracecat.com/self-hosting/security
Harden your self-hosted Tracecat deployment: rotate secrets, lock down network egress, configure SSO and RBAC, and meet common compliance baselines.
## Infrastructure credentials
The default configuration ships with weak, well-known passwords for PostgreSQL, MinIO, and Redis. Replace them with strong, unique values before exposing Tracecat to production traffic.
```bash theme={null}
# PostgreSQL
TRACECAT__POSTGRES_USER=tracecat
TRACECAT__POSTGRES_PASSWORD=
# Temporal PostgreSQL
TEMPORAL__POSTGRES_USER=temporal
TEMPORAL__POSTGRES_PASSWORD=
# MinIO / S3
MINIO_ROOT_USER=
MINIO_ROOT_PASSWORD=
# Redis — add a password and update the URL
REDIS_URL=redis://:@redis:6379
```
For Redis, you also need to pass the password to the container. Add a `command` override in your `docker-compose.yml`:
```yaml theme={null}
services:
redis:
command: ["redis-server", "--requirepass", ""]
```
In production, consider replacing self-hosted PostgreSQL and Redis with managed services (e.g., Amazon RDS, ElastiCache) that handle encryption at rest, automated backups, and credential rotation.
## Execution sandboxing
Tracecat executes user-defined Python scripts and actions inside the executor service. The level of isolation depends on your configuration.
By default, Tracecat runs with `TRACECAT__DISABLE_NSJAIL=true` and uses the `direct` executor backend. In this mode, scripts run as regular subprocesses and can access the executor's environment variables, filesystem, and network. This is acceptable for development but **not recommended for production**.
### PID namespace isolation
The default `direct` backend provides best-effort PID namespace isolation using Linux `unshare`. This prevents scripts from inspecting other processes via `/proc`, but does not restrict filesystem or network access. It works without Docker privileged mode and is the baseline for non-sandboxed deployments.
### nsjail sandbox (recommended for production)
For production, enable [nsjail](https://github.com/google/nsjail) — a process isolation tool from Google that enforces:
* **Filesystem isolation** — scripts can only access their job directory and explicitly mounted paths. The host filesystem is not visible.
* **Resource limits** — CPU time, memory, file size, and process count are capped per execution. A runaway script cannot starve the host.
* **User namespace separation** — scripts run as unprivileged users even when the container runs as root.
* **Network access** — network is allowed (scripts need to reach databases, APIs, and S3) but constrained to the container's network namespace.
To enable nsjail, set the following in your `.env`:
```bash theme={null}
TRACECAT__DISABLE_NSJAIL=false
TRACECAT__EXECUTOR_BACKEND=pool # or 'ephemeral' for multi-tenant full isolation
```
nsjail requires:
* Linux with kernel 4.6+
* Docker privileged mode or `CAP_SYS_ADMIN` capability on the executor container
* The nsjail binary and sandbox rootfs (included in Tracecat images)
nsjail is not supported on macOS or Windows. These platforms can only use the `direct` backend with PID namespace isolation.
### Choosing a backend
| Backend | Isolation | Latency | Use case |
| :---------- | :------------------------------- | :---------- | :-------------------------------- |
| `direct` | PID namespace only | \~50ms | Development, trusted environments |
| `pool` | nsjail sandbox (warm workers) | \~100-200ms | Single-tenant production |
| `ephemeral` | nsjail sandbox (cold per action) | \~4000ms | Multi-tenant, maximum isolation |
## Authentication
Docker Compose deployments default to basic email/password authentication. For production, configure [OIDC](/authentication/oidc) or [SAML](/authentication/saml) SSO.
## TLS
Never run production traffic over plain HTTP. See [How do I configure SSL for production?](/self-hosting/docker-compose#how-do-i-configure-ssl-for-production) for Caddy-based automatic TLS setup.
# AbuseIPDB
Source: https://docs.tracecat.com/tools/abuseipdb
Reference for the Tracecat AbuseIPDB integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup IP address
Action ID: `tools.abuseipdb.lookup_ip_address`
Lookup an IP address in AbuseIPDB.
Reference: [https://docs.abuseipdb.com/#check-endpoint](https://docs.abuseipdb.com/#check-endpoint)
### Secrets
Required secrets:
* `abuseipdb`: required values `ABUSEIPDB_API_KEY`.
### Input fields
IP address to lookup.
Maximum age of the IP address in days.
Default: `30`.
# AlertMedia
Source: https://docs.tracecat.com/tools/alertmedia
Reference for the Tracecat AlertMedia integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create trip
Action ID: `tools.alertmedia.create_trip`
Create a trip in AlertMedia.
Reference: [https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary](https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
City of the trip.
Country code of the trip. For example, US, CA, GB, etc.
End date of the trip. Example 2025-06-26 23:59:59
Latitude of the trip.
Longitude of the trip.
Name of the trip.
Start date of the trip. Example 2025-06-26 00:00:00
User ID of the user to create the trip for.
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
Time zone of the trip.
Default: `"America/New_York"`.
Time zone of the trip.
Default: `"America/New_York"`.
## Delete trip
Action ID: `tools.alertmedia.delete_trip`
Delete a trip from AlertMedia.
Reference: [https://docs.alertmedia.com/reference/steps-deleting-a-trip-or-itinerary](https://docs.alertmedia.com/reference/steps-deleting-a-trip-or-itinerary)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
ID of the trip to delete.
User ID of the user to delete the trip for.
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
## Get Travel Events
Action ID: `tools.alertmedia.get_travel_events`
Get travel events and concerns for users traveling. This can be traffic, weather, or other events that may affect the user's travel. This returns a list of events and an item range header. The item range header of 0-2/3 means that the first 3 events (0-2) have been returned and there are a total of 3 events.
Reference: [https://docs.alertmedia.com/reference/get-list-events](https://docs.alertmedia.com/reference/get-list-events)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
Whether to get active trips.
Default: `null`.
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
Item-Range header value. Default is 0-25.
Default: `"0-25"`.
Start date of the trips to get. Example 2025-06-26 00:00:00
Default: `""`.
## Get user trip by ID
Action ID: `tools.alertmedia.get_user_trip_by_id`
Get a trip by ID from AlertMedia.
Reference: [https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary](https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
ID of the trip to get.
User ID of the user to get the trip for.
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
## Get user trips
Action ID: `tools.alertmedia.get_user_trips`
Get a list of trips for a user from AlertMedia. This returns a list of trips and an item range header. The item range header of 0-2/3 means that the first 3 trips (0-2) have been returned and there are a total of 3 trips.
Reference: [https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary](https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
User ID of the user to get the trips for.
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
Item-Range header value. Default is 0-25.
Default: `"0-25"`.
## Search trips
Action ID: `tools.alertmedia.search_trips`
Search for trips in AlertMedia. This returns a list of trips and an item range header. The item range header of 0-2/3 means that the first 3 trips (0-2) have been returned and there are a total of 3 trips.
Reference: [https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary](https://docs.alertmedia.com/reference/get-list-a-users-travel-itinerary)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
Item-Range header value. Default is 0-25.
Default: `"0-25"`.
Sort trips in response by one of start\_date, end\_date, name, city, country, state, country\_code. Add - before the field name to reverse the order (e.g. ?ordering=-start\_date returns trips sorted by start date Z-A). Default is -active\_date.
Default: `"-active_date"`.
Filter trips by status, this is a comma separated list of statuses. Valid values are upcoming, active, past. Default is upcoming,active,past. (all statuses)
Default: `"upcoming,active,past"`.
## Search users
Action ID: `tools.alertmedia.search_users`
Search for users in AlertMedia. This returns a list of users and an item range header. The item range header of 0-2/3 means that the first 3 users (0-2) have been returned and there are a total of 3 users.
Reference: [https://docs.alertmedia.com/reference/get-list-users](https://docs.alertmedia.com/reference/get-list-users)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
Email of the user to search for.
Default: `""`.
Whether the user has an registered device.
Default: `""`.
Whether the user has an email.
Default: `""`.
Whether the user has a phone number.
Default: `""`.
Item-Range header value. Default is 0-25.
Default: `"0-25"`.
Name of the user to search for.
Default: `""`.
Sort users in response by one of last\_name, first\_name, last\_login, email, mobile\_phone, date\_updated. Add - before the field name to reverse the order (e.g. ?ordering=-last\_name returns users sorted by last name Z-A)
Default: `""`.
Phone number of the user to search for.
Default: `""`.
## Update trip
Action ID: `tools.alertmedia.update_trip`
Update a trip in AlertMedia.
Reference: [https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary](https://docs.alertmedia.com/reference/steps-create-a-trip-and-itinerary)
### Secrets
Required secrets:
* `alertmedia`: required values `ALERTMEDIA_API_KEY`.
### Input fields
Trip ID of the trip to update.
User ID of the user to create the trip for.
AlertMedia base URL (e.g. [https://tracecat.alertmedia.com](https://tracecat.alertmedia.com))
Default: `null`.
City of the trip.
Default: `null`.
Country code of the trip. For example, US, CA, GB, etc.
Default: `null`.
End date of the trip. Example 2025-06-26 23:59:59
Default: `null`.
Time zone of the trip.
Default: `null`.
Latitude of the trip.
Default: `null`.
Longitude of the trip.
Default: `null`.
Name of the trip.
Default: `null`.
Start date of the trip. Example 2025-06-26 00:00:00
Default: `null`.
Time zone of the trip.
Default: `null`.
# Amazon S3
Source: https://docs.tracecat.com/tools/amazon_s3
Reference for the Tracecat Amazon S3 integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call S3 method
Action ID: `tools.amazon_s3.call_method`
Instantiate a S3 client and call a S3 method.
Reference: [https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html](https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
S3 method name.
S3 method parameters.
Endpoint URL for the AWS S3 service.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## Copy S3 objects
Action ID: `tools.amazon_s3.copy_objects`
Copy S3 objects from one bucket to another.
Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.copy\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.copy_object)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
Destination S3 bucket name.
Prefix to filter objects (e.g., 'manuals\_' for keys starting with 'manuals\_').
Source S3 bucket name.
Endpoint URL for the AWS S3 service.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## Delete S3 object
Action ID: `tools.amazon_s3.delete_object`
Delete an object from S3.
Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.delete\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.delete_object)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
S3 bucket name.
S3 object key.
Endpoint URL for the AWS S3 service.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## Get S3 object
Action ID: `tools.amazon_s3.get_object`
Download an object from S3 and return its body as a string.
Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get_object)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
S3 bucket name.
S3 object key.
Endpoint URL for the AWS S3 service.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## Get S3 objects
Action ID: `tools.amazon_s3.get_objects`
Download multiple S3 objects and return their bodies as strings.
Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.get_object)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
S3 bucket name.
S3 object keys.
Endpoint URL for the AWS S3 service.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## List S3 objects
Action ID: `tools.amazon_s3.list_objects`
List objects in an S3 bucket.
Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.list\_objects\_v2](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.list_objects_v2)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
S3 bucket name.
Endpoint URL for the AWS S3 service.
Default: `null`.
Maximum number of objects to return.
Default: `1000`.
S3 object key prefix.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## Parse S3 URI
Action ID: `tools.amazon_s3.parse_uri`
Parse an S3 URI into bucket name and object key.
Reference: [https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html](https://docs.aws.amazon.com/boto3/latest/guide/s3-example-download-file.html)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
## Put S3 object
Action ID: `tools.amazon_s3.put_object`
Uploads an object to S3. The object key is validated and content decoded.
Reference: [https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.put\_object](https://docs.aws.amazon.com/boto3/latest/reference/services/s3.html#S3.Client.put_object)
### Secrets
Optional secrets:
* `amazon_s3`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
S3 bucket name.
Base64 encoded content of the file to upload.
S3 object key.
Endpoint URL for the AWS S3 service.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
# Ansible
Source: https://docs.tracecat.com/tools/ansible
Reference for the Tracecat Ansible integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Run Ansible playbook
Action ID: `tools.ansible.run_playbook`
Run Ansible playbook on a single host given a list of plays in JSON format. Supports SSH host-connection mode only.
Reference: [https://docs.ansible.com/ansible/latest/index.html](https://docs.ansible.com/ansible/latest/index.html)
### Secrets
Required secrets:
* `ansible`: required values `PRIVATE_KEY`.
### Input fields
Host to SSH into and run the playbook on
Host name to use in the inventory
List of plays to run
SSH user to connect as
Environment variables to be used when running Ansible
Default: `null`.
Extra variables to pass to Ansible using `-e`
Default: `null`.
List of events to ignore from the playbook. Returns all events by default.
Default: `null`.
Optional mapping from password prompt to value. Example: \{"SSH password:": "\$\{\{ SECRETS.your\_secret\_name.some\_password }}"}.
Default: `null`.
Additional keyword arguments to pass to the runner
Default: `null`.
Timeout for the playbook execution in seconds
Default: `60`.
# ANY.RUN
Source: https://docs.tracecat.com/tools/anyrun
Reference for the Tracecat ANY.RUN integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get analysis
Action ID: `tools.anyrun.get_analysis`
Retrieve details for an ANY.RUN analysis by ID.
Reference: [https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/\{analysis\_id}](https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/\{analysis_id})
### Secrets
Required secrets:
* `anyrun`: required values `ANYRUN_API_KEY`.
### Input fields
Identifier of the analysis task.
## List analyses
Action ID: `tools.anyrun.list_analyses`
List ANY.RUN analyses with optional status filtering.
Reference: [https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/](https://any.run/api-documentation/#tag/analysis/GET/v1/analysis/)
### Secrets
Required secrets:
* `anyrun`: required values `ANYRUN_API_KEY`.
### Input fields
Maximum number of analyses to return.
Default: `50`.
Pagination offset.
Default: `0`.
Optional analysis status to filter by (e.g. finished, running).
Default: `null`.
## Submit analysis
Action ID: `tools.anyrun.submit_analysis`
Create an ANY.RUN analysis task for a file hash, URL, or file reference.
Reference: [https://any.run/api-documentation/#tag/analysis/POST/v1/analysis/](https://any.run/api-documentation/#tag/analysis/POST/v1/analysis/)
### Secrets
Required secrets:
* `anyrun`: required values `ANYRUN_API_KEY`.
### Input fields
Value of the object to analyze (URL, hash, or file UUID).
Whether to run the analysis in interactive mode.
Default: `false`.
Type of object to analyze (url, hash, or file).
Default: `"url"`.
Execution environment to use (e.g. win10).
Default: `"win10"`.
# AWS Boto3
Source: https://docs.tracecat.com/tools/aws_boto3
Reference for the Tracecat AWS Boto3 integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call method
Action ID: `tools.aws_boto3.call_api`
Instantiate a Boto3 client and call an AWS Boto3 API method.
Reference: [https://docs.aws.amazon.com/boto3/latest/guide/clients.html](https://docs.aws.amazon.com/boto3/latest/guide/clients.html)
### Secrets
Required secrets:
* `aws`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
Method name e.g. 'list\_buckets', 'list\_instances'
AWS service name e.g. 's3', 'ec2', 'guardduty'.
Endpoint URL for the AWS service.
Default: `null`.
Parameters for the API method.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
## Call paginator
Action ID: `tools.aws_boto3.call_paginated_api`
Instantiate a Boto3 paginator and call a paginated AWS API method.
Reference: [https://docs.aws.amazon.com/boto3/latest/guide/paginators.html](https://docs.aws.amazon.com/boto3/latest/guide/paginators.html)
### Secrets
Required secrets:
* `aws`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`.
### Input fields
Paginator name e.g. 'list\_objects\_v2', 'describe\_instances'.
AWS service name e.g. 's3', 'ec2', 'guardduty'.
Endpoint URL for the AWS service.
Default: `null`.
Parameters for the API paginator.
Default: `null`.
AWS service region to use for this request. Overrides the AWS\_REGION secret for the service client.
Default: `null`.
# Azure Log Analytics
Source: https://docs.tracecat.com/tools/azure_log_analytics
Reference for the Tracecat Azure Log Analytics integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Execute cross-workspace KQL query
Action ID: `tools.azure_log_analytics.execute_cross_workspace_kql_query`
Execute a KQL query across multiple Log Analytics workspaces for federated Azure Log Analytics queries.
Reference: [https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1](https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1)
### Secrets
Optional secrets:
* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_USER_TOKEN`.
* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_SERVICE_TOKEN`.
### Input fields
List of additional workspace IDs to query.
KQL query to execute across workspaces.
Primary Log Analytics workspace ID (GUID).
Base URL for the Azure Log Analytics API.
Default: `"https://api.loganalytics.io"`.
Allowed values: `https://api.loganalytics.io`, `https://api.loganalytics.us`.
ISO8601 time period to limit query results (e.g., "P7D" for 7 days).
Default: `null`.
## Execute KQL query
Action ID: `tools.azure_log_analytics.execute_kql_query`
Execute a KQL query against Azure Log Analytics workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1](https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1)
### Secrets
Optional secrets:
* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_USER_TOKEN`.
* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_SERVICE_TOKEN`.
### Input fields
KQL query to execute (e.g., "SecurityIncident | take 10").
Log Analytics workspace ID (GUID).
Base URL for the Azure Log Analytics API.
Default: `"https://api.loganalytics.io"`.
Allowed values: `https://api.loganalytics.io`, `https://api.loganalytics.us`.
ISO8601 time period to limit query results (e.g., "P7D" for 7 days, "PT1H" for 1 hour).
Default: `null`.
# MITRE Caldera
Source: https://docs.tracecat.com/tools/caldera
Reference for the Tracecat MITRE Caldera integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add link to operation
Action ID: `tools.caldera.add_operation_link`
Queue an ability on an existing Caldera operation.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Executor name to run the ability with (e.g. windows, linux, darwin).
Ability ID to add to the operation.
Operation ID to update.
Agent PAW that should run the ability.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Caldera health check
Action ID: `tools.caldera.health_check`
Query the Caldera REST API health endpoint.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Create adversary
Action ID: `tools.caldera.create_adversary`
Create a new Caldera adversary profile.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Description of the adversary.
Name for the adversary.
Ordered list of ability IDs for the adversary playbook.
Default: `[]`.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
Plugin that owns the adversary.
Default: `"stockpile"`.
Optional tags to assign.
Default: `[]`.
## Create Linux ability
Action ID: `tools.caldera.create_linux_ability`
Create a Caldera stockpile ability that runs on Linux agents.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Shell command to execute on the agent.
Ability description.
Ability name.
MITRE ATT\&CK tactic (e.g. discovery, collection).
MITRE ATT\&CK technique name.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
Delete payloads from the agent after execution.
Default: `true`.
Optional payload files required by the ability.
Default: `[]`.
Privilege level required to run the ability (blank for default).
Default: `""`.
Whether the ability can run repeatedly on the same agent.
Default: `false`.
Optional MITRE ATT\&CK technique ID (e.g. T1059.004).
Default: `null`.
Command timeout in seconds.
Default: `60`.
## Create operation
Action ID: `tools.caldera.create_operation`
Create a Caldera operation from an existing adversary profile.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Adversary ID whose abilities should be executed.
Operation name.
Whether to automatically close the operation when finished.
Default: `false`.
Autonomous mode value (0 = manual, 1 = full autonomous).
Default: `1`.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
Optional group assignment for the operation.
Default: `""`.
Sleep jitter value (format min/max seconds).
Default: `"2/4"`.
Obfuscator to use for commands.
Default: `"plain-text"`.
Objective ID the operation should satisfy.
Default: `"495a9828-cab1-44dd-a0ca-66e58177d8cc"`.
Planner ID to use when scheduling the operation.
Default: `"aaa7c857-37a0-4c4a-85f7-4e9f7f30e31a"`.
Source ID for fact collection.
Default: `"ed32b9c3-9593-4c33-b0db-e2007315096b"`.
Initial operation state (e.g. running, paused, finished).
Default: `"paused"`.
Whether to enable learning parsers during the run.
Default: `true`.
Visibility score for the operation.
Default: `51`.
## Create Windows ability
Action ID: `tools.caldera.create_windows_ability`
Create a Caldera stockpile ability that runs on Windows agents.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Exact PowerShell command to execute.
Ability description.
Ability name.
MITRE ATT\&CK tactic (e.g. discovery, execution).
MITRE ATT\&CK technique name.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
Delete payloads from the agent after execution.
Default: `true`.
Optional payload files required by the ability.
Default: `[]`.
Privilege level required to run the ability (blank for default).
Default: `""`.
Whether the ability can run repeatedly on the same agent.
Default: `false`.
Optional MITRE ATT\&CK technique ID (e.g. T1059.001).
Default: `null`.
Command timeout in seconds.
Default: `60`.
## Get ability
Action ID: `tools.caldera.get_ability`
Retrieve a Caldera ability by ID.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Ability ID to fetch.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Get adversary
Action ID: `tools.caldera.get_adversary`
Retrieve a Caldera adversary by ID.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Adversary ID to fetch.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Get agent
Action ID: `tools.caldera.get_agent`
Retrieve a Caldera agent by PAW.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Agent PAW identifier.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Get link result
Action ID: `tools.caldera.get_operation_link_result`
Retrieve the result payload for a specific Caldera link.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Link ID to fetch.
Operation ID that contains the link.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Get operation
Action ID: `tools.caldera.get_operation`
Retrieve a Caldera operation by ID.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Operation ID to fetch.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## Get operation link
Action ID: `tools.caldera.get_operation_link`
Retrieve a specific link from a Caldera operation.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Link ID to fetch.
Operation ID that contains the link.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## List abilities
Action ID: `tools.caldera.list_abilities`
List all Caldera abilities.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## List adversaries
Action ID: `tools.caldera.list_adversaries`
List Caldera adversaries.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## List agents
Action ID: `tools.caldera.list_agents`
List all Caldera agents (alive or dead).
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## List operation links
Action ID: `tools.caldera.list_operation_links`
List links for a specific Caldera operation.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Operation ID to inspect.
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## List operations
Action ID: `tools.caldera.list_operations`
List all Caldera operations.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
## List payloads
Action ID: `tools.caldera.list_payloads`
List uploaded payloads from Caldera.
Reference: [https://caldera.readthedocs.io/en/latest/The-REST-API.html](https://caldera.readthedocs.io/en/latest/The-REST-API.html)
### Secrets
Required secrets:
* `caldera`: required values `CALDERA_API_KEY`.
### Input fields
Caldera API base URL (e.g. [http://localhost:8888/api/v2](http://localhost:8888/api/v2)).
Default: `null`.
# Cloudflare SDK
Source: https://docs.tracecat.com/tools/cloudflare_sdk
Reference for the Tracecat Cloudflare SDK integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call method
Action ID: `tools.cloudflare_sdk.call_method`
Instantiate a Cloudflare client and call a Cloudflare SDK method.
Reference: [https://github.com/cloudflare/cloudflare-python](https://github.com/cloudflare/cloudflare-python)
### Secrets
Required secrets:
* `cloudflare`: required values `CLOUDFLARE_API_TOKEN`.
### Input fields
Cloudflare SDK method name, e.g. `list` or `create`.
Parameters for the Cloudflare SDK method.
Default: `null`.
Cloudflare SDK resource path, e.g. `zones` or `dns.records`.
Default: `null`.
## Call paginated method
Action ID: `tools.cloudflare_sdk.call_paginated_method`
Instantiate a Cloudflare client and call a paginated Cloudflare SDK method.
Reference: [https://github.com/cloudflare/cloudflare-python](https://github.com/cloudflare/cloudflare-python)
### Secrets
Required secrets:
* `cloudflare`: required values `CLOUDFLARE_API_TOKEN`.
### Input fields
Paginated Cloudflare SDK method name, e.g. `list`.
Parameters for the Cloudflare SDK method.
Default: `null`.
Cloudflare SDK resource path, e.g. `zones` or `dns.records`.
Default: `null`.
# Confluence
Source: https://docs.tracecat.com/tools/confluence
Reference for the Tracecat Confluence integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add comment
Action ID: `tools.confluence.add_page_comment`
Add a comment to a Confluence page.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Comment content in Confluence storage (XHTML) or wiki markup. Convert Markdown to storage before sending if needed.
The ID of the page to comment on.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Content representation for the comment body (storage or wiki).
Default: `"storage"`.
## Add page label
Action ID: `tools.confluence.add_page_label`
Add a label to a Confluence page.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-addLabelsToContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-addLabelsToContent)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Label name to apply.
The ID of the page to label.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Label prefix (global, my, or team).
Default: `"global"`.
## Create page
Action ID: `tools.confluence.create_page`
Create a new Confluence page in a space, optionally under a parent.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-createContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-createContent)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Page body in Confluence storage (XHTML) or wiki markup. Convert Markdown to storage before sending if needed.
Space key for the page (e.g., DEV, TEAM).
Title of the new page.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Content representation for the body (storage or wiki).
Default: `"storage"`.
Optional parent page ID to nest under.
Default: `null`.
## Delete page
Action ID: `tools.confluence.delete_page`
Delete a Confluence page by ID.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-delete](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-delete)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
The ID of the page to delete.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
## Get child pages
Action ID: `tools.confluence.get_page_children`
List child pages for a parent Confluence page with pagination and optional content expansion.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-childrenOfType](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-childrenOfType)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
The ID of the parent page whose children you want to retrieve.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Fields to expand on each child (e.g., version, body.storage, body.view).
Default: `"version"`.
Whether to force body.storage expansion for child content.
Default: `false`.
Maximum number of child pages to return (1-50).
Default: `25`.
Starting index for pagination (0-based).
Default: `0`.
## Get page by ID
Action ID: `tools.confluence.get_page`
Retrieve a Confluence page by its numeric ID with optional expanded fields.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContentById](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContentById)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Confluence page ID (numeric). In URLs like [https://example.atlassian.net/wiki/spaces/TEAM/pages/123456789/Page+Title](https://example.atlassian.net/wiki/spaces/TEAM/pages/123456789/Page+Title) the ID is 123456789.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Comma-separated fields to expand (e.g., body.storage, body.view, version, space, ancestors, children.attachment).
Default: `"body.storage,version,space"`.
## Get page by title
Action ID: `tools.confluence.get_page_by_title`
Find a Confluence page by title within a space.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-getContent)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Space key containing the page (e.g., DEV, TEAM).
Exact page title to retrieve.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Comma-separated fields to expand (e.g., body.storage, body.view, version, space, ancestors, children.attachment).
Default: `"body.storage,version,space"`.
## Get page comments
Action ID: `tools.confluence.get_page_comments`
Retrieve comments for a Confluence page with pagination support. Use start/limit to iterate through all comments.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content/\{id}/child-commentsOfContent)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Confluence page ID to fetch comments for.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Depth of comments to return (e.g., all, root).
Default: `"all"`.
Fields to expand on each comment (e.g., body.view, body.storage, version).
Default: `"body.view,version"`.
Maximum number of comments to return per request (1-50).
Default: `25`.
Starting index for pagination (0-based). Use \_links.next from response to get next page.
Default: `0`.
## Get page labels
Action ID: `tools.confluence.get_page_labels`
List labels applied to a Confluence page.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-getLabelsForContent](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#label-getLabelsForContent)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
The ID of the page to fetch labels for.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
## Search content
Action ID: `tools.confluence.search_content`
Search Confluence content with Confluence Query Language (CQL) and optional space filters.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#search-search](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#search-search)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Search query in CQL. Examples: 'type=page AND space=DEV', 'title\~"Runbook"', or 'text \~ "incident response"'. CQL supports operators like AND/OR, ranges, and exact matches.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Maximum number of results to return (1-50).
Default: `10`.
Optional comma-separated space keys to filter results (adds OR space clauses to the query).
Default: `null`.
## Update page
Action ID: `tools.confluence.update_page`
Update an existing Confluence page, incrementing the version automatically.
Reference: [https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-update](https://docs.atlassian.com/atlassian-confluence/REST/6.6.0/#content-update)
### Secrets
Required secrets:
* `confluence`: required values `CONFLUENCE_USERNAME`, `CONFLUENCE_API_TOKEN`.
### Input fields
Updated page body in Confluence storage (XHTML) or wiki markup. Convert Markdown to storage before sending if needed.
ID of the page to update.
New title for the page.
Confluence site base URL (e.g., [https://example.atlassian.net/wiki](https://example.atlassian.net/wiki)). Do not append /rest/api.
Default: `null`.
Content representation for the body (storage or wiki).
Default: `"storage"`.
Whether this is a minor edit for versioning purposes.
Default: `false`.
Optional new parent page ID to set on update.
Default: `null`.
Optional version comment to record with the update.
Default: `""`.
# CrowdSec
Source: https://docs.tracecat.com/tools/crowdsec
Reference for the Tracecat CrowdSec integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup IP address
Action ID: `tools.crowdsec.lookup_ip_address`
Get threat intel report for an IP address from CrowdSec.
Reference: [https://docs.crowdsec.net/u/cti\_api/getting\_started/](https://docs.crowdsec.net/u/cti_api/getting_started/)
### Secrets
Required secrets:
* `crowdsec_cti`: required values `CTI_API_KEY`.
### Input fields
IPv4 or IPv6 address to analyze or scan.
# CrowdStrike
Source: https://docs.tracecat.com/tools/crowdstrike
Reference for the Tracecat CrowdStrike integration: registered actions, required secrets, expected inputs, and example workflow usage.
## List alerts
Action ID: `tools.crowdstrike.list_alerts`
Query for Crowdstrike alerts via the Falcon SIEM API.
Reference: [https://falconpy.io/Service-Collections/Alerts.html#uber-class-example-7](https://falconpy.io/Service-Collections/Alerts.html#uber-class-example-7)
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
Maximum number of alerts to return.
Default: `100`.
Crowdstrike member CID.
Default: `null`.
Falcon Query Language (FQL) filter to apply to alerts. If specified, overrides `start_time` and `end_time`.
Default: `null`.
## List detects
Action ID: `tools.crowdstrike.list_detects`
Query for CrowdStrike detects and summaries via the Falcon SIEM API.
Reference: [https://falconpy.io/Service-Collections/Detects.html](https://falconpy.io/Service-Collections/Detects.html)
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
Maximum number of alerts to return.
Default: `100`.
Crowdstrike member CID.
Default: `null`.
Falcon Query Language (FQL) filter to apply to alerts. If specified, overrides `start_time` and `end_time`.
Default: `null`.
## List incidents
Action ID: `tools.crowdstrike.list_incidents`
Query for Crowdstrike incidents via the Falcon SIEM API.
Reference: [https://falconpy.io/Service-Collections/Incidents.html](https://falconpy.io/Service-Collections/Incidents.html)
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
Maximum number of incidents to return.
Default: `100`.
Crowdstrike member CID.
Default: `null`.
Falcon Query Language (FQL) filter to apply to cases. If specified, overrides `start_time` and `end_time`.
Default: `null`.
# Datadog
Source: https://docs.tracecat.com/tools/datadog
Reference for the Tracecat Datadog integration: registered actions, required secrets, expected inputs, and example workflow usage.
## List security signals
Action ID: `tools.datadog.list_security_signals`
Query for Datadog security signals.
Reference: [https://docs.datadoghq.com/api/latest/security-monitoring/#get-a-list-of-security-signals](https://docs.datadoghq.com/api/latest/security-monitoring/#get-a-list-of-security-signals)
### Secrets
Required secrets:
* `datadog`: required values `DATADOG_API_KEY`, `DATADOG_APP_KEY`.
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
Datadog site API URL.
Default: `null`.
Maximum number of alerts to return.
Default: `100`.
Datadog search query.
Default: `null`.
# Elastic Security
Source: https://docs.tracecat.com/tools/elastic_security
Reference for the Tracecat Elastic Security integration: registered actions, required secrets, expected inputs, and example workflow usage.
## List detection alerts
Action ID: `tools.elastic_security.list_detection_signals`
Query for Elastic Security detection alerts.
Reference: [https://www.elastic.co/docs/api/doc/kibana/v8/operation/operation-searchalerts](https://www.elastic.co/docs/api/doc/kibana/v8/operation/operation-searchalerts)
### Secrets
Required secrets:
* `elastic_security`: required values `ELASTIC_API_KEY`.
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
Kibana endpoint URL (e.g. [https://localhost:5601](https://localhost:5601)).
Default: `null`.
Maximum number of alerts to return.
Default: `100`.
Elastic JSON query DSL. If specified, overrides `start_time` and `end_time`.
Default: `null`.
Source field filter applied to each alert. Pass a list of dotted field
names to include only those fields, or a dict of `includes` / `excludes`
for fine-grained control. Maps directly to the Kibana `_source` request
body parameter. When `null` (default), every field is returned.
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
# Elasticsearch
Source: https://docs.tracecat.com/tools/elasticsearch
Reference for the Tracecat Elasticsearch integration: registered actions, required secrets, expected inputs, and example workflow usage.
## List indexes
Action ID: `tools.elasticsearch.list_indexes`
List all indexes in the Elasticsearch cluster.
Reference: [https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cat-indices](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cat-indices)
### Secrets
Required secrets:
* `elasticsearch`: required values `ELASTIC_API_KEY`.
### Input fields
Elasticsearch base URL (e.g. [https://localhost:9200](https://localhost:9200)).
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
## Search events
Action ID: `tools.elasticsearch.search_events`
Search events from Elasticsearch using query DSL.
Reference: [https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-search](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-search)
### Secrets
Required secrets:
* `elasticsearch`: required values `ELASTIC_API_KEY`.
### Input fields
Elasticsearch query DSL.
Elasticsearch base URL (e.g. [https://localhost:9200](https://localhost:9200)).
Default: `null`.
Index name to search. If not specified, searches all indices.
Default: `null`.
Maximum number of events to return.
Default: `100`.
Whether to verify SSL certificates.
Default: `true`.
# EmailRep
Source: https://docs.tracecat.com/tools/emailrep
Reference for the Tracecat EmailRep integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup email
Action ID: `tools.emailrep.lookup_email`
Lookup an email address in the EmailRep database.
Reference: [https://docs.sublime.security/reference/emailrep-introduction](https://docs.sublime.security/reference/emailrep-introduction)
### Secrets
Required secrets:
* `emailrep`: required values `EMAILREP_API_KEY`.
### Input fields
Email to lookup.
Whether to include the summary of the email.
Default: `true`.
# Exa
Source: https://docs.tracecat.com/tools/exa
Reference for the Tracecat Exa integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Answer
Action ID: `tools.exa.answer`
Answer a question with Exa.
Reference: [https://exa.ai/docs/reference/answer](https://exa.ai/docs/reference/answer)
### Secrets
Required secrets:
* `exa`: required values `EXA_API_KEY`.
### Input fields
The question to answer.
## Create research task
Action ID: `tools.exa.research`
Start a research task that explores the web, gathers sources, and synthesizes findings. Returns immediately with a researchId for polling.
Reference: [https://exa.ai/docs/reference/research/create-a-task](https://exa.ai/docs/reference/research/create-a-task)
### Secrets
Required secrets:
* `exa`: required values `EXA_API_KEY`.
### Input fields
Instructions for what you would like research on.
The model to use for research.
Default: `"exa-research-fast"`.
Allowed values: `exa-research-fast`, `exa-research`, `exa-research-pro`.
## Get contents
Action ID: `tools.exa.get_contents`
Get full page contents, summaries, and metadata for a list of URLs.
Reference: [https://exa.ai/docs/reference/get-contents](https://exa.ai/docs/reference/get-contents)
### Secrets
Required secrets:
* `exa`: required values `EXA_API_KEY`.
### Input fields
The URLs to get the contents for.
## Get research task
Action ID: `tools.exa.get_research`
Retrieve the current status and results of a research task by its research\_id.
Reference: [https://exa.ai/docs/reference/research/get-a-task](https://exa.ai/docs/reference/research/get-a-task)
### Secrets
Required secrets:
* `exa`: required values `EXA_API_KEY`.
### Input fields
Unique identifier for the research task to retrieve.
## List research tasks
Action ID: `tools.exa.list_research`
Get a paginated list of research tasks. Use cursor for pagination and limit to control page size.
Reference: [https://exa.ai/docs/reference/research/list-tasks](https://exa.ai/docs/reference/research/list-tasks)
### Secrets
Required secrets:
* `exa`: required values `EXA_API_KEY`.
### Input fields
Cursor token from previous response for pagination.
Maximum number of results per page (maximum 50).
Default: `10`.
## Search the web
Action ID: `tools.exa.search`
Search the web with Exa.
Reference: [https://exa.ai/docs/reference/search](https://exa.ai/docs/reference/search)
### Secrets
Required secrets:
* `exa`: required values `EXA_API_KEY`.
### Input fields
The query to search for.
# FalconPy
Source: https://docs.tracecat.com/tools/falconpy
Reference for the Tracecat FalconPy integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call command
Action ID: `tools.falconpy.call_command`
Instantiate a FalconPy Uber Class client and call a FalconPy API method.
Reference: [https://falconpy.io/Usage/Basic-Uber-Class-usage.html](https://falconpy.io/Usage/Basic-Uber-Class-usage.html)
### Secrets
Required secrets:
* `crowdstrike`: required values `CROWDSTRIKE_CLIENT_ID`, `CROWDSTRIKE_CLIENT_SECRET`.
### Input fields
Operation ID from [https://www.falconpy.io/Operations/All-Operations.html](https://www.falconpy.io/Operations/All-Operations.html)
Base URL for the Falcon API
Default: `null`.
Extra keyword arguments to pass to the Falcon API
Default: `null`.
Multi-tenant customer ID
Default: `null`.
Parameters to pass into the command
Default: `null`.
# GitHub MCP
Source: https://docs.tracecat.com/tools/github
Reference for the Tracecat GitHub MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## GitHub MCP
Action ID: `tools.github.mcp`
Use AI to interact with GitHub.
Reference: [https://docs.github.com/en/copilot](https://docs.github.com/en/copilot)
### Secrets
Required secrets:
* `github_mcp_oauth`: OAuth token `GITHUB_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
# Gmail
Source: https://docs.tracecat.com/tools/gmail
Reference for the Tracecat Gmail integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get Gmail attachment
Action ID: `tools.gmail.get_attachment`
Download an attachment from a Gmail message.
### Secrets
Required secrets:
* `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`.
### Input fields
The attachment ID to retrieve
The message ID containing the attachment
User ID or 'me' for authenticated user
Default: `"me"`.
## Get Gmail message
Action ID: `tools.gmail.get_message`
Get the full content of a Gmail message.
### Secrets
Required secrets:
* `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`.
### Input fields
The message ID to retrieve
Format: 'full' (complete), 'metadata' (headers only), 'minimal' (IDs only), 'raw' (RFC 2822)
Default: `"full"`.
User ID or 'me' for authenticated user
Default: `"me"`.
## Get Gmail message headers
Action ID: `tools.gmail.get_message_headers`
Get only the headers of a Gmail message.
### Secrets
Required secrets:
* `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`.
### Input fields
The message ID to retrieve headers for
Specific headers to return (e.g., \['From', 'To', 'Subject']). If not specified, returns all headers.
Default: `null`.
User ID or 'me' for authenticated user
Default: `"me"`.
## Get Gmail thread
Action ID: `tools.gmail.get_thread`
Get all messages in an email thread.
### Secrets
Required secrets:
* `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`.
### Input fields
The thread ID to retrieve
Format: 'full' (complete), 'metadata' (headers only), 'minimal' (IDs only)
Default: `"full"`.
User ID or 'me' for authenticated user
Default: `"me"`.
## List Gmail labels
Action ID: `tools.gmail.list_labels`
List all Gmail labels for a user.
### Secrets
Required secrets:
* `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`.
### Input fields
User ID or 'me' for authenticated user
Default: `"me"`.
## Search Gmail messages
Action ID: `tools.gmail.search_messages`
Search Gmail messages using Gmail's search syntax.
### Secrets
Required secrets:
* `google_gmail_oauth`: OAuth token `GOOGLE_GMAIL_USER_TOKEN`.
### Input fields
Gmail search query (e.g., 'from:[suspicious@evil.com](mailto:suspicious@evil.com) has:attachment')
Maximum number of results to return
Default: `10`.
Page token for pagination
Default: `null`.
User ID or 'me' for authenticated user
Default: `"me"`.
# Google API
Source: https://docs.tracecat.com/tools/google_api
Reference for the Tracecat Google API integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call API
Action ID: `tools.google_api.call_api`
Instantiate a Google API client and call a Google API method.
Reference: [https://googleapis.github.io/google-api-python-client/docs/dyn/](https://googleapis.github.io/google-api-python-client/docs/dyn/)
### Secrets
Optional secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
* `google_api`: required values `GOOGLE_API_CREDENTIALS`.
### Input fields
Google API method name, e.g. `list` or `get`.
Resource path, e.g. `files` or `spreadsheets.values`.
Google API service name, e.g. `drive` or `sheets`.
Google API version, e.g. `v3` or `v4`.
Parameters for the Google API method.
Default: `null`.
Service account scopes. Defaults to \["[https://www.googleapis.com/auth/cloud-platform](https://www.googleapis.com/auth/cloud-platform)"].
Default: `null`.
Optional service account domain-wide delegation subject.
Default: `null`.
## Call paginated API
Action ID: `tools.google_api.call_paginated_api`
Instantiate a Google API client and call a paginated Google API method.
Reference: [https://googleapis.github.io/google-api-python-client/docs/dyn/](https://googleapis.github.io/google-api-python-client/docs/dyn/)
### Secrets
Optional secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
* `google_api`: required values `GOOGLE_API_CREDENTIALS`.
### Input fields
Google API method name, e.g. `list` or `get`.
Resource path, e.g. `files` or `spreadsheets.values`.
Google API service name, e.g. `drive` or `sheets`.
Google API version, e.g. `v3` or `v4`.
Dot-separated response path for the next page token. Defaults to "nextPageToken".
Default: `"nextPageToken"`.
Request parameter name for the next page token. Defaults to "pageToken".
Default: `"pageToken"`.
Parameters for the Google API method.
Default: `null`.
Service account scopes. Defaults to \["[https://www.googleapis.com/auth/cloud-platform](https://www.googleapis.com/auth/cloud-platform)"].
Default: `null`.
Optional service account domain-wide delegation subject.
Default: `null`.
# Google Docs
Source: https://docs.tracecat.com/tools/google_docs
Reference for the Tracecat Google Docs integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Batch update document
Action ID: `tools.google_docs.batch_update_document`
Apply multiple updates to a Google Doc in a single request.
Reference: [https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/batchUpdate](https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/batchUpdate)
### Secrets
Optional secrets:
* `google_docs_oauth`: OAuth token `GOOGLE_DOCS_SERVICE_TOKEN`.
### Input fields
ID of the document to update.
List of Docs API request objects to apply.
Optional write control configuration (e.g., requiredRevisionId).
Default: `null`.
## Create document
Action ID: `tools.google_docs.create_document`
Create a new Google Doc.
Reference: [https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/create](https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/create)
### Secrets
Optional secrets:
* `google_docs_oauth`: OAuth token `GOOGLE_DOCS_SERVICE_TOKEN`.
### Input fields
Optional document title.
Default: `null`.
## Get document
Action ID: `tools.google_docs.get_document`
Retrieve a Google Doc with optional suggestions view mode.
Reference: [https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/get](https://developers.google.com/workspace/docs/api/reference/rest/v1/documents/get)
### Secrets
Optional secrets:
* `google_docs_oauth`: OAuth token `GOOGLE_DOCS_SERVICE_TOKEN`.
### Input fields
ID of the document to fetch.
How to display suggestions in the response.
Default: `null`.
# Google Drive
Source: https://docs.tracecat.com/tools/google_drive
Reference for the Tracecat Google Drive integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add Drive permission
Action ID: `tools.google_drive.add_permission`
Grant access to a file or folder.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
Email address to grant access to
The file or folder ID
Fields to return ('\*' for all)
Default: `"*"`.
Role: reader, writer, commenter, owner
Default: `"reader"`.
Send email notification
Default: `false`.
## Create Drive folder
Action ID: `tools.google_drive.create_folder`
Create a new folder in Google Drive.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
Name for the new folder
Fields to return ('\*' for all)
Default: `"*"`.
Parent folder ID (empty = root)
Default: `""`.
## Delete Drive file
Action ID: `tools.google_drive.delete_file`
Move a file or folder to trash.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
The file or folder ID to delete
Fields to return ('\*' for all)
Default: `"*"`.
## Get Drive file
Action ID: `tools.google_drive.get_file`
Get detailed metadata for a specific file.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
The file ID
Fields to return ('\*' for all)
Default: `"*"`.
## Get Drive file permissions
Action ID: `tools.google_drive.get_file_permissions`
List all permissions for a file or folder.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
The file ID
Fields to return ('\*' for all)
Default: `"*"`.
## List Drive files
Action ID: `tools.google_drive.list_files`
List and search files in Google Drive.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
Fields to return (e.g., 'files(id,name,mimeType)' or '\*' for all)
Default: `"*"`.
Maximum number of results
Default: `10`.
Sort order
Default: `"modifiedTime desc"`.
Search query (e.g., 'name contains "report"')
Default: `""`.
## Permanently delete Drive file
Action ID: `tools.google_drive.permanently_delete_file`
Permanently delete a file or folder (bypass trash).
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
The file or folder ID to permanently delete
## Revoke Drive permission
Action ID: `tools.google_drive.revoke_permission`
Remove a permission (revoke access).
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
The file or folder ID
The permission ID to revoke
## Update Drive permission
Action ID: `tools.google_drive.update_permission`
Update an existing permission (change role).
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
The file or folder ID
The permission ID to update
New role: reader, writer, commenter
Fields to return ('\*' for all)
Default: `"*"`.
## Upload Drive file
Action ID: `tools.google_drive.upload_file`
Upload a file to Google Drive.
### Secrets
Required secrets:
* `google_drive_oauth`: OAuth token `GOOGLE_DRIVE_USER_TOKEN`.
### Input fields
Base64-encoded file content
Name for the uploaded file
Fields to return ('\*' for all)
Default: `"*"`.
MIME type of file
Default: `"application/octet-stream"`.
Parent folder ID (empty = root)
Default: `""`.
# Google Maps
Source: https://docs.tracecat.com/tools/google_maps
Reference for the Tracecat Google Maps integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get location data
Action ID: `tools.google_maps.get_location_data`
Get location data from Google Maps.
Reference: [https://developers.google.com/maps/documentation/geocoding/guides-v3/overview](https://developers.google.com/maps/documentation/geocoding/guides-v3/overview)
### Secrets
Required secrets:
* `google_maps`: required values `GOOGLE_MAPS_API_KEY`.
### Input fields
The address to get the location data for.
# Google SecOps Detection Engine
Source: https://docs.tracecat.com/tools/google_secops_detection
Reference for the Tracecat Google SecOps Detection Engine integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Cancel retrohunt
Action ID: `tools.google_secops_detection.cancel_retrohunt`
Cancel a running retrohunt operation.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The retrohunt ID to cancel
The rule ID
## Create detection rule
Action ID: `tools.google_secops_detection.create_rule`
Create a new detection rule in Chronicle.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
YARA-L 2.0 rule text
## Create retrohunt
Action ID: `tools.google_secops_detection.create_retrohunt`
Create a retrohunt to run a rule against historical data.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
End time (RFC 3339 format)
The rule ID to run retrohunt for
Start time (RFC 3339 format, e.g., '2024-01-01T00:00:00Z')
## Delete detection rule
Action ID: `tools.google_secops_detection.delete_rule`
Delete a detection rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID to delete
## Disable detection rule
Action ID: `tools.google_secops_detection.disable_rule`
Disable a detection rule to stop live alerting.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID to disable
## Enable detection rule
Action ID: `tools.google_secops_detection.enable_rule`
Enable a detection rule for live alerting.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID to enable
## Get detection rule
Action ID: `tools.google_secops_detection.get_rule`
Get detailed information about a specific detection rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID (e.g., 'ru\_12345678-1234-1234-1234-123456789012')
## Get retrohunt status
Action ID: `tools.google_secops_detection.get_retrohunt`
Get the status and results of a retrohunt operation.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The retrohunt ID
The rule ID
## Get rule deployment status
Action ID: `tools.google_secops_detection.get_rule_deployment`
Get the deployment status of a detection rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID
## List detection rules
Action ID: `tools.google_secops_detection.list_rules`
List all detection rules in Chronicle.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
Maximum number of rules to return
Default: `100`.
Token for pagination
Default: `null`.
## List detections for rule
Action ID: `tools.google_secops_detection.list_detections`
List detections generated by a specific rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID to get detections for
End time (RFC 3339 format)
Default: `null`.
Maximum detections to return
Default: `100`.
Token for pagination
Default: `null`.
Start time (RFC 3339 format, e.g., '2024-01-01T00:00:00Z')
Default: `null`.
## List retrohunts
Action ID: `tools.google_secops_detection.list_retrohunts`
List all retrohunt operations for a specific rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID
Maximum retrohunts to return
Default: `100`.
Token for pagination
Default: `null`.
## List rule errors
Action ID: `tools.google_secops_detection.list_rule_errors`
List compilation or execution errors for a detection rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID
Maximum errors to return
Default: `100`.
Token for pagination
Default: `null`.
## Update detection rule
Action ID: `tools.google_secops_detection.update_rule`
Update an existing detection rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
The rule ID to update
Updated YARA-L 2.0 rule text
## Verify detection rule
Action ID: `tools.google_secops_detection.verify_rule`
Verify YARA-L rule syntax without creating the rule.
### Secrets
Required secrets:
* `google_oauth`: OAuth token `GOOGLE_SERVICE_TOKEN`.
### Input fields
Chronicle API base URL (e.g., '[https://backstory.googleapis.com](https://backstory.googleapis.com)' for US, '[https://europe-backstory.googleapis.com](https://europe-backstory.googleapis.com)' for EU, '[https://asia-southeast1-backstory.googleapis.com](https://asia-southeast1-backstory.googleapis.com)' for Asia)
YARA-L 2.0 rule text to validate
# Google SecOps SOAR
Source: https://docs.tracecat.com/tools/google_secops_soar
Reference for the Tracecat Google SecOps SOAR integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add case tag
Action ID: `tools.google_secops_soar.add_case_tag`
Add a tag to a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
Tag to add to the case
Optional alert identifier within the case
Default: `null`.
## Assign user to case
Action ID: `tools.google_secops_soar.assign_user_to_case`
Assign a user or SOC role to a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
User ID (GUID) or @RoleName to assign
Optional alert identifier within the case
Default: `null`.
## Bulk close cases
Action ID: `tools.google_secops_soar.bulk_close_cases`
Close multiple Chronicle SOAR cases in a single operation.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
List of case IDs to close
Comment for all closed cases
Close reason enum: 0=Malicious, 1=NotMalicious, 2=Maintenance, 3=Inconclusive, 4=Unknown
Root cause description
## Change case stage
Action ID: `tools.google_secops_soar.change_case_stage`
Change the stage of a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
New stage: Triage, Assessment, Investigation, Incident, Improvement, or Research
## Close alert
Action ID: `tools.google_secops_soar.close_alert`
Close a specific alert within a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
The alert identifier to close
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
Comment explaining why the alert is being closed
Close reason: Malicious, NotMalicious, Maintenance, or Inconclusive
Root cause description
The case ID where the alert is being closed
Alert usefulness: None, NotUseful, or Useful
Default: `"None"`.
## Create case comment
Action ID: `tools.google_secops_soar.create_case_comment`
Add a comment to a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
Comment text to add to the case
Optional alert identifier
Default: `null`.
Optional base64-encoded file content
Default: `null`.
Optional attachment filename
Default: `null`.
Optional file type (e.g., '.pdf', '.txt')
Default: `null`.
## Reopen alert
Action ID: `tools.google_secops_soar.reopen_alert`
Reopen a previously closed alert in a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
The alert identifier to reopen
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
## Search SOAR cases
Action ID: `tools.google_secops_soar.search_cases`
Search Chronicle SOAR cases with advanced filtering.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
List of user IDs or @Role names
Default: `null`.
List of specific case IDs to retrieve
Default: `null`.
UTC end time (ISO 8601 format). Only used when time\_range\_filter=0 (CUSTOM)
Default: `null`.
List of environments to filter by
Default: `null`.
Filter by importance: \['True'] for important cases only
Default: `null`.
Filter by incident flag: \['True'] for incidents only
Default: `null`.
Filter by case status (true=closed, false=open, null=all)
Default: `null`.
Number of results per page (max 100)
Default: `50`.
List of priorities: Informative, Low, Medium, High, Critical
Default: `null`.
Page number (0-indexed)
Default: `0`.
List of stages: Triage, Assessment, Investigation, Incident, Improvement, Research
Default: `null`.
UTC start time (ISO 8601 format, e.g., '2024-01-01T00:00:00.000Z'). Only used when time\_range\_filter=0 (CUSTOM)
Default: `null`.
List of case tags to filter by
Default: `null`.
Predefined time range in days: 0=CUSTOM, 1=LAST\_DAY, 2=LAST\_2\_DAYS, 3=LAST\_3\_DAYS, 4=LAST\_4\_DAYS, 7=LAST\_WEEK, 14=LAST\_2\_WEEKS, 30=LAST\_MONTH, 90=LAST\_3\_MONTHS, 180=LAST\_6\_MONTHS, 365=LAST\_YEAR, 395=LAST\_13\_MONTHS
Default: `null`.
Search by case title/name (partial match supported)
Default: `null`.
## Update alert priority
Action ID: `tools.google_secops_soar.update_alert_priority`
Update the priority of a specific alert within a case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
The alert identifier
The alert name
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
New priority: -1=Informative, 40=Low, 60=Medium, 80=High, 100=Critical
Previous priority (0=Unchanged if unknown)
Default: `0`.
## Update case comment
Action ID: `tools.google_secops_soar.update_case_comment`
Update an existing comment in a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
Updated comment text
The comment ID to update
Optional attachment ID to update
Default: `null`.
Optional updated base64-encoded file content
Default: `null`.
Optional updated filename
Default: `null`.
Optional updated file type
Default: `null`.
## Update case priority
Action ID: `tools.google_secops_soar.update_case_priority`
Update the priority of a Chronicle SOAR case.
### Secrets
Required secrets:
* `google_secops_soar`: required values `GOOGLE_SECOPS_API_KEY`.
### Input fields
Chronicle SOAR API base URL (e.g., '[https://your-instance.siemplify-soar.com/api/external/v1](https://your-instance.siemplify-soar.com/api/external/v1)')
The case ID
Priority: -1=Informative, 40=Low, 60=Medium, 80=High, 100=Critical
# Google Sheets
Source: https://docs.tracecat.com/tools/google_sheets
Reference for the Tracecat Google Sheets integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Append values
Action ID: `tools.google_sheets.append_values`
Append rows to a Google Sheets range.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/append](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/append)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
A1 notation range to append to.
Target spreadsheet ID.
Two-dimensional array of values to append.
Include the appended values in the response payload.
Default: `false`.
How the input data should be inserted.
Default: `"INSERT_ROWS"`.
Allowed values: `OVERWRITE`, `INSERT_ROWS`.
Orientation of the values array.
Default: `null`.
How input data should be interpreted.
Default: `"USER_ENTERED"`.
Allowed values: `RAW`, `USER_ENTERED`.
## Batch clear values
Action ID: `tools.google_sheets.batch_clear_values`
Clear values from one or more ranges in a spreadsheet.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchClear](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchClear)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
List of A1 notation ranges to clear.
Spreadsheet ID to clear.
## Batch get values
Action ID: `tools.google_sheets.batch_get_values`
Retrieve values from multiple ranges in a spreadsheet.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchGet](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchGet)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
A1 notation ranges to retrieve.
Spreadsheet ID to read from.
How dates and times should be represented.
Default: `null`.
Orientation of the returned values.
Default: `null`.
How values should be rendered in the response.
Default: `null`.
## Batch update values
Action ID: `tools.google_sheets.batch_update_values`
Update cell values across multiple ranges in one request.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchUpdate](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.values/batchUpdate)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
Spreadsheet ID to update.
List of updates with range, values, and optional major\_dimension per entry.
Include the updated values in the response payload.
Default: `false`.
How dates and times should be represented in the response.
Default: `null`.
How updated values should be rendered in the response.
Default: `null`.
How input data should be interpreted.
Default: `"USER_ENTERED"`.
Allowed values: `RAW`, `USER_ENTERED`.
## Copy sheet
Action ID: `tools.google_sheets.copy_sheet`
Copy a sheet to another spreadsheet.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.sheets/copyTo](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets.sheets/copyTo)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
Destination spreadsheet ID.
ID of the sheet to copy.
Source spreadsheet ID.
## Create spreadsheet
Action ID: `tools.google_sheets.create_spreadsheet`
Create a new Google Spreadsheet with an optional set of sheets.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/create](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/create)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
Spreadsheet title.
Optional list of sheet titles to create.
Default: `null`.
## Get spreadsheet
Action ID: `tools.google_sheets.get_spreadsheet`
Retrieve spreadsheet metadata and optional grid data.
Reference: [https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/get](https://developers.google.com/workspace/sheets/api/reference/rest/v4/spreadsheets/get)
### Secrets
Optional secrets:
* `google_sheets_oauth`: OAuth token `GOOGLE_SHEETS_SERVICE_TOKEN`.
### Input fields
Spreadsheet ID to fetch.
Return grid data along with metadata.
Default: `false`.
Optional A1 notation ranges to include.
Default: `null`.
# Gophish
Source: https://docs.tracecat.com/tools/gophish
Reference for the Tracecat Gophish integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create campaign
Action ID: `tools.gophish.create_campaign`
Create a campaign in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/campaigns#create-campaign](https://docs.getgophish.com/api-documentation/campaigns#create-campaign)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the campaign to create. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Create group
Action ID: `tools.gophish.create_group`
Create a group in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#create-group](https://docs.getgophish.com/api-documentation/users-and-groups#create-group)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the group to create. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Create landing page
Action ID: `tools.gophish.create_landing_page`
Create a landing page in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/landing-pages#create-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#create-landing-page)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the landing page to create. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Create sending profile
Action ID: `tools.gophish.create_sending_profile`
Create a sending profile in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#create-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#create-sending-profile)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the sending profile to create. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Create template
Action ID: `tools.gophish.create_template`
Create a template in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/templates#create-template](https://docs.getgophish.com/api-documentation/templates#create-template)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the template to create. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Delete campaign
Action ID: `tools.gophish.delete_campaign`
Delete a campaign in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/campaigns#delete-campaign](https://docs.getgophish.com/api-documentation/campaigns#delete-campaign)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the campaign to delete.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Delete group
Action ID: `tools.gophish.delete_group`
Delete a group in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#delete-group](https://docs.getgophish.com/api-documentation/users-and-groups#delete-group)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the group to delete.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Delete landing page
Action ID: `tools.gophish.delete_landing_page`
Delete a landing page in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/landing-pages#delete-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#delete-landing-page)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the landing page to delete.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Delete sending profile
Action ID: `tools.gophish.delete_sending_profile`
Delete a sending profile in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#delete-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#delete-sending-profile)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the sending profile to delete.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Delete template
Action ID: `tools.gophish.delete_template`
Delete a template in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/templates#delete-template](https://docs.getgophish.com/api-documentation/templates#delete-template)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the template to delete.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get campaign
Action ID: `tools.gophish.get_campaign`
Get a campaign from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaign](https://docs.getgophish.com/api-documentation/campaigns#get-campaign)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the campaign to get.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get campaign results
Action ID: `tools.gophish.get_campaign_results`
Get a campaign's results from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaign-results](https://docs.getgophish.com/api-documentation/campaigns#get-campaign-results)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the campaign to get results for.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get campaign summary
Action ID: `tools.gophish.get_campaign_summary`
Get a campaign summary from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaign-summary](https://docs.getgophish.com/api-documentation/campaigns#get-campaign-summary)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the campaign to get summary for.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get group
Action ID: `tools.gophish.get_group`
Get a group from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-group](https://docs.getgophish.com/api-documentation/users-and-groups#get-group)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the group to get.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get group summary
Action ID: `tools.gophish.get_group_summary`
Get a group summary from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-group-summary](https://docs.getgophish.com/api-documentation/users-and-groups#get-group-summary)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the group to get.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get landing page
Action ID: `tools.gophish.get_landing_page`
Get a landing page in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/landing-pages#get-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#get-landing-page)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the landing page to get.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get sending profile
Action ID: `tools.gophish.get_sending_profile`
Get a sending profile in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profile)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the sending profile to get.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get template
Action ID: `tools.gophish.get_template`
Get a template in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/templates#get-template](https://docs.getgophish.com/api-documentation/templates#get-template)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the template to get.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## List campaigns
Action ID: `tools.gophish.list_campaigns`
List campaigns from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/campaigns#get-campaigns](https://docs.getgophish.com/api-documentation/campaigns#get-campaigns)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## List groups
Action ID: `tools.gophish.list_groups`
List groups from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-groups](https://docs.getgophish.com/api-documentation/users-and-groups#get-groups)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## List groups summary
Action ID: `tools.gophish.list_groups_summary`
List groups summary from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#get-groups-summary](https://docs.getgophish.com/api-documentation/users-and-groups#get-groups-summary)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## List landing pages
Action ID: `tools.gophish.list_landing_pages`
List landing pages from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/landing-pages#get-landing-pages](https://docs.getgophish.com/api-documentation/landing-pages#get-landing-pages)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## List sending profiles
Action ID: `tools.gophish.list_sending_profiles`
List sending profiles from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profiles](https://docs.getgophish.com/api-documentation/sending-profiles#get-sending-profiles)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## List templates
Action ID: `tools.gophish.list_templates`
List templates from Gophish.
Reference: [https://docs.getgophish.com/api-documentation/templates#get-templates](https://docs.getgophish.com/api-documentation/templates#get-templates)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Modify group
Action ID: `tools.gophish.modify_group`
Modify a group in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/users-and-groups#modify-group](https://docs.getgophish.com/api-documentation/users-and-groups#modify-group)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the group to modify.
The body of the group to modify. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Modify landing page
Action ID: `tools.gophish.modify_landing_page`
Modify a landing page in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/landing-pages#modify-landing-page](https://docs.getgophish.com/api-documentation/landing-pages#modify-landing-page)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The ID of the landing page to modify.
The body of the landing page to modify. Look at the Gophish API documentation for the expected body.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Modify sending profile
Action ID: `tools.gophish.modify_sending_profile`
Modify a sending profile in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/sending-profiles#modify-sending-profile](https://docs.getgophish.com/api-documentation/sending-profiles#modify-sending-profile)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the sending profile to modify. Look at the Gophish API documentation for the expected body.
The ID of the sending profile to modify.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Modify template
Action ID: `tools.gophish.modify_template`
Modify a template in Gophish.
Reference: [https://docs.getgophish.com/api-documentation/templates#modify-template](https://docs.getgophish.com/api-documentation/templates#modify-template)
### Secrets
Required secrets:
* `gophish`: required values `GOPHISH_API_KEY`.
### Input fields
The body of the template to modify. Look at the Gophish API documentation for the expected body.
The ID of the template to modify.
The base URL of the Gophish instance.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
# HackerOne
Source: https://docs.tracecat.com/tools/hackerone
Reference for the Tracecat HackerOne integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get program
Action ID: `tools.hackerone.get_program`
Get details of a specific program from HackerOne.
Reference: [https://api.hackerone.com/customer-resources/?python#programs-get-program](https://api.hackerone.com/customer-resources/?python#programs-get-program)
### Secrets
Required secrets:
* `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`.
### Input fields
The ID of the program to retrieve.
## Get programs
Action ID: `tools.hackerone.get_programs`
Get a paginated list of programs from HackerOne.
Reference: [https://api.hackerone.com/customer-resources/?python#programs-get-programs](https://api.hackerone.com/customer-resources/?python#programs-get-programs)
### Secrets
Required secrets:
* `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`.
### Input fields
The page number to retrieve (starts at 1).
Default: `1`.
Number of programs per page (1-100).
Default: `25`.
## Get report
Action ID: `tools.hackerone.get_report`
Get details of a specific report from HackerOne.
Reference: [https://api.hackerone.com/customer-resources/?python#reports-get-report](https://api.hackerone.com/customer-resources/?python#reports-get-report)
### Secrets
Required secrets:
* `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`.
### Input fields
The ID of the report to retrieve.
## Get reports
Action ID: `tools.hackerone.get_reports`
Get a paginated list of reports from HackerOne.
Reference: [https://api.hackerone.com/customer-resources/?python#reports-update-weakness](https://api.hackerone.com/customer-resources/?python#reports-update-weakness)
### Secrets
Required secrets:
* `hackerone`: required values `HACKERONE_API_USERNAME`, `HACKERONE_API_TOKEN`.
### Input fields
Filters to apply to the reports. For example, \{'filter\[program]\[]': 'tracecat', 'filter\[state]\[]': \['new', 'triaged'], 'filter\[assignee]\[]': 'Tracecat Team'}
The page number to retrieve (starts at 1).
Default: `1`.
Number of reports per page (1-100).
Default: `25`.
# Have I Been Pwned
Source: https://docs.tracecat.com/tools/hibp
Reference for the Tracecat Have I Been Pwned integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Check email for breaches
Action ID: `tools.hibp.check_email_breaches`
Check if an email address has been compromised in known data breaches.
Reference: [https://haveibeenpwned.com/API/v3#BreachesForAccount](https://haveibeenpwned.com/API/v3#BreachesForAccount)
### Secrets
Required secrets:
* `hibp`: required values `HIBP_API_KEY`.
### Input fields
Email address to check for breaches.
Filter results to only breaches from this domain.
Default: `null`.
Include unverified breaches in results.
Default: `true`.
Return only breach names (True) or full breach details (False).
Default: `true`.
## Check email for pastes
Action ID: `tools.hibp.check_email_pastes`
Check if an email address has been found in any pastes.
Reference: [https://haveibeenpwned.com/API/v3#PastesForAccount](https://haveibeenpwned.com/API/v3#PastesForAccount)
### Secrets
Required secrets:
* `hibp`: required values `HIBP_API_KEY`.
### Input fields
Email address to check for pastes.
## Get all breaches
Action ID: `tools.hibp.get_all_breaches`
Get a list of all data breaches in the system.
Reference: [https://haveibeenpwned.com/API/v3#AllBreaches](https://haveibeenpwned.com/API/v3#AllBreaches)
### Input fields
Filter breaches to only those affecting this domain.
Default: `null`.
## Get breach details
Action ID: `tools.hibp.get_breach_details`
Get detailed information about a specific data breach.
Reference: [https://haveibeenpwned.com/API/v3#SingleBreach](https://haveibeenpwned.com/API/v3#SingleBreach)
### Input fields
Name of the breach to get details for.
## Get data classes
Action ID: `tools.hibp.get_data_classes`
Get all data classes in the system.
Reference: [https://haveibeenpwned.com/API/v3#DataClasses](https://haveibeenpwned.com/API/v3#DataClasses)
### Input fields
This action does not take input fields.
## Get latest breach
Action ID: `tools.hibp.get_latest_breach`
Get the most recently added breach in the system.
Reference: [https://haveibeenpwned.com/API/v3#LatestBreach](https://haveibeenpwned.com/API/v3#LatestBreach)
### Input fields
This action does not take input fields.
# Hybrid Analysis
Source: https://docs.tracecat.com/tools/hybrid_analysis
Reference for the Tracecat Hybrid Analysis integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get sandbox report
Action ID: `tools.hybrid_analysis.get_sandbox_report`
Get sandbox report summary from Hybrid Analysis.
Reference: [https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Report/b7bf5dba3bdd7e12a97034ad679b7358](https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Report/b7bf5dba3bdd7e12a97034ad679b7358)
### Secrets
Required secrets:
* `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`.
### Input fields
Job ID to get the report for.
## Lookup file
Action ID: `tools.hybrid_analysis.lookup_file`
Lookup a file with Hybrid Analysis.
Reference: [https://hybrid-analysis.com/docs/api/v2#/Analysis%20Overview/052627a17af8cc6ae5240f4684040902](https://hybrid-analysis.com/docs/api/v2#/Analysis%20Overview/052627a17af8cc6ae5240f4684040902)
### Secrets
Required secrets:
* `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`.
### Input fields
SHA256 hash of the file to lookup.
## Submit file
Action ID: `tools.hybrid_analysis.submit_file`
Submit a file to Hybrid Analysis sandbox for analysis.
Reference: [https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/e306d626e3fbbe3f10982ff88251b2b7](https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/e306d626e3fbbe3f10982ff88251b2b7)
### Secrets
Required secrets:
* `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`.
### Input fields
File to submit for analysis.
400 (Mac Catalina 64 bit x86);
310 (Linux (Ubuntu 20.04, 64 bit));
200 (Android Static Analysis);
160 (Windows 10 64 bit);
140 (Windows 11 64 bit);
120 (Windows 7 64 bit);
110 (Windows 7 32 bit HWP Support);
100 (Windows 7 32 bit);
Default: `310`.
## Submit URL
Action ID: `tools.hybrid_analysis.submit_url`
Submit a URL for analysis with Hybrid Analysis.
Reference: [https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/22e1723d4cec5c9b20d50715e4e5de8f](https://hybrid-analysis.com/docs/api/v2#/Sandbox%20Submission/22e1723d4cec5c9b20d50715e4e5de8f)
### Secrets
Required secrets:
* `hybrid_analysis`: required values `HYBRID_ANALYSIS_API_KEY`.
### Input fields
URL to submit for analysis.
400 (Mac Catalina 64 bit x86);
310 (Linux (Ubuntu 20.04, 64 bit));
200 (Android Static Analysis);
160 (Windows 10 64 bit);
140 (Windows 11 64 bit);
120 (Windows 7 64 bit);
110 (Windows 7 32 bit HWP Support);
100 (Windows 7 32 bit);
Default: `160`.
# IPinfo
Source: https://docs.tracecat.com/tools/ipinfo
Reference for the Tracecat IPinfo integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup IP address
Action ID: `tools.ipinfo.lookup_ip_address`
Get IPinfo.io report for an IP address.
Reference: [https://ipinfo.io/developers](https://ipinfo.io/developers)
### Secrets
Required secrets:
* `ipinfo`: required values `IPINFO_API_TOKEN`.
### Input fields
IP address to lookup.
# Jira MCP
Source: https://docs.tracecat.com/tools/jira
Reference for the Tracecat Jira MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add comment to issue
Action ID: `tools.jira.add_issue_comment`
Add a comment to an issue in Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-comments/#api-rest-api-3-issue-issueidorkey-comment-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-comments/#api-rest-api-3-issue-issueidorkey-comment-post)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Comment to add to the issue. Plain strings are wrapped as ADF text paragraphs. JSON object strings are deserialized. Dictionaries are sent as the Jira comment `body` value.
ID or key of the issue to add a comment to.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
## Assign issue
Action ID: `tools.jira.assign_issue`
Assign an issue to a user.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-assignee-put](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-assignee-put)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Jira issue key (e.g. TC-123)
Jira user ID (e.g. 1234567890)
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
## Create issue
Action ID: `tools.jira.create_issue`
Create a new issue in Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-post)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Detailed description of the incident. Plain strings are wrapped as ADF text paragraphs. JSON object strings are deserialized. Dictionaries are sent as provided.
Jira issue type ID.
Priority ID. Must be one of the priorities in the priority scheme.
Jira project ID.
Brief one-line summary of the incident.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
List of fields to add to the issue. ADF values can be passed as objects.
For example usage: `[
{"customfield_10000": "New value"},
{"customfield_10001": {"version": 1, "type": "doc", "content": []}}
]`
Default: `[]`.
Tags to categorize the incident. Added as Jira labels.
Default: `[]`.
## Get fields
Action ID: `tools.jira.get_fields`
Get a list of fields from Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-fields/#api-group-issue-fields](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-fields/#api-group-issue-fields)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
## Get issue
Action ID: `tools.jira.get_issue`
Get an issue from Jira by ID or key.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
ID or key of the issue to get.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
A list of fields to return for each issue, use it to retrieve a subset of fields. This parameter accepts a comma-separated list of strings. Expand options include: \*all, \*navigable, summary, comment,-description, -comment (defaults to \*all).
Default: `"*all"`.
## Get priorities by scheme
Action ID: `tools.jira.get_priorities`
Get a list of priorities from Jira for a given priority scheme.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-schemeid-priorities-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-schemeid-priorities-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Jira priority scheme ID.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
Maximum number of priorities to return.
Default: `50`.
## Get priority schemes
Action ID: `tools.jira.get_priority_schemes`
Get a list of priority schemes from Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-priority-schemes/#api-rest-api-3-priorityscheme-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
Maximum number of priority schemes to return.
Default: `50`.
## Get projects
Action ID: `tools.jira.get_projects`
Get a list of projects from Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-projects/#api-rest-api-3-project-search-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-projects/#api-rest-api-3-project-search-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
Maximum number of projects to return.
Default: `50`.
## Get transitions
Action ID: `tools.jira.get_transitions`
Get a list of available transitions for an issue.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
ID or key of the issue to get transitions for.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
## Get user ID
Action ID: `tools.jira.get_user_id`
Get a user ID from Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-user-search/#api-rest-api-3-user-search-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-user-search/#api-rest-api-3-user-search-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Jira username (e.g. [john.doe@example.com](mailto:john.doe@example.com))
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
## Jira MCP
Action ID: `tools.jira.mcp`
Use AI to interact with Jira through Atlassian's remote MCP server.
Reference: [https://support.atlassian.com/atlassian-rovo-mcp-server/docs/getting-started-with-the-atlassian-remote-mcp-server/](https://support.atlassian.com/atlassian-rovo-mcp-server/docs/getting-started-with-the-atlassian-remote-mcp-server/)
### Secrets
Required secrets:
* `jira_mcp_oauth`: OAuth token `JIRA_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
## Search issues
Action ID: `tools.jira.search_issues`
Search for issues in Jira using JQL.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-search/#api-rest-api-3-search-jql-get](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-search/#api-rest-api-3-search-jql-get)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
JQL query to search for issues.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net))
Default: `null`.
A list of fields to return for each issue, use it to retrieve a subset of fields. This parameter accepts a comma-separated list. Expand options include: \*all, \*navigable, summary, comment, -description, -comment (defaults to id).
Default: `"id"`.
Maximum number of results to return.
Default: `100`.
Next page token to get the next page of results. If not provided, the first page of results will be returned.
Default: `null`.
## Update issue description
Action ID: `tools.jira.update_issue_description`
Update the description of an existing issue in Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Updated description of the incident. Plain strings are wrapped as ADF text paragraphs. JSON object strings are deserialized. Dictionaries are sent as provided.
ID or key of the issue to update.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
## Update issue fields
Action ID: `tools.jira.update_issue_fields`
Update the fields of an existing issue in Jira.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-put)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
List of fields to update in the issue. ADF values can be passed as objects.
For example usage: `[
{"customfield_10000": "New value"},
{"customfield_10001": {"version": 1, "type": "doc", "content": []}}
]`
ID or key of the issue to update.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
## Update issue status
Action ID: `tools.jira.update_issue_status`
Update the status of an issue.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-issueidorkey-transitions-post)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
ID or key of the issue to update.
ID of the transition to perform.
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
## Upload attachment
Action ID: `tools.jira.upload_attachment`
Upload an attachment to a Jira issue.
Reference: [https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-attachments/#api-rest-api-3-issue-issueidorkey-attachments-post](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issue-attachments/#api-rest-api-3-issue-issueidorkey-attachments-post)
### Secrets
Required secrets:
* `jira`: required values `JIRA_USEREMAIL`, `JIRA_API_TOKEN`.
### Input fields
Base64 encoded content of the file to upload.
MIME type of the file (e.g., "application/pdf", "image/png", "text/plain").
Name of the file to upload.
Jira issue key or ID to upload the attachment to (e.g., "PROJ-123").
Jira tenant URL (e.g. [https://your-domain.atlassian.net](https://your-domain.atlassian.net)).
Default: `null`.
# Kubernetes SDK
Source: https://docs.tracecat.com/tools/kubernetes_sdk
Reference for the Tracecat Kubernetes SDK integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call API
Action ID: `tools.kubernetes_sdk.call_api`
Instantiate an isolated Kubernetes SDK client and call an API method.
Reference: [https://github.com/kubernetes-client/python](https://github.com/kubernetes-client/python)
### Secrets
Required secrets:
* `kubernetes`: required values `KUBECONFIG`; optional values `KUBECONFIG_CONTEXT`.
### Input fields
Kubernetes API class, e.g. `CoreV1Api`.
Kubernetes API method, e.g. `list_namespaced_pod`.
Parameters for the Kubernetes API method.
Default: `null`.
# LDAP
Source: https://docs.tracecat.com/tools/ldap
Reference for the Tracecat LDAP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add LDAP entry
Action ID: `tools.ldap.add_entry`
Add an entry to the LDAP directory.
Reference: [https://ldap3.readthedocs.io/en/latest/add.html](https://ldap3.readthedocs.io/en/latest/add.html)
### Secrets
Required secrets:
* `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`.
### Input fields
Attributes of the entry
Distinguished name of the entry
Object class of the entry
Additional connection parameters
Default: `null`.
Additional server parameters
Default: `null`.
## Delete LDAP entry
Action ID: `tools.ldap.delete_entry`
Delete an entry from the LDAP directory.
Reference: [https://ldap3.readthedocs.io/en/latest/delete.html](https://ldap3.readthedocs.io/en/latest/delete.html)
### Secrets
Required secrets:
* `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`.
### Input fields
Distinguished name of the entry
Additional connection parameters
Default: `null`.
Additional server parameters
Default: `null`.
## Modify LDAP entry
Action ID: `tools.ldap.modify_entry`
Modify an LDAP entry in the directory.
Reference: [https://ldap3.readthedocs.io/en/latest/modify.html](https://ldap3.readthedocs.io/en/latest/modify.html)
### Secrets
Required secrets:
* `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`.
### Input fields
Changes to the entry
Distinguished name of the entry
Additional connection parameters
Default: `null`.
Additional server parameters
Default: `null`.
## Search LDAP directory
Action ID: `tools.ldap.search_entries`
Search the LDAP directory for entries matching the query.
Reference: [https://ldap3.readthedocs.io/en/latest/searches.html](https://ldap3.readthedocs.io/en/latest/searches.html)
### Secrets
Required secrets:
* `ldap`: required values `LDAP_HOST`, `LDAP_PORT`, `LDAP_USER`, `LDAP_PASSWORD`.
### Input fields
Search base DN
LDAP search filter (RFC4515 syntax). Example: '(cn=John\*)' or '(&(objectClass=person)(mail=\*@example.com))'
Additional connection parameters
Default: `null`.
Additional server parameters
Default: `null`.
# LeakCheck
Source: https://docs.tracecat.com/tools/leakcheck
Reference for the Tracecat LeakCheck integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup Domain leak
Action ID: `tools.leakcheck.search_domain_leak`
Retrieve leaks linked to a domain name
Reference: [https://wiki.leakcheck.io/en/api](https://wiki.leakcheck.io/en/api)
### Secrets
Required secrets:
* `leakcheck`: required values `LEAKCHECK_API_KEY`.
### Input fields
Domain name to search for leaks.
## Lookup Email leak
Action ID: `tools.leakcheck.search_email_leak`
Retrieve leaks linked to an email address
Reference: [https://wiki.leakcheck.io/en/api](https://wiki.leakcheck.io/en/api)
### Secrets
Required secrets:
* `leakcheck`: required values `LEAKCHECK_API_KEY`.
### Input fields
Email address to search for leaks.
# Linear MCP
Source: https://docs.tracecat.com/tools/linear
Reference for the Tracecat Linear MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Linear MCP
Action ID: `tools.linear.mcp`
Use AI to interact with Linear.
Reference: [https://linear.app/docs/mcp](https://linear.app/docs/mcp)
### Secrets
Required secrets:
* `linear_mcp_oauth`: OAuth token `LINEAR_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
# Microsoft Defender for Endpoint
Source: https://docs.tracecat.com/tools/microsoft_defender_endpoint
Reference for the Tracecat Microsoft Defender for Endpoint integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create machine action
Action ID: `tools.microsoft_defender_endpoint.create_machine_action`
Submit a machine action (for example, isolate or run an antivirus scan) in Microsoft Defender for Endpoint.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/machineaction](https://learn.microsoft.com/en-us/defender-endpoint/api/machineaction)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Type of machine action to perform.
Allowed values: `Isolate`, `Unisolate`, `CollectInvestigationPackage`, `RunAntivirusScan`, `RestrictCodeExecution`, `UnrestrictCodeExecution`, `StopAndQuarantineFile`, `LiveResponse`, `Offboard`, `RequestSample`.
Comment describing why the action is being taken.
Machine ID to target with the action.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Optional action parameters payload (for example, \{"scanType": "Quick"} for RunAntivirusScan).
Default: `null`.
## Create or update indicator
Action ID: `tools.microsoft_defender_endpoint.create_or_update_indicator`
Create or update a Microsoft Defender for Endpoint custom indicator of compromise.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/post-ti-indicator](https://learn.microsoft.com/en-us/defender-endpoint/api/post-ti-indicator)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Enforcement action for the indicator.
Allowed values: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, `Allowed`.
Indicator description.
Indicator type.
Allowed values: `FileSha1`, `FileSha256`, `FileMd5`, `CertificateThumbprint`, `IpAddress`, `DomainName`, `Url`.
Indicator value (for example, SHA1 hash, domain, URL, or IP address).
Indicator alert title.
Friendly application name to display in end-user notifications.
Default: `null`.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Optional ISO 8601 timestamp when the indicator expires (for example, 2025-12-31T00:00:00Z).
Default: `null`.
Whether Defender should generate an alert when the indicator matches.
Default: `null`.
Optional list of RBAC device group names that the indicator applies to.
Default: `null`.
Recommended remediation steps to include with the indicator.
Default: `null`.
Optional severity to associate with the indicator.
Default: `null`.
## Get alert
Action ID: `tools.microsoft_defender_endpoint.get_alert`
Retrieve a Microsoft Defender for Endpoint alert by ID.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id](https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Alert ID to retrieve.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
## Get file from machine
Action ID: `tools.microsoft_defender_endpoint.get_file_from_machine`
Request a file from a device using Microsoft Defender Live Response.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Absolute file path on the device (escape backslashes, for example C:\\\Windows\\\Temp\\\sample.txt).
Machine ID to collect the file from.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Comment describing the Live Response action.
Default: `null`.
## Get incident
Action ID: `tools.microsoft_defender_endpoint.get_incident`
Retrieve a Microsoft Defender for Endpoint incident by ID.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Incident ID to retrieve.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
## Get machine
Action ID: `tools.microsoft_defender_endpoint.get_machine`
Retrieve detailed information about a device from Microsoft Defender for Endpoint.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-machine-by-id](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machine-by-id)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Machine ID to retrieve, as returned by the alerts or incidents APIs.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
## Isolate machine
Action ID: `tools.microsoft_defender_endpoint.isolate_machine`
Isolate a device from the network using Microsoft Defender for Endpoint.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/isolate-machine](https://learn.microsoft.com/en-us/defender-endpoint/api/isolate-machine)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Comment describing why the device is being isolated.
Machine ID to isolate.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Isolation scope to apply.
Default: `"Full"`.
Allowed values: `Full`, `Selective`, `UnManagedDevice`.
## List alerts
Action ID: `tools.microsoft_defender_endpoint.list_alerts`
List Microsoft Defender for Endpoint alerts with optional filtering and time range.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts](https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
OData filter expression to apply (for example, status eq 'Active' and severity eq 'High').
Default: `null`.
OData order by clause (for example, lastUpdateTime desc).
Default: `null`.
ISO 8601 timestamp to restrict alerts updated after this time (convenience filter applied as lastUpdateTime ge).
Default: `null`.
Maximum number of alerts to return (maps to \$top OData query option).
Default: `null`.
## List incidents
Action ID: `tools.microsoft_defender_endpoint.list_incidents`
List Microsoft Defender for Endpoint incidents with optional OData filtering.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
OData filter expression to apply (for example, status eq 'Active' and severity eq 'High').
Default: `null`.
OData order by clause (for example, lastUpdateTime desc).
Default: `null`.
Maximum number of incidents to return (maps to \$top OData query option).
Default: `null`.
## List indicators
Action ID: `tools.microsoft_defender_endpoint.list_indicators`
Retrieve Microsoft Defender for Endpoint indicators with optional OData filters.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-ti-indicators-collection](https://learn.microsoft.com/en-us/defender-endpoint/api/get-ti-indicators-collection)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
OData filter expression to apply (for example, action eq 'AlertAndBlock').
Default: `null`.
OData order by clause (for example, creationTimeDateTimeUtc desc).
Default: `null`.
OData skip token to continue pagination.
Default: `null`.
Maximum number of indicators to return (maps to \$top).
Default: `null`.
## List machine actions
Action ID: `tools.microsoft_defender_endpoint.list_machine_actions`
List Microsoft Defender for Endpoint machine actions with optional filters.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-machineactions-collection](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machineactions-collection)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
OData filter expression to apply (for example, machineId eq 'deviceId').
Default: `null`.
OData order by clause (for example, creationDateTimeUtc desc).
Default: `null`.
OData skip token to continue pagination.
Default: `null`.
Maximum number of machine actions to return (maps to \$top).
Default: `null`.
## List machines
Action ID: `tools.microsoft_defender_endpoint.list_machines`
List Microsoft Defender for Endpoint machines with optional filters.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
OData filter expression to apply (for example, healthStatus eq 'Active').
Default: `null`.
OData order by clause (for example, lastSeen desc).
Default: `null`.
OData skip token to continue pagination.
Default: `null`.
Maximum number of machines to return (maps to \$top).
Default: `null`.
## Put file on machine
Action ID: `tools.microsoft_defender_endpoint.put_file_on_machine`
Copy a file from the Live Response library onto a device.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Name of the file in the Live Response library to push to the device.
Machine ID to receive the file.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Comment describing why the file was delivered.
Default: `null`.
## Release machine from isolation
Action ID: `tools.microsoft_defender_endpoint.unisolate_machine`
Release a device from network isolation in Microsoft Defender for Endpoint.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/unisolate-machine](https://learn.microsoft.com/en-us/defender-endpoint/api/unisolate-machine)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Comment describing why the device is being released.
Machine ID to release from isolation.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
## Run advanced hunting query
Action ID: `tools.microsoft_defender_endpoint.run_advanced_hunting_query`
Execute a Microsoft Defender advanced hunting query across Defender for Endpoint data.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-advanced-query-api](https://learn.microsoft.com/en-us/defender-endpoint/api/run-advanced-query-api)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Kusto Query Language (KQL) query to run (for example, "DeviceNetworkEvents | take 25").
Optional AdvancedQueryRunSettings object (for example, \{"TimeoutInSeconds": 120}).
Default: `null`.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
## Run antivirus scan
Action ID: `tools.microsoft_defender_endpoint.run_antivirus_scan`
Trigger a Microsoft Defender Antivirus scan on a device.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-av-scan](https://learn.microsoft.com/en-us/defender-endpoint/api/run-av-scan)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Comment describing why the scan was requested.
Machine ID to scan.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Type of antivirus scan to perform.
Default: `"Quick"`.
Allowed values: `Quick`, `Full`.
## Run live response
Action ID: `tools.microsoft_defender_endpoint.run_live_response`
Run a sequence of Live Response commands on a device in Microsoft Defender for Endpoint.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Ordered list of Live Response commands (each object requires at least a 'type' key and optional 'params' list of key/value objects).
Machine ID to target with Live Response commands.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Comment describing the purpose of the Live Response session.
Default: `null`.
## Run script on machine
Action ID: `tools.microsoft_defender_endpoint.run_script_on_machine`
Execute a script from the Live Response library on a device.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response](https://learn.microsoft.com/en-us/defender-endpoint/api/run-live-response)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Machine ID to target with the script.
Name of the uploaded Live Response script to run.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Comment describing the Live Response action.
Default: `null`.
Optional arguments passed to the script (quoted as a single string).
Default: `null`.
## Update alert
Action ID: `tools.microsoft_defender_endpoint.update_alert`
Update status, ownership, or classification details for a Microsoft Defender for Endpoint alert.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/update-alert](https://learn.microsoft.com/en-us/defender-endpoint/api/update-alert)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Alert ID to update.
User principal name (UPN) or email address to assign the alert to.
Default: `null`.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Updated alert classification.
Default: `null`.
Comment to append to the alert.
Default: `null`.
Determination that provides additional context for the classification (for example, Malware, SecurityTesting, NotMalicious).
Default: `null`.
Updated alert status.
Default: `null`.
## Update incident
Action ID: `tools.microsoft_defender_endpoint.update_incident`
Update classification, determination, or assignment details for a Microsoft Defender for Endpoint incident.
Reference: [https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list)
### Secrets
Optional secrets:
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_USER_TOKEN`.
* `microsoft_defender_endpoint_oauth`: OAuth token `MICROSOFT_DEFENDER_ENDPOINT_SERVICE_TOKEN`.
### Input fields
Incident ID to update.
User principal name (UPN) or email to assign the incident to.
Default: `null`.
Base URL for the Microsoft Defender for Endpoint API.
Default: `"https://api.securitycenter.microsoft.com"`.
Allowed values: `https://api.securitycenter.microsoft.com`, `https://api-gcc.securitycenter.microsoft.us`, `https://api-gov.securitycenter.microsoft.us`.
Classification to apply to the incident (for example, Unknown, TruePositive, FalsePositive, InformationalExpectedActivity).
Default: `null`.
Comment to add to the incident history.
Default: `null`.
Determination that provides additional context for the classification (for example, Unknown, Malware, SecurityTesting).
Default: `null`.
Incident status (for example, Active, Resolved, InProgress, Redirected).
Default: `null`.
Tags to associate with the incident.
Default: `null`.
# Microsoft Entra
Source: https://docs.tracecat.com/tools/microsoft_entra
Reference for the Tracecat Microsoft Entra integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add user to group
Action ID: `tools.microsoft_entra.add_user_to_group`
Add a Microsoft Entra ID user to a group.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the group.
The unique identifier of the user (directory object) to add.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Create group
Action ID: `tools.microsoft_entra.create_group`
Create a Microsoft Entra ID group.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
Properties for the new group resource (displayName, mailEnabled, mailNickname, securityEnabled, etc.).
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Create user
Action ID: `tools.microsoft_entra.create_user`
Create a Microsoft Entra ID user account.
Reference: [https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
User properties for the request body (e.g. accountEnabled, displayName, mailNickname, userPrincipalName, passwordProfile).
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Delete group
Action ID: `tools.microsoft_entra.delete_group`
Delete a Microsoft Entra ID group.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-delete?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-delete?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the group to delete.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Delete user
Action ID: `tools.microsoft_entra.delete_user`
Delete a Microsoft Entra ID user.
Reference: [https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the user to delete.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Get group
Action ID: `tools.microsoft_entra.get_group`
Retrieve details for a Microsoft Entra ID group.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the group to retrieve.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Optional related entities to expand in the response.
Default: `null`.
Optional set of group properties to return.
Default: `null`.
## Get user
Action ID: `tools.microsoft_entra.get_user`
Retrieve details for a Microsoft Entra ID user.
Reference: [https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the user to retrieve.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Optional related entities to expand in the response.
Default: `null`.
Optional set of user properties to return.
Default: `null`.
## Get user ID by email
Action ID: `tools.microsoft_entra.get_user_id_by_email`
Get a user's ID by searching for their email address in mail or userPrincipalName.
Reference: [https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The email address to search for.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## List groups
Action ID: `tools.microsoft_entra.list_groups`
List Microsoft Entra ID groups with optional OData queries.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Set ConsistencyLevel=eventual for advanced queries when required by Microsoft Graph.
Default: `false`.
Optional related entities to expand in the response.
Default: `null`.
Optional OData \$filter expression.
Default: `null`.
Optional maximum page size to request via Prefer=odata.maxpagesize.
Default: `null`.
Optional OData \$orderby expression.
Default: `null`.
Optional search phrase. Use quoted property names as documented, for example "displayName:Engineering".
Default: `null`.
Optional set of group properties to return.
Default: `null`.
Opaque continuation token from a previous response (\$skiptoken).
Default: `null`.
Maximum number of results to return in a single page (\$top).
Default: `null`.
## List users
Action ID: `tools.microsoft_entra.list_users`
List Microsoft Entra ID users with optional OData query parameters.
Reference: [https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Set ConsistencyLevel=eventual for advanced queries when required by Microsoft Graph.
Default: `false`.
Include @odata.count in the response by setting \$count=true.
Default: `false`.
Optional related entities to expand in the response.
Default: `null`.
Optional OData \$filter expression.
Default: `null`.
Optional maximum page size to request via Prefer=odata.maxpagesize.
Default: `null`.
Optional OData \$orderby expression.
Default: `null`.
Optional search phrase. Use quoted property names per Microsoft Graph syntax, for example "displayName:Alex".
Default: `null`.
Optional set of user properties to return.
Default: `null`.
Opaque continuation token from a previous response (\$skiptoken).
Default: `null`.
Maximum number of results to return in a single page (\$top).
Default: `null`.
## Remove user from group
Action ID: `tools.microsoft_entra.remove_user_from_group`
Remove a Microsoft Entra ID user from a group.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-delete-members?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the group.
The unique identifier of the user (directory object) to remove.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Update group
Action ID: `tools.microsoft_entra.update_group`
Update properties on a Microsoft Entra ID group.
Reference: [https://learn.microsoft.com/en-us/graph/api/group-update?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/group-update?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
The unique identifier of the group to update.
Group properties to update as defined in the Microsoft Graph group resource.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## Update user
Action ID: `tools.microsoft_entra.update_user`
Update properties on a Microsoft Entra ID user.
Reference: [https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0)
### Secrets
Optional secrets:
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_USER_TOKEN`.
* `microsoft_entra_oauth`: OAuth token `MICROSOFT_ENTRA_SERVICE_TOKEN`.
### Input fields
User properties to update as defined in the Microsoft Graph user resource.
The unique identifier of the user to update.
Microsoft Graph API version.
Default: `"v1.0"`.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
# Microsoft Sentinel
Source: https://docs.tracecat.com/tools/microsoft_sentinel
Reference for the Tracecat Microsoft Sentinel integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create incident comment
Action ID: `tools.microsoft_sentinel.create_incident_comment`
Create a comment on an incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Comment ID (GUID).
Incident ID.
Comment message text.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create or update alert rule
Action ID: `tools.microsoft_sentinel.create_or_update_alert_rule`
Create or update an alert rule in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Alert rule properties including kind, displayName, enabled, query, etc.
Azure resource group name.
Alert rule ID.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create or update bookmark
Action ID: `tools.microsoft_sentinel.create_or_update_bookmark`
Create or update a bookmark in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Bookmark ID.
Bookmark properties including displayName, notes, query, labels, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create or update incident
Action ID: `tools.microsoft_sentinel.create_or_update_incident`
Create or update an incident in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Incident properties including title, severity, status, description, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create or update incident relation
Action ID: `tools.microsoft_sentinel.create_or_update_incident_relation`
Create or update a relation for an incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Relation properties including relatedResourceId.
Relation name (GUID).
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create or update watchlist
Action ID: `tools.microsoft_sentinel.create_or_update_watchlist`
Create or update a watchlist in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Watchlist properties including displayName, provider, source, itemsSearchKey, etc.
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create or update watchlist item
Action ID: `tools.microsoft_sentinel.create_or_update_watchlist_item`
Create or update an item in a watchlist in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Watchlist item properties including itemsKeyValue.
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Watchlist item ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Create threat intelligence indicator
Action ID: `tools.microsoft_sentinel.create_threat_intelligence_indicator`
Create a threat intelligence indicator in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Threat intelligence indicator name (GUID).
Indicator properties including kind, pattern, patternType, source, displayName, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete alert rule
Action ID: `tools.microsoft_sentinel.delete_alert_rule`
Delete an alert rule from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Alert rule ID.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete bookmark
Action ID: `tools.microsoft_sentinel.delete_bookmark`
Delete a bookmark from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Bookmark ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete incident
Action ID: `tools.microsoft_sentinel.delete_incident`
Delete an incident from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete incident comment
Action ID: `tools.microsoft_sentinel.delete_incident_comment`
Delete a comment from an incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Comment ID.
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete incident relation
Action ID: `tools.microsoft_sentinel.delete_incident_relation`
Delete a relation from an incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Relation name.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete threat intelligence indicator
Action ID: `tools.microsoft_sentinel.delete_threat_intelligence_indicator`
Delete a threat intelligence indicator from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Threat intelligence indicator name.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete watchlist
Action ID: `tools.microsoft_sentinel.delete_watchlist`
Delete a watchlist from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Delete watchlist item
Action ID: `tools.microsoft_sentinel.delete_watchlist_item`
Delete an item from a watchlist in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Watchlist item ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get alert rule
Action ID: `tools.microsoft_sentinel.get_alert_rule`
Get a specific alert rule by ID from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Alert rule ID.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get alert rule template
Action ID: `tools.microsoft_sentinel.get_alert_rule_template`
Get a specific alert rule template by ID from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Alert rule template ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get bookmark
Action ID: `tools.microsoft_sentinel.get_bookmark`
Get a specific bookmark by ID from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Bookmark ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get incident
Action ID: `tools.microsoft_sentinel.get_incident`
Get a specific incident by ID from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get incident relation
Action ID: `tools.microsoft_sentinel.get_incident_relation`
Get a specific relation for an incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Relation name (GUID).
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get threat intelligence indicator
Action ID: `tools.microsoft_sentinel.get_threat_intelligence_indicator`
Get a specific threat intelligence indicator by name from Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Threat intelligence indicator name (GUID).
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get watchlist
Action ID: `tools.microsoft_sentinel.get_watchlist`
Get a specific watchlist by alias from Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Get watchlist item
Action ID: `tools.microsoft_sentinel.get_watchlist_item`
Get a specific item from a watchlist in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Watchlist item ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List alert rule templates
Action ID: `tools.microsoft_sentinel.list_alert_rule_templates`
Get all alert rule templates available in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List alert rules
Action ID: `tools.microsoft_sentinel.list_alert_rules`
Get all alert rules in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List bookmarks
Action ID: `tools.microsoft_sentinel.list_bookmarks`
Get all bookmarks in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List incident alerts
Action ID: `tools.microsoft_sentinel.list_incident_alerts`
Get all alerts related to a specific incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List incident bookmarks
Action ID: `tools.microsoft_sentinel.list_incident_bookmarks`
Get all bookmarks related to a specific incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List incident comments
Action ID: `tools.microsoft_sentinel.list_incident_comments`
Get all comments for a specific incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List incident entities
Action ID: `tools.microsoft_sentinel.list_incident_entities`
Get all entities related to a specific incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List incident relations
Action ID: `tools.microsoft_sentinel.list_incident_relations`
Get all relations for a specific incident in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List incidents
Action ID: `tools.microsoft_sentinel.list_incidents`
Get all incidents in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
OData filter expression (e.g., "properties/status eq 'Active'").
Default: `null`.
OData orderby expression (e.g., "properties/createdTimeUtc desc").
Default: `null`.
Skiptoken for pagination.
Default: `null`.
Maximum number of incidents to return.
Default: `null`.
## List threat intelligence indicators
Action ID: `tools.microsoft_sentinel.list_threat_intelligence_indicators`
Get all threat intelligence indicators in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
OData filter expression.
Default: `null`.
OData orderby expression.
Default: `null`.
Skiptoken for pagination.
Default: `null`.
Maximum number of indicators to return.
Default: `null`.
## List watchlist items
Action ID: `tools.microsoft_sentinel.list_watchlist_items`
Get all items in a specific watchlist in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## List watchlists
Action ID: `tools.microsoft_sentinel.list_watchlists`
Get all watchlists in Microsoft Sentinel workspace.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
## Query threat intelligence indicators
Action ID: `tools.microsoft_sentinel.query_threat_intelligence_indicators`
Query threat intelligence indicators using advanced filters in Microsoft Sentinel.
Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators?view=rest-securityinsights-2025-09-01)
### Secrets
Optional secrets:
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.
### Input fields
Query parameters including keywords, patternTypes, sources, threatTypes, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version.
Default: `"2025-09-01"`.
Base URL for the Azure Management API.
Default: `"https://management.azure.com"`.
Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
# Microsoft Teams
Source: https://docs.tracecat.com/tools/microsoft_teams
Reference for the Tracecat Microsoft Teams integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create Teams channel
Action ID: `tools.microsoft_teams.create_channel`
Create a new channel in a Microsoft Teams team. Can create either public (standard) or private channels.
Reference: [https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0)
### Secrets
Required secrets:
* `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`.
### Input fields
The display name for the channel.
The ID of the team.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Description for the channel.
Default: `null`.
Whether to create a private channel (requires members).
Default: `false`.
List of user IDs to add as owners (required for private channels).
Default: `null`.
## Delete Teams channel
Action ID: `tools.microsoft_teams.delete_channel`
Delete a channel from a Microsoft Teams team.
Reference: [https://learn.microsoft.com/en-us/graph/api/channel-delete?view=graph-rest-beta\&tabs=http](https://learn.microsoft.com/en-us/graph/api/channel-delete?view=graph-rest-beta\&tabs=http)
### Secrets
Required secrets:
* `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`.
### Input fields
The ID of the channel.
The ID of the team.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
## List channel messages
Action ID: `tools.microsoft_teams.list_channel_messages`
Retrieve the list of messages (without the replies) in a channel of a team.
Reference: [https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta\&tabs=python](https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta\&tabs=python)
### Secrets
Required secrets:
* `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`.
### Input fields
The ID of the channel.
The ID of the team.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Whether to expand replies for each message.
Default: `false`.
Number of messages to return per page (default 20, max 50).
Default: `null`.
## Send adaptive card
Action ID: `tools.microsoft_teams.send_adaptive_card`
Send a message with Adaptive Cards to a Microsoft Teams channel.
Reference: [https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0)
### Secrets
Required secrets:
* `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`.
### Input fields
List of Adaptive Card elements.
The ID of the channel.
The ID of the team.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
Title for the card (appears as subject).
Default: `null`.
## Send replies to a Teams message
Action ID: `tools.microsoft_teams.post_replies`
Send a reply to a Microsoft Teams message.
Reference: [https://learn.microsoft.com/en-us/graph/api/chatmessage-post-replies?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/chatmessage-post-replies?view=graph-rest-1.0)
### Secrets
Required secrets:
* `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`.
### Input fields
The ID of the channel.
The reply message to send.
The ID of the message to reply to.
The ID of the team.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
The content type of the reply message.
Default: `"html"`.
## Send Teams message
Action ID: `tools.microsoft_teams.send_message`
Send a message to a Microsoft Teams channel.
Reference: [https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0)
### Secrets
Required secrets:
* `microsoft_teams_oauth`: OAuth token `MICROSOFT_TEAMS_USER_TOKEN`.
### Input fields
The ID of the channel.
The message to send.
The ID of the team.
Base URL for the Microsoft Graph API.
Default: `"https://graph.microsoft.com"`.
Allowed values: `https://graph.microsoft.com`, `https://graph.microsoft.us`.
# MinIO
Source: https://docs.tracecat.com/tools/minio
Reference for the Tracecat MinIO integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call MinIO method
Action ID: `tools.minio.call_method`
Instantiate a MinIO client and call a MinIO method.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/](https://docs.min.io/enterprise/aistor-object-store/developers/)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
MinIO method name.
MinIO method parameters.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
## Copy MinIO objects
Action ID: `tools.minio.copy_objects`
Copy MinIO objects from one bucket to another.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#copy\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#copy_object)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
Destination MinIO bucket name.
Prefix to filter objects.
Source MinIO bucket name.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
## Delete MinIO object
Action ID: `tools.minio.delete_object`
Delete an object from MinIO.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#remove\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#remove_object)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
MinIO bucket name.
MinIO object key.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
## Get MinIO object
Action ID: `tools.minio.get_object`
Download an object from MinIO and return its body as a string.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#get\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#get_object)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
MinIO bucket name.
MinIO object key.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
## Get MinIO objects
Action ID: `tools.minio.get_objects`
Download multiple MinIO objects and return their bodies as strings.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#get\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#get_object)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
MinIO bucket name.
MinIO object keys.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
## List MinIO buckets
Action ID: `tools.minio.list_buckets`
List MinIO buckets
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#list\_buckets](https://docs.min.io/enterprise/aistor-object-store/developers/#list_buckets)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
## List MinIO objects
Action ID: `tools.minio.list_objects`
List objects in a MinIO bucket.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#list\_objects](https://docs.min.io/enterprise/aistor-object-store/developers/#list_objects)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
MinIO bucket name.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
MinIO object key prefix.
Default: `null`.
List recursively.
Default: `true`.
Whether to use HTTPS connection.
Default: `true`.
## Put MinIO object
Action ID: `tools.minio.put_object`
Put an object to MinIO.
Reference: [https://docs.min.io/enterprise/aistor-object-store/developers/#put\_object](https://docs.min.io/enterprise/aistor-object-store/developers/#put_object)
### Secrets
Required secrets:
* `minio`: required values `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`; optional values `MINIO_ENDPOINT`, `MINIO_REGION`.
### Input fields
MinIO bucket name.
Base64 encoded content of the file to upload.
MinIO object key.
Whether to check the server certificate for HTTPS connection.
Default: `true`.
MinIO endpoint URL.
Default: `null`.
Whether to use HTTPS connection.
Default: `true`.
# Notion MCP
Source: https://docs.tracecat.com/tools/notion
Reference for the Tracecat Notion MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Notion MCP
Action ID: `tools.notion.mcp`
Use AI to interact with Notion.
Reference: [https://developers.notion.com/guides/mcp/overview](https://developers.notion.com/guides/mcp/overview)
### Secrets
Required secrets:
* `notion_mcp_oauth`: OAuth token `NOTION_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
# Okta
Source: https://docs.tracecat.com/tools/okta
Reference for the Tracecat Okta integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Activate user
Action ID: `tools.okta.activate_user`
Activate a user account in Okta.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/activateUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/activateUser)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
User ID, login, or email of the user to activate
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Whether to send an activation email to the user
Default: `true`.
## Add user to group
Action ID: `tools.okta.add_to_group`
Add a user to a specific group in Okta.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/assignUserToGroup](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/assignUserToGroup)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of the group to add the user to
User ID, login, or email to add to the group
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
## Assign group to application
Action ID: `tools.okta.assign_group_to_app`
Assign a group to an application in Okta.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/applicationgroups/#tag/ApplicationGroups/operation/updateGroupAssignmentToApplication](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/applicationgroups/#tag/ApplicationGroups/operation/updateGroupAssignmentToApplication)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Application ID to assign the group to
Group ID to assign to the application
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Priority of the group assignment (0-100)
Default: `null`.
## Clear user sessions
Action ID: `tools.okta.clear_user_sessions`
Clear all active sessions for a user in Okta.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
User ID, login, or email of the user whose sessions to clear
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
## Create user
Action ID: `tools.okta.create_user`
Create a new user in your Okta organization.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/createUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/createUser)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Email address of the new user
First name of the new user
Last name of the new user
Whether to activate the user immediately
Default: `true`.
Additional user profile attributes
Default: `null`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Login for the user (defaults to email if not provided)
Default: `null`.
## Expire password
Action ID: `tools.okta.expire_password`
Expire password for an Okta user and will force the user to set a new password on next sign-in.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePassword](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePassword)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of an existing user.
Okta organization URL.
Default: `null`.
Revoke all sessions for the user.
Default: `false`.
## Expire password with temporary password
Action ID: `tools.okta.expire_password_with_temp_password`
Expire password for an Okta user and will return a temporary password.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePasswordWithTempPassword](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/expirePasswordWithTempPassword)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of an existing user.
Okta organization URL.
Default: `null`.
Revoke all sessions for the user.
Default: `false`.
## Get group members
Action ID: `tools.okta.get_group_members`
List all users that are members of a specific group.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroupUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroupUsers)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of the group to get members for
Pagination cursor to start from
Default: `null`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Number of members to return (default 200)
Default: `200`.
## Get groups assigned to user
Action ID: `tools.okta.get_groups_assigned_to_user`
List all groups that a user is a member of.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/#tag/UserResources/operation/listUserGroups](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/#tag/UserResources/operation/listUserGroups)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
User ID, login, or email to get group memberships for
Pagination cursor to start from
Default: `null`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Maximum number of groups to return (default 200)
Default: `200`.
## Get user
Action ID: `tools.okta.get_user`
Retrieve a specific user by ID, login, or email from your Okta organization.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/getUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/getUser)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
User ID, login, or email of the user to retrieve
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
## List groups in organization
Action ID: `tools.okta.list_groups_in_org`
List all groups in your Okta organization with optional filtering.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroups](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/listGroups)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Pagination cursor to start from
Default: `null`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Number of groups to return (default 200)
Default: `200`.
Search expression for filtering groups
Default: `null`.
## List users
Action ID: `tools.okta.list_users`
List all users in your Okta organization with optional filtering and search.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Pagination cursor to start from
Default: `null`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Filter expression for users
Default: `null`.
Number of users to return (default 200)
Default: `200`.
## Lookup user by email
Action ID: `tools.okta.lookup_user_by_email`
Get an Okta user by email.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Email of an existing user.
Okta organization URL.
Default: `null`.
## Remove user from group
Action ID: `tools.okta.remove_from_group`
Remove a user from a specific group in Okta.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/unassignUserFromGroup](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/group/#tag/Group/operation/unassignUserFromGroup)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of the group to remove the user from
User ID, login, or email to remove from the group
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
## Reset password
Action ID: `tools.okta.reset_password`
Reset password for an Okta user and send a password reset email or return a password reset link.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/resetPassword](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usercred/#tag/UserCred/operation/resetPassword)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of an existing user.
Okta organization URL.
Default: `null`.
Revoke all sessions for the user.
Default: `false`.
Sends a OTT link email to the user, if false returns password reset link.
Default: `true`.
## Revoke sessions
Action ID: `tools.okta.revoke_sessions`
Revoke all IdP sessions for an Okta user.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/usersessions/#tag/UserSessions/operation/revokeUserSessions)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of an existing user.
Okta organization URL.
Default: `null`.
## Search users
Action ID: `tools.okta.search_users`
Search for users using a query string that matches login, email, firstName, or lastName.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#tag/User/operation/listUsers)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Query string to search for users
Pagination cursor to start from
Default: `null`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Number of users to return (default 10)
Default: `10`.
## Suspend user
Action ID: `tools.okta.suspend_user`
Suspend an Okta user.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/suspendUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/suspendUser)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of an existing user.
Okta organization URL.
Default: `null`.
## Unsuspend user
Action ID: `tools.okta.unsuspend_user`
Unsuspend an Okta user.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/unsuspendUser](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userlifecycle/#tag/UserLifecycle/operation/unsuspendUser)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of the user to unsuspend.
Okta organization URL.
Default: `null`.
# Okta
Source: https://docs.tracecat.com/tools/okta_oar
Reference for the Tracecat Okta integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create message
Action ID: `tools.okta_oar.create_message`
Create a message in an Okta Access Request ticket.
Reference: [https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/createRequestMessage](https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/createRequestMessage)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Message content to add to the request
ID of the access request to add message to
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
## Get requests
Action ID: `tools.okta_oar.get_requests`
Get Okta Access Request tickets with optional filtering and pagination.
Reference: [https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/](https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
Pagination cursor for retrieving next set of results
Default: `""`.
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
Filter expression for requests
Default: `""`.
Number of requests to return (default 20)
Default: `"20"`.
Field to order results by
Default: `""`.
## Get specific request
Action ID: `tools.okta_oar.get_specific_request`
Get a specific Okta Access Request ticket by ID.
Reference: [https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/getRequest](https://developer.okta.com/docs/api/iga/openapi/governance-production-requests-admin-v1-reference/requests/#tag/Requests/operation/getRequest)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
ID of the access request to retrieve
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
## Get user
Action ID: `tools.okta_oar.get_user`
Get an Okta user by ID.
Reference: [https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#get-user](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/user/#get-user)
### Secrets
Required secrets:
* `okta`: required values `OKTA_API_TOKEN`.
### Input fields
User ID, login, or email of the user to retrieve
Okta domain base URL (e.g., '[https://your-org.okta.com](https://your-org.okta.com)')
Default: `null`.
# Okta SDK Applications
Source: https://docs.tracecat.com/tools/okta_sdk
Reference for the Tracecat Okta SDK Applications integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Activate application
Action ID: `tools.okta_sdk.activate_application`
Activate an Okta application.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta application ID.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Call method
Action ID: `tools.okta_sdk.call_method`
Instantiate an Okta SDK client and call an async Okta SDK method.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta SDK client method name, e.g. `list_users`.
Auth mode. Auto prefers OAuth/bearer, then private key, then SSWS.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Parameters for the Okta SDK method.
Default: `null`.
Okta SDK rate-limit retry count.
Default: `2`.
OAuth scopes for private-key auth.
Default: `null`.
## Call paginated method
Action ID: `tools.okta_sdk.call_paginated_method`
Call an Okta SDK list method and follow Okta `Link` pagination.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta SDK method name, e.g. `list_users`.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Per-page item limit.
Default: `null`.
Maximum pages to fetch.
Default: `null`.
Parameters for the Okta SDK method.
Default: `null`.
Okta SDK rate-limit retry count.
Default: `2`.
OAuth scopes for private-key auth.
Default: `null`.
## Change user password
Action ID: `tools.okta_sdk.change_password`
Change an Okta user's password.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta change password request body.
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Apply Okta strict validation.
Default: `null`.
## Create group
Action ID: `tools.okta_sdk.add_group`
Create an Okta group.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta group body.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Deactivate application
Action ID: `tools.okta_sdk.deactivate_application`
Deactivate an Okta application.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta application ID.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Deactivate user
Action ID: `tools.okta_sdk.deactivate_user`
Deactivate an Okta user.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Okta Prefer header value.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Send Okta lifecycle email.
Default: `null`.
## Delete group
Action ID: `tools.okta_sdk.delete_group`
Delete an Okta group.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta group ID.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Delete user
Action ID: `tools.okta_sdk.delete_user`
Delete or clear an Okta user, depending on current user status.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Okta Prefer header value.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Send Okta lifecycle email.
Default: `null`.
## Forgot password
Action ID: `tools.okta_sdk.forgot_password`
Start Okta forgot-password flow for a user.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Send Okta lifecycle email.
Default: `null`.
## Get application
Action ID: `tools.okta_sdk.get_application`
Get an Okta application.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta application ID.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Okta expand expression.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Get factor
Action ID: `tools.okta_sdk.get_factor`
Get an Okta user factor.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta factor ID.
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Get group
Action ID: `tools.okta_sdk.get_group`
Get an Okta group.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta group ID.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## List applications
Action ID: `tools.okta_sdk.list_applications`
List Okta applications.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta pagination cursor.
Default: `null`.
Include VPN settings.
Default: `null`.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Okta expand expression.
Default: `null`.
Okta filter expression.
Default: `null`.
Include non-deleted applications.
Default: `null`.
Per-page item limit.
Default: `null`.
Search query.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Use Okta application-list optimization.
Default: `null`.
## List factors
Action ID: `tools.okta_sdk.list_factors`
List enrolled factors for an Okta user.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## List group applications
Action ID: `tools.okta_sdk.list_assigned_applications_for_group`
List applications assigned to an Okta group.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta group ID.
Okta pagination cursor.
Default: `null`.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Per-page item limit.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## List log events
Action ID: `tools.okta_sdk.list_log_events`
List Okta System Log events.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta pagination cursor.
Default: `null`.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Okta filter expression.
Default: `null`.
Per-page item limit.
Default: `null`.
Search query.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Lower time bound for log events.
Default: `null`.
Sort order, e.g. `ASCENDING` or `DESCENDING`.
Default: `null`.
Upper time bound for log events.
Default: `null`.
## Reactivate user
Action ID: `tools.okta_sdk.reactivate_user`
Reactivate an Okta user.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Send Okta lifecycle email.
Default: `null`.
## Replace group
Action ID: `tools.okta_sdk.replace_group`
Replace an Okta group.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta group body.
Okta group ID.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Replace user
Action ID: `tools.okta_sdk.replace_user`
Replace an Okta user profile and credentials.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user request body.
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
ETag value for conditional replace.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Apply Okta strict validation.
Default: `null`.
## Reset user factors
Action ID: `tools.okta_sdk.reset_factors`
Reset all enrolled factors for an Okta user.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Revoke user sessions
Action ID: `tools.okta_sdk.revoke_user_sessions`
Revoke active Okta sessions for a user.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Forget remembered devices.
Default: `null`.
Revoke OAuth tokens too.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Unenroll factor
Action ID: `tools.okta_sdk.unenroll_factor`
Unenroll an Okta user factor.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta factor ID.
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Remove recovery enrollment.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Unlock user
Action ID: `tools.okta_sdk.unlock_user`
Unlock an Okta user account.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
## Update user
Action ID: `tools.okta_sdk.update_user`
Partially update an Okta user profile and credentials.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta user request body.
Okta user ID or login.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
ETag value for conditional update.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Apply Okta strict validation.
Default: `null`.
## Verify factor
Action ID: `tools.okta_sdk.verify_factor`
Verify an Okta user factor.
Reference: [https://github.com/okta/okta-sdk-python](https://github.com/okta/okta-sdk-python)
### Secrets
Optional secrets:
* `okta`: optional values `OKTA_BASE_URL`, `OKTA_API_TOKEN`, `OKTA_ACCESS_TOKEN`, `OKTA_SERVICE_TOKEN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY`, `OKTA_SCOPES`, `OKTA_KID`, `OKTA_DPOP_ENABLED`, `OKTA_DPOP_KEY_ROTATION_INTERVAL`.
* `okta_oauth`: OAuth token `OKTA_SERVICE_TOKEN`.
### Input fields
Okta factor ID.
Okta user ID or login.
Accept-Language header value.
Default: `null`.
Auth mode.
Default: `"auto"`.
Okta org URL. Defaults to `OKTA_BASE_URL`.
Default: `null`.
Okta verify factor request body.
Default: `null`.
OAuth scopes for private-key auth.
Default: `null`.
Okta template ID.
Default: `null`.
Token lifetime in seconds.
Default: `null`.
User-Agent header value.
Default: `null`.
X-Forwarded-For header value.
Default: `null`.
# PagerDuty
Source: https://docs.tracecat.com/tools/pagerduty
Reference for the Tracecat PagerDuty integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Acknowledge event
Action ID: `tools.pagerduty.acknowledge_event`
Resolves an existing event in PagerDuty
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Input fields
Identifies the alert
The GUID of one of your Events API V2 integrations. This is the "Integration Key" listed on the Events API V2 integration's detail page.
## Get all schedules
Action ID: `tools.pagerduty.get_all_schedules`
Get all the on-call schedules.
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Secrets
Required secrets:
* `pagerduty`: required values `PAGERDUTY_API_KEY`.
### Input fields
Filters the result, showing only the records whose name matches the query.
Default: `null`.
## Get contact methods
Action ID: `tools.pagerduty.get_contact_methods`
Get contact methods in PagerDuty.
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Secrets
Required secrets:
* `pagerduty`: required values `PAGERDUTY_API_KEY`.
### Input fields
The ID of the user.
## Get incident data
Action ID: `tools.pagerduty.get_incident_data`
Show detailed information about an incident.
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Secrets
Required secrets:
* `pagerduty`: required values `PAGERDUTY_API_KEY`.
### Input fields
The ID of the incident.
## Get incidents
Action ID: `tools.pagerduty.get_incidents`
List existing incidents.
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Secrets
Required secrets:
* `pagerduty`: required values `PAGERDUTY_API_KEY`.
### Input fields
Incident de-duplication key.
Default: `null`.
The start of the date range over which you want to search. Maximum range is 6 months and default is 1 month.
Default: `null`.
Filter incidents by status.
Default: `null`.
The end of the date range over which you want to search. Maximum range is 6 months and default is 1 month.
Default: `null`.
## Get user notification rules
Action ID: `tools.pagerduty.get_user_notification_rules`
Get the notification rules of a PagerDuty user.
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Secrets
Required secrets:
* `pagerduty`: required values `PAGERDUTY_API_KEY`.
### Input fields
The ID of the user.
## Get users on-call
Action ID: `tools.pagerduty.get_users_on_call`
Get the users on-call.
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Secrets
Required secrets:
* `pagerduty`: required values `PAGERDUTY_API_KEY`.
### Input fields
The ID of the schedule(s).
The start of the time range over which you want to search. Defaults to current time.
Default: `null`.
The end of the time range over which you want to search. Defaults to current time.
Default: `null`.
## Resolve event
Action ID: `tools.pagerduty.resolve_event`
Resolves an existing event in PagerDuty
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Input fields
Identifies the alert
The GUID of one of your Events API V2 integrations. This is the "Integration Key" listed on the Events API V2 integration's detail page.
## Trigger event
Action ID: `tools.pagerduty.trigger_event`
Trigger event to report a new problem
Reference: [https://developer.pagerduty.com/api-reference](https://developer.pagerduty.com/api-reference)
### Input fields
The GUID of one of your Events API V2 integrations. This is the "Integration Key" listed on the Events API V2 integration's detail page.
The perceived severity of the status the event is describing withrespect to the affected system.
Allowed values: `critical`, `warning`, `error`, `info`.
The unique location of the affected system, preferably a hostname or FQDN.
A brief text summary of the event, used to generate the summaries/titles of any associated alerts.
The class/type of the event.
Default: `""`.
Component of the source machine that is responsible for the event.
Default: `""`.
Logical grouping of components of a service.
Default: `""`.
Incident de-duplication key.
Default: `null`.
# Panther
Source: https://docs.tracecat.com/tools/panther
Reference for the Tracecat Panther integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Bulk update Panther alerts
Action ID: `tools.panther.bulk_update_alerts`
Update multiple Panther alerts at once.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
List of alert IDs to update.
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
User ID to assign the alerts to.
Default: `null`.
New status for the alerts.
Default: `null`.
## Create Panther query
Action ID: `tools.panther.create_query`
Create a new saved query in Panther.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
Name of the saved query.
SQL query to save. Must be valid SQL, not PantherFlow.
Description of the query.
Default: `null`.
Schedule configuration for the query.
Default: `null`.
## Delete Panther query
Action ID: `tools.panther.delete_query`
Delete a saved query from Panther.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
The unique identifier of the saved query.
## Execute Panther query
Action ID: `tools.panther.execute_query`
Execute a saved query in Panther.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
The unique identifier of the saved query.
Parameters to pass to the query.
Default: `null`.
## Get Panther alert
Action ID: `tools.panther.get_alert`
Get a single alert from Panther by ID.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
The unique identifier of the alert.
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
## Get Panther query
Action ID: `tools.panther.get_query`
Get a saved query from Panther by ID.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
The unique identifier of the saved query.
## List Panther alerts
Action ID: `tools.panther.list_alerts`
List alerts from Panther with optional filters.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
Pagination cursor for next page.
Default: `null`.
Maximum number of alerts to return.
Default: `null`.
Filter by alert severity.
Default: `null`.
Filter by alert status.
Default: `null`.
## List Panther queries
Action ID: `tools.panther.list_queries`
List saved queries from Panther.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
Pagination cursor for next page.
Default: `null`.
Maximum number of queries to return.
Default: `null`.
## Update Panther alert
Action ID: `tools.panther.update_alert`
Update a Panther alert's status or assignee.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
The unique identifier of the alert.
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
User ID to assign the alert to.
Default: `null`.
New status for the alert.
Default: `null`.
## Update Panther query
Action ID: `tools.panther.update_query`
Update a saved query in Panther.
### Secrets
Required secrets:
* `panther`: required values `PANTHER_API_KEY`.
### Input fields
Panther API URL (e.g. [https://api.runpanther.net](https://api.runpanther.net)).
The unique identifier of the saved query.
New description for the query.
Default: `null`.
New name for the query.
Default: `null`.
New schedule configuration for the query.
Default: `null`.
New SQL query. Must be valid SQL.
Default: `null`.
# PhishLabs
Source: https://docs.tracecat.com/tools/phishlabs
Reference for the Tracecat PhishLabs integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get case data
Action ID: `tools.phishlabs.get_case_data`
Get PhishLabs case API data.
Reference: [https://caseapi.phishlabs.com/v1/data/docs/](https://caseapi.phishlabs.com/v1/data/docs/)
### Secrets
Required secrets:
* `phishlabs`: required values `PL_USERNAME`, `PL_PASSWORD`.
### Input fields
Filter cases based on the case status. Default is "Pending Input".
Default: `[
"Pending Input"
]`.
Filter cases by case type.
Default: `[]`.
Maximum number of cases to return. Default is 100, minimum is 20, maximum is 200.
Default: `100`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get feed data
Action ID: `tools.phishlabs.get_feed_data`
Get PhishLabs feed API data.
Reference: [https://feed.phishlabs.com/redoc#operation/Feed\_GetBAFeed](https://feed.phishlabs.com/redoc#operation/Feed_GetBAFeed)
### Secrets
Required secrets:
* `phishlabs`: required values `PL_CUSTOMER_ID`, `PL_USERNAME`, `PL_PASSWORD`.
### Input fields
The start date of date range (date and time). eg. 2023-01-01 10:00.
Default: `null`.
Include the integer that maps to the type of incident you want returned. Default is 0.
Default: `0`.
The status of the incident as it appears in the Web App. Default is "Requires Input".
Default: `"Requires Input"`.
The end date of date range (date and time). eg. 2023-01-07 10:00.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Get threat intel data
Action ID: `tools.phishlabs.get_threat_data`
Get PhishLabs Threat Intel API data.
Reference: [https://threatintel.phishlabs.com/redoc/incidentexternalapi](https://threatintel.phishlabs.com/redoc/incidentexternalapi)
### Secrets
Required secrets:
* `phishlabs`: required values `PL_CLIENT_ID`, `PL_CLIENT_SECRET`.
### Input fields
The severity of incidents to be returned. 'Low', 'Medium', 'High'
Default: `[]`.
The status code(s) of the incident.
Default: `[
"RequiresInput",
"RequiresApproval"
]`.
The type of Incident to be returned. 'SocialMedia' or 'DarkWeb'
Default: `null`.
The number of records to return per page.
Default: `200`.
The type of Threats to be returned. Threat Types ending with "SM" are Social Media, "DW" are Dark Web.
Default: `[]`.
# PyMongo
Source: https://docs.tracecat.com/tools/pymongo
Reference for the Tracecat PyMongo integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Execute operation
Action ID: `tools.pymongo.execute_operation`
Instantiate a PyMongo client and execute an operation on a Collection object.
Reference: [https://pymongo.readthedocs.io/en/stable/api/pymongo/asynchronous/collection.html](https://pymongo.readthedocs.io/en/stable/api/pymongo/asynchronous/collection.html)
### Secrets
Required secrets:
* `mongodb`: required values `MONGODB_CONNECTION_STRING`.
### Input fields
Collection to operate on
Database to operate on
Operation to perform on the Collection, e.g. 'find', 'insert\_one'.
Parameters for the operation
Default: `null`.
# Rootly
Source: https://docs.tracecat.com/tools/rootly
Reference for the Tracecat Rootly integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create alert
Action ID: `tools.rootly.create_alert`
Creates a new alert from provided data.
Reference: [https://docs.rootly.com/api-reference/alerts/creates-an-alert](https://docs.rootly.com/api-reference/alerts/creates-an-alert)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
Alert data attributes
Default: `null`.
## Create incident
Action ID: `tools.rootly.create_incident`
Creates a new incident from provided data.
Reference: [https://docs.rootly.com/api-reference/incidents/creates-an-incident](https://docs.rootly.com/api-reference/incidents/creates-an-incident)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
Incident data attributes
Default: `null`.
## Get alert
Action ID: `tools.rootly.get_alert`
Retrieves a specific alert by id.
Reference: [https://docs.rootly.com/api-reference/alerts/retrieves-an-alert](https://docs.rootly.com/api-reference/alerts/retrieves-an-alert)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
The ID of the alert.
Include additional data. Comma separated if needed (e.g. environments,services,groups)
Default: `null`.
## Get incident
Action ID: `tools.rootly.get_incident`
Retrieves a specific incident by id.
Reference: [https://docs.rootly.com/api-reference/incidents/retrieves-an-incident](https://docs.rootly.com/api-reference/incidents/retrieves-an-incident)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
The ID of the incident.
Include additional data. Comma separated if needed (e.g. sub\_statuses,causes,subscribers)
Default: `null`.
## List alerts
Action ID: `tools.rootly.list_alerts`
List alerts.
Reference: [https://docs.rootly.com/api-reference/alerts/list-alerts](https://docs.rootly.com/api-reference/alerts/list-alerts)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
Include additional data. Comma separated if needed (e.g. environments,services,groups)
Default: `null`.
Page number.
Default: `null`.
Page size.
Default: `null`.
Filter by status (e.g. triggered, acknowledged, resolved)
Default: `null`.
## List incidents
Action ID: `tools.rootly.list_incidents`
List incidents.
Reference: [https://docs.rootly.com/api-reference/incidents/list-incidents](https://docs.rootly.com/api-reference/incidents/list-incidents)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
Include additional data. Comma separated if needed (e.g. sub\_statuses,causes,subscribers)
Default: `null`.
Page number.
Default: `null`.
Page size.
Default: `null`.
Filter by severity (e.g. not-sure-yet, sev4-minor-issue)
Default: `null`.
Filter by status (e.g. started, mitigated, resolved)
Default: `null`.
## List incidents alerts
Action ID: `tools.rootly.list_incident_alerts`
List incidents alerts.
Reference: [https://docs.rootly.com/api-reference/alerts/list-incident-alerts](https://docs.rootly.com/api-reference/alerts/list-incident-alerts)
### Secrets
Required secrets:
* `rootly`: required values `ROOTLY_API_KEY`.
### Input fields
The ID of the incident.
Include additional data. Comma separated if needed (e.g. environments,services,groups)
Default: `null`.
# RunReveal MCP
Source: https://docs.tracecat.com/tools/runreveal
Reference for the Tracecat RunReveal MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## RunReveal MCP
Action ID: `tools.runreveal.mcp`
Use AI to interact with RunReveal.
Reference: [https://docs.runreveal.com/ai-chat/model-context-protocol](https://docs.runreveal.com/ai-chat/model-context-protocol)
### Secrets
Required secrets:
* `runreveal_mcp_oauth`: OAuth token `RUNREVEAL_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
# SentinelOne
Source: https://docs.tracecat.com/tools/sentinel_one
Reference for the Tracecat SentinelOne integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Abort scan
Action ID: `tools.sentinel_one.abort_scan`
Abort a running scan on SentinelOne agents.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
ID of the agent/device to abort scan on.
SentinelOne tenant URL.
Default: `null`.
## Disable agent
Action ID: `tools.sentinel_one.disable_agent`
Disable a SentinelOne agent.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
ID of the agent to disable.
SentinelOne tenant URL.
Default: `null`.
Whether the agent should reboot after disabling.
Default: `false`.
## Enable agent
Action ID: `tools.sentinel_one.enable_agent`
Enable a SentinelOne agent.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
ID of the agent to enable.
SentinelOne tenant URL.
Default: `null`.
Whether the agent should reboot after enabling.
Default: `false`.
## Initiate scan
Action ID: `tools.sentinel_one.initiate_scan`
Initiate a scan on SentinelOne agents.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
ID of the agent/device to scan.
SentinelOne tenant URL.
Default: `null`.
## Isolate endpoint
Action ID: `tools.sentinel_one.disconnect_device`
Disconnect a SentinelOne agent from the network.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
ID of the endpoint/agent to disconnect.
SentinelOne tenant URL.
Default: `null`.
## List agent IDs
Action ID: `tools.sentinel_one.list_agent_ids`
Get a simple list of SentinelOne agent IDs.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `1000`.
## List alerts
Action ID: `tools.sentinel_one.list_alerts`
Query for SentinelOne alerts.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
SentinelOne tenant URL.
Default: `null`.
Maximum number of alerts to return.
Default: `100`.
SentinelOne search query.
Default: `null`.
## List threats
Action ID: `tools.sentinel_one.list_threats`
Query for SentinelOne threats.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
End time for the query (exclusive).
Start time for the query (inclusive).
SentinelOne tenant URL.
Default: `null`.
Maximum number of alerts to return.
Default: `100`.
SentinelOne search query.
Default: `null`.
## Lookup agents by account ID
Action ID: `tools.sentinel_one.lookup_agent_account_id`
Find all SentinelOne agents in a specific account.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
Account ID to filter agents by.
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `100`.
## Lookup agents by email
Action ID: `tools.sentinel_one.lookup_agent_email`
Find all SentinelOne agents associated with a user email address.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
Email address to search for in agent user fields.
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `100`.
## Lookup agents by file hash
Action ID: `tools.sentinel_one.lookup_agent_hash`
Find all SentinelOne agents that have encountered threats with a specific file hash.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
File hash (MD5, SHA1, SHA256) to search for in agent threats.
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `100`.
## Lookup agents by group ID
Action ID: `tools.sentinel_one.lookup_agent_groupid`
Find all SentinelOne agents in a specific group.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
Group ID to filter agents by.
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `100`.
## Lookup agents by hostname
Action ID: `tools.sentinel_one.lookup_agent_hostname`
Find all SentinelOne agents by hostname/computer name.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
Hostname/computer name to search for (supports partial matches).
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `100`.
## Lookup agents by IP address
Action ID: `tools.sentinel_one.lookup_agent_ip`
Find all SentinelOne agents by IP address (external IP, network interface, or gateway).
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
IP address to search for (supports partial matches).
SentinelOne tenant URL.
Default: `null`.
The maximum number of agents to return.
Default: `100`.
## Lookup agents by MAC address
Action ID: `tools.sentinel_one.lookup_agent_mac_address`
Find all SentinelOne agents by MAC address (network interface physical address or gateway MAC).
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
MAC address to search for (supports partial matches, e.g., "aa:0f" or "41:")
SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net))
Default: `null`.
Maximum number of agents to return (1-1000)
Default: `100`.
Whether to also search gateway MAC addresses
Default: `false`.
## Lookup agents by machine type
Action ID: `tools.sentinel_one.lookup_agent_machine_type`
Find all SentinelOne agents filtered by machine type (laptop, desktop, server, etc.).
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
Machine types to include (e.g., laptop, desktop, server)
SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net))
Default: `null`.
Machine types to exclude (optional)
Default: `[]`.
Maximum number of agents to return (1-1000)
Default: `100`.
## Lookup agents by operating system
Action ID: `tools.sentinel_one.lookup_agent_os`
Find all SentinelOne agents filtered by operating system type, name, revision, and version information.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
OS types to include (e.g., windows, linux, macos, windows\_legacy)
SentinelOne console base URL (e.g., [https://your-tenant.sentinelone.net](https://your-tenant.sentinelone.net))
Default: `null`.
Maximum number of agents to return (1-1000)
Default: `100`.
Free-text filter by OS full name (optional)
Default: `""`.
OS revision filter (optional)
Default: `""`.
Free-text filter by OS full name and version (supports multiple values)
Default: `[]`.
## Unisolate endpoint
Action ID: `tools.sentinel_one.connect_to_network`
Connect a SentinelOne agent to the network.
Reference: [https://github.com/Sentinel-One/purple-mcp](https://github.com/Sentinel-One/purple-mcp)
### Secrets
Required secrets:
* `sentinel_one`: required values `SENTINEL_ONE_API_TOKEN`.
### Input fields
ID of the endpoint/agent to connect.
SentinelOne tenant URL.
Default: `null`.
# Sentry MCP
Source: https://docs.tracecat.com/tools/sentry
Reference for the Tracecat Sentry MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Sentry MCP
Action ID: `tools.sentry.mcp`
Use AI to interact with Sentry.
Reference: [https://docs.sentry.io/ai/mcp/](https://docs.sentry.io/ai/mcp/)
### Secrets
Required secrets:
* `sentry_mcp_oauth`: OAuth token `SENTRY_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
# ServiceNow
Source: https://docs.tracecat.com/tools/servicenow
Reference for the Tracecat ServiceNow integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create ServiceNow record
Action ID: `tools.servicenow.create_record`
Create a record in a ServiceNow table.
Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html)
### Secrets
Required secrets:
* `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`.
### Input fields
Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now).
JSON payload for the new record.
ServiceNow table name, e.g. 'incident', 'sys\_user'.
Optional query parameters such as sysparm\_display\_value.
Default: `null`.
## Delete ServiceNow record
Action ID: `tools.servicenow.delete_record`
Delete a ServiceNow table record by sys\_id.
Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html)
### Secrets
Required secrets:
* `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`.
### Input fields
Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now).
Unique record identifier (sys\_id).
ServiceNow table name, e.g. 'incident', 'sys\_user'.
Optional query parameters such as sysparm\_display\_value.
Default: `null`.
## Get ServiceNow record
Action ID: `tools.servicenow.get_record`
Retrieve a record from a ServiceNow table by sys\_id.
Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html)
### Secrets
Required secrets:
* `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`.
### Input fields
Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now).
Unique record identifier (sys\_id).
ServiceNow table name, e.g. 'incident', 'sys\_user'.
Optional query parameters such as sysparm\_fields or sysparm\_display\_value.
Default: `null`.
## Query ServiceNow records
Action ID: `tools.servicenow.query_records`
Query a ServiceNow table with optional filters.
Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html)
### Secrets
Required secrets:
* `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`.
### Input fields
Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now).
ServiceNow table name, e.g. 'incident', 'sys\_user'.
Optional query parameters such as sysparm\_query, sysparm\_fields, or sysparm\_limit.
Default: `null`.
## Update ServiceNow record
Action ID: `tools.servicenow.update_record`
Update fields on a ServiceNow table record.
Reference: [https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html](https://www.servicenow.com/docs/bundle/zurich-api-reference/page/build/applications/concept/api-rest.html)
### Secrets
Required secrets:
* `servicenow_oauth`: OAuth token `SERVICENOW_SERVICE_TOKEN`.
### Input fields
Base API URL, e.g. [https://example.service-now.com/api/now](https://example.service-now.com/api/now).
Fields to update on the record.
Unique record identifier (sys\_id).
ServiceNow table name, e.g. 'incident', 'sys\_user'.
Optional query parameters such as sysparm\_display\_value.
Default: `null`.
# Slack
Source: https://docs.tracecat.com/tools/slack
Reference for the Tracecat Slack integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add reaction
Action ID: `tools.slack.add_reaction`
Add a reaction to a message in a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/reactions.add/](https://docs.slack.dev/reference/methods/reactions.add/)
### Input fields
ID of the channel to add the reaction to.
Name of the reaction to add.
Timestamp of the message to add the reaction to.
## Append stream
Action ID: `tools.slack.append_stream`
Append text or chunks to an existing Slack streaming message.
Reference: [https://docs.slack.dev/reference/methods/chat.appendStream/](https://docs.slack.dev/reference/methods/chat.appendStream/)
### Input fields
ID of the channel containing the streaming message.
Timestamp of the streaming message.
Streaming chunks, such as markdown\_text, task\_update, plan\_update, or blocks chunks.
Default: `null`.
Markdown-formatted text to append to the stream.
Default: `null`.
## Archive channel
Action ID: `tools.slack.archive_channel`
Archive a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.archive/](https://docs.slack.dev/reference/methods/conversations.archive/)
### Input fields
ID of the channel to archive.
## Assistant search context
Action ID: `tools.slack.assistant_search_context`
Search Slack messages, files, channels, and users for AI assistant context.
Reference: [https://docs.slack.dev/reference/methods/assistant.search.context/](https://docs.slack.dev/reference/methods/assistant.search.context/)
### Input fields
Action token from a Slack assistant message event.
User prompt or search query.
UNIX timestamp filter for results after this time.
Default: `null`.
UNIX timestamp filter for results before this time.
Default: `null`.
Slack channel types to search.
Default: `[
"public_channel"
]`.
Slack content types to include in search results.
Default: `[
"messages"
]`.
Context channel ID to scope the search when applicable.
Default: `null`.
Cursor returned by Slack for the next page of results.
Default: `null`.
Whether to disable semantic search and use keyword search only.
Default: `false`.
Whether to highlight the search query in results.
Default: `false`.
Whether to include archived channels in search results.
Default: `false`.
Whether to include bot-authored results.
Default: `false`.
Whether to include context messages around message results.
Default: `false`.
Whether to include deleted users in user search results.
Default: `false`.
Whether to include message blocks in the response.
Default: `false`.
Number of results to return, up to a maximum of 20.
Default: `20`.
Slack search modifiers, such as has:pin before:yesterday.
Default: `null`.
Field to sort results by. Supported values are score and timestamp.
Default: `"score"`.
Direction to sort results by. Supported values are asc and desc.
Default: `"desc"`.
Term clauses that every returned search result should match.
Default: `[]`.
## Assistant search info
Action ID: `tools.slack.assistant_search_info`
Return Slack assistant search capabilities for the workspace.
Reference: [https://docs.slack.dev/reference/methods/assistant.search.info/](https://docs.slack.dev/reference/methods/assistant.search.info/)
### Input fields
This action does not take input fields.
## Create channel
Action ID: `tools.slack.create_channel`
Create a new Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.create/](https://docs.slack.dev/reference/methods/conversations.create/)
### Input fields
Name of the channel to create.
Whether the channel is private.
Default: `false`.
## Delete message
Action ID: `tools.slack.delete_message`
Delete a message from a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/chat.delete/](https://docs.slack.dev/reference/methods/chat.delete/)
### Input fields
ID of the channel to delete the message from.
Timestamp of the message to delete.
## Get reactions
Action ID: `tools.slack.get_reactions`
Get reactions to a message.
Reference: [https://docs.slack.dev/reference/methods/reactions.get/](https://docs.slack.dev/reference/methods/reactions.get/)
### Input fields
The channel to get reactions from.
The timestamp of the message to get reactions from.
## Get user profile
Action ID: `tools.slack.get_profile`
Get a user's profile.
Reference: [https://docs.slack.dev/reference/methods/users.profile.get/](https://docs.slack.dev/reference/methods/users.profile.get/)
### Input fields
ID of the user to get the profile of.
## Invite members to channel
Action ID: `tools.slack.invite_members`
Invite members to a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.invite/](https://docs.slack.dev/reference/methods/conversations.invite/)
### Input fields
ID of the channel to invite members to.
List of user IDs to invite to the channel.
## Kick member
Action ID: `tools.slack.kick_member`
Kick a member from a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.kick/](https://docs.slack.dev/reference/methods/conversations.kick/)
### Input fields
ID of the channel to kick members from.
ID of the user to kick from the channel.
## List channels
Action ID: `tools.slack.list_channels`
List all channels.
Reference: [https://docs.slack.dev/reference/methods/conversations.list/](https://docs.slack.dev/reference/methods/conversations.list/)
### Input fields
Whether to exclude archived channels from the list.
Default: `false`.
Maximum number of channels to return.
Default: `100`.
Types of channels to return.
Default: `[
"public_channel",
"private_channel"
]`.
## List conversation replies
Action ID: `tools.slack.list_replies`
List replies to a conversation in a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.replies/](https://docs.slack.dev/reference/methods/conversations.replies/)
### Input fields
ID of the channel to list replies from.
Timestamp of the thread's parent message or message in the thread to list replies from. Also known as `thread_ts` in some Slack responses.
## List members
Action ID: `tools.slack.list_members`
List members of a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.members/](https://docs.slack.dev/reference/methods/conversations.members/)
### Input fields
ID of the channel to list members of.
Maximum number of members to return.
Default: `100`.
## List messages
Action ID: `tools.slack.list_messages`
List messages from a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.history/](https://docs.slack.dev/reference/methods/conversations.history/)
### Input fields
ID of the channel to list messages from.
Unix timestamp of the latest message to return.
Default: `null`.
Maximum number of messages to return.
Default: `100`.
Unix timestamp of the oldest message to return.
Default: `null`.
## List users
Action ID: `tools.slack.list_users`
List users in a Slack workspace.
Reference: [https://docs.slack.dev/reference/methods/users.list/](https://docs.slack.dev/reference/methods/users.list/)
### Input fields
Whether to include the locale in the response.
Default: `false`.
The maximum number of users to return.
Default: `100`.
## Lookup many users by email
Action ID: `tools.slack.lookup_users_by_email`
Lookup users by emails. Returns a list of users found and a list of users not found.
Reference: [https://docs.slack.dev/reference/methods/users.lookupByEmail/](https://docs.slack.dev/reference/methods/users.lookupByEmail/)
### Secrets
Required secrets:
* `slack`: required values `SLACK_BOT_TOKEN`.
### Input fields
List of user emails.
## Lookup user by email
Action ID: `tools.slack.lookup_user_by_email`
Get a Slack user by email.
Reference: [https://docs.slack.dev/reference/methods/users.lookupByEmail/](https://docs.slack.dev/reference/methods/users.lookupByEmail/)
### Input fields
Email of an existing user.
## Open view
Action ID: `tools.slack.open_view`
Open a view. Used to create a pop up modal.
Reference: [https://docs.slack.dev/reference/methods/views.open/](https://docs.slack.dev/reference/methods/views.open/)
### Input fields
Trigger ID from a Slack interaction payload. See: [https://docs.slack.dev/reference/interaction-payloads/block\_actions-payload/](https://docs.slack.dev/reference/interaction-payloads/block_actions-payload/)
View payload for the modal to open. See: [https://docs.slack.dev/reference/views/modal-views/](https://docs.slack.dev/reference/views/modal-views/)
## Post ephemeral message
Action ID: `tools.slack.post_ephemeral`
Send an ephemeral Slack message to a user in a channel.
Reference: [https://docs.slack.dev/reference/methods/chat.postEphemeral/](https://docs.slack.dev/reference/methods/chat.postEphemeral/)
### Input fields
Channel, private group, or IM channel to send the ephemeral message to.
ID of the user who will receive the ephemeral message.
Legacy option to post the message as the authenticated user.
Default: `null`.
List of JSON-based attachments.
Default: `null`.
List of JSON-based blocks.
Default: `null`.
Emoji to use as the icon for this message.
Default: `null`.
URL to an image to use as the icon for this message.
Default: `null`.
Whether Slack should find and link channel names and usernames.
Default: `false`.
Markdown-formatted message text. Do not use with blocks or text.
Default: `null`.
How Slack should parse message text.
Default: `null`.
Message text. Used as fallback text when blocks are provided.
Default: `null`.
Parent message timestamp for posting the ephemeral message in a thread.
Default: `null`.
Bot username to display.
Default: `null`.
## Post message
Action ID: `tools.slack.post_message`
Post a message to a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/chat.postMessage/](https://docs.slack.dev/reference/methods/chat.postMessage/)
### Input fields
The channel to post the message to.
List of JSON-based blocks.
Default: `null`.
The text to post to Slack, in Markdown format.
Default: `null`.
The message to post to Slack.
Default: `null`.
The timestamp of the thread to reply to.
Default: `null`.
Whether to unfurl links in the message.
Default: `true`.
Whether to unfurl media in the message.
Default: `false`.
## Remove reaction
Action ID: `tools.slack.remove_reaction`
Remove a reaction from a message in a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/reactions.remove/](https://docs.slack.dev/reference/methods/reactions.remove/)
### Input fields
ID of the channel to remove the reaction from.
Name of the reaction to remove.
Timestamp of the message to remove the reaction from.
## Revoke sessions
Action ID: `tools.slack.revoke_sessions`
Revoke all sessions on all devices for a Slack user.
Reference: [https://docs.slack.dev/reference/methods/admin.users.session.reset/](https://docs.slack.dev/reference/methods/admin.users.session.reset/)
### Input fields
ID of an existing user.
## Search messages
Action ID: `tools.slack.search_messages`
Search for messages matching a query in a Slack workspace.
Reference: [https://docs.slack.dev/reference/methods/search.messages/](https://docs.slack.dev/reference/methods/search.messages/)
### Secrets
Required secrets:
* `slack_oauth`: OAuth token `SLACK_USER_TOKEN`.
### Input fields
Search query. To search within a channel / specific user, add `in:channel_name` / `from:<@user_id>` to the query.
Number of messages to return.
Default: `20`.
For the first call send '\*', for subsequent calls send the value of `next_cursor` from the previous call.
Default: `null`.
Sort by score or timestamp.
Default: `"score"`.
Allowed values: `score`, `timestamp`.
## Set assistant thread status
Action ID: `tools.slack.set_assistant_thread_status`
Set the status for a Slack AI assistant thread.
Reference: [https://docs.slack.dev/reference/methods/assistant.threads.setStatus/](https://docs.slack.dev/reference/methods/assistant.threads.setStatus/)
### Input fields
Channel ID containing the assistant thread.
Status to display for the bot user. Use an empty string to clear it.
Message timestamp of the assistant thread.
Emoji to use as the icon for this message.
Default: `null`.
Image URL to use as the icon for this message.
Default: `null`.
Loading indicator messages to rotate through, up to 10 messages.
Default: `[]`.
Bot username to display.
Default: `null`.
## Set assistant thread suggested prompts
Action ID: `tools.slack.set_assistant_thread_suggested_prompts`
Set suggested prompts for a Slack AI assistant thread.
Reference: [https://docs.slack.dev/reference/methods/assistant.threads.setSuggestedPrompts/](https://docs.slack.dev/reference/methods/assistant.threads.setSuggestedPrompts/)
### Input fields
Channel ID containing the assistant thread.
Suggested prompts, each with title and message attributes.
Message timestamp of the assistant thread.
Optional title for the suggested prompts list.
Default: `null`.
## Set assistant thread title
Action ID: `tools.slack.set_assistant_thread_title`
Set the title for a Slack AI assistant thread.
Reference: [https://docs.slack.dev/reference/methods/assistant.threads.setTitle/](https://docs.slack.dev/reference/methods/assistant.threads.setTitle/)
### Input fields
Channel ID containing the assistant thread.
Message timestamp of the assistant thread.
Title to use for the assistant thread.
## Set channel description
Action ID: `tools.slack.set_channel_description`
Set the description of a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.setPurpose/](https://docs.slack.dev/reference/methods/conversations.setPurpose/)
### Input fields
The ID of the channel to set the description for.
The description to set for the channel.
## Set channel topic
Action ID: `tools.slack.set_channel_topic`
Set the topic of a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/conversations.setTopic/](https://docs.slack.dev/reference/methods/conversations.setTopic/)
### Input fields
The ID of the channel to set the topic for.
The topic to set for the channel.
## Start stream
Action ID: `tools.slack.start_stream`
Start a new Slack streaming message in a thread.
Reference: [https://docs.slack.dev/reference/methods/chat.startStream/](https://docs.slack.dev/reference/methods/chat.startStream/)
### Input fields
ID of the channel, private group, or DM for the stream.
Parent message timestamp to reply to with the stream.
Initial streaming chunks, such as markdown\_text, task\_update, plan\_update, or blocks chunks.
Default: `null`.
Emoji to use as the icon for this message.
Default: `null`.
URL to an image to use as the icon for this message.
Default: `null`.
Initial markdown-formatted text for the stream.
Default: `null`.
ID of the recipient user's team. Required by Slack when streaming to channels.
Default: `null`.
ID of the user receiving the stream. Required by Slack when streaming to channels.
Default: `null`.
How task chunks are displayed. Accepts timeline, plan, or dense.
Default: `null`.
Bot username to display.
Default: `null`.
## Stop stream
Action ID: `tools.slack.stop_stream`
Stop and finalize a Slack streaming message.
Reference: [https://docs.slack.dev/reference/methods/chat.stopStream/](https://docs.slack.dev/reference/methods/chat.stopStream/)
### Input fields
ID of the channel containing the streaming message.
Timestamp of the streaming message.
Blocks rendered at the bottom of the finalized message.
Default: `null`.
Final streaming chunks, such as markdown\_text, task\_update, plan\_update, or blocks chunks.
Default: `null`.
Final markdown-formatted text to append before stopping the stream.
Default: `null`.
Slack message metadata with event\_type and event\_payload fields.
Default: `null`.
## Update message
Action ID: `tools.slack.update_message`
Update a message in a Slack channel.
Reference: [https://docs.slack.dev/reference/methods/chat.update/](https://docs.slack.dev/reference/methods/chat.update/)
### Input fields
ID of the channel to update the message in.
Timestamp of the message to update.
List of JSON-based blocks.
Default: `null`.
The text to update the message with, in Markdown format.
Default: `null`.
New text for the message.
Default: `null`.
## Update view
Action ID: `tools.slack.update_view`
Update a view. Used to update a pop up modal.
Reference: [https://docs.slack.dev/reference/methods/views.update/](https://docs.slack.dev/reference/methods/views.update/)
### Input fields
Updated view payload for the modal. See: [https://docs.slack.dev/reference/views/modal-views/](https://docs.slack.dev/reference/views/modal-views/)
ID of the view to update.
# Slack SDK
Source: https://docs.tracecat.com/tools/slack_sdk
Reference for the Tracecat Slack SDK integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Call method
Action ID: `tools.slack_sdk.call_method`
Instantiate a Slack client and call a Slack SDK or Web API method.
Reference: [https://docs.slack.dev/reference/methods](https://docs.slack.dev/reference/methods)
### Secrets
Required secrets:
* `slack`: required values `SLACK_BOT_TOKEN`.
### Input fields
Slack Python SDK method name or Web API method name (e.g. `chat_postMessage` or `chat.postMessage`)
Slack Python SDK method parameters
Default: `null`.
## Call paginated method
Action ID: `tools.slack_sdk.call_paginated_method`
Instantiate a Slack client and call a paginated Slack SDK method.
Reference: [https://docs.slack.dev/apis/web-api/pagination#methods](https://docs.slack.dev/apis/web-api/pagination#methods)
### Secrets
Required secrets:
* `slack`: required values `SLACK_BOT_TOKEN`.
### Input fields
Slack Python SDK method name that supports cursor pagination (e.g. `conversations_history`)
Key to extract from the response.
Default: `null`.
Maximum number of items to retrieve. Must be less than 1000
Default: `200`.
Slack Python SDK method parameters
Default: `null`.
## Post response
Action ID: `tools.slack_sdk.post_response`
Post messsage back to Slack interaction via `response_url`.
Reference: [https://docs.slack.dev/interactivity/handling-user-interaction#message\_responses](https://docs.slack.dev/interactivity/handling-user-interaction#message_responses)
### Input fields
Webhook URL.
Blocks to send to the webhook.
Default: `null`.
Whether to replace the original message.
Default: `false`.
Response type. Defaults to `ephemeral`.
Default: `"ephemeral"`.
Allowed values: `in_channel`, `ephemeral`.
Text to send to the webhook.
Default: `null`.
Thread timestamp. If None, defaults to the current timestamp.
Default: `null`.
# Splunk
Source: https://docs.tracecat.com/tools/splunk
Reference for the Tracecat Splunk integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Add fields to collection
Action ID: `tools.splunk.add_kv_fields`
Add field definitions to a KV Store collection in Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection to add fields to. Must be unique and
contain only alphanumeric characters, underscores, and hyphens.
List of field definitions to add. Each field requires name and type.
Supported types: array, number, bool, string, cidr, time
Example: \[\{"name": "username", "type": "string"}, \{"name": "age", "type": "number"}]
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Batch save KV entries
Action ID: `tools.splunk.batch_save_kv_entries`
Insert or update multiple entries in a Splunk KV Store collection in a single request. If an entry includes a \_key that matches an existing document, it is updated; otherwise a new document is created. Processing stops on the first failure.
Reference: [https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16](https://help.splunk.com/en/splunk-cloud-platform/leverage-rest-apis/rest-api-reference/10.0.2503/kv-store-endpoints/kv-store-endpoint-descriptions#ariaid-title16)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection to save entries into.
List of documents to save. Each document is a dict of field-value pairs.
Include a \_key field to update an existing document; omit it to create a new one
(Splunk auto-generates the key). Maximum 1000 documents per request (Splunk default).
Example: \[\{"username": "john", "email": "[john@example.com](mailto:john@example.com)", "active": true}, \{"username": "jane", "email": "[jane@example.com](mailto:jane@example.com)", "active": false}]
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Create KV collection
Action ID: `tools.splunk.create_kv_collection`
Create a new KV Store collection in Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-9)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection. Must be unique and contain only
alphanumeric characters, underscores, and hyphens.
Splunk app context where the collection will be created (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Create KV entry
Action ID: `tools.splunk.create_kv_entry`
Create a new entry in a Splunk KV Store collection.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-2)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection where the entry will be created.
Key-value pairs to store in the collection. The \_key field is automatically
generated by Splunk if not provided.
Example: \{"username": "john", "email": "[john@example.com](mailto:john@example.com)", "active": true}
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Delete KV collection
Action ID: `tools.splunk.delete_kv_collection`
Delete a KV Store collection from Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-0)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection to delete.
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Delete KV entry
Action ID: `tools.splunk.delete_kv_entry`
Delete an entry from a KV Store collection in Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#delete-1)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection containing the entry.
The \_key value of the entry to delete from the collection.
Example: "5f3a1b2c3d4e5f6a7b8c9d0e"
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Discover fields
Action ID: `tools.splunk.discover_fields`
Discover fields in Splunk data using the fieldsummary command with statistics and sample values.
Reference: [https://help.splunk.com/en?resourceId=Splunk\_SearchReference\_Fieldsummary\&version=splunk-9\_4](https://help.splunk.com/en?resourceId=Splunk_SearchReference_Fieldsummary\&version=splunk-9_4)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
End time for the search.
Start time for the search.
Adhoc search level.
Default: `"fast"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)).
Default: `null`.
Index to search for fields. Use \* for all indexes.
Default: `"*"`.
Maximum number of fields to return.
Default: `100`.
Maximum number of sample values to return per field.
Default: `5`.
Whether to verify SSL certificates.
Default: `true`.
## Get KV collection
Action ID: `tools.splunk.get_kv_collection`
Get configuration details for a specific KV Store collection from Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-5)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection to retrieve.
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Get KV entry
Action ID: `tools.splunk.get_kv_entry`
Get a specific entry from a KV Store collection in Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-7)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection containing the entry.
The \_key value of the entry to retrieve from the collection.
Example: "5f3a1b2c3d4e5f6a7b8c9d0e"
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## List data models
Action ID: `tools.splunk.list_data_models`
List all data models on the Splunk server using native Splunk search.
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Adhoc search level.
Default: `"fast"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)).
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
## List field extractions
Action ID: `tools.splunk.list_field_extractions`
List all configured field extraction rules using a simple Splunk query.
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Adhoc search level.
Default: `"fast"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)).
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
## List indexes
Action ID: `tools.splunk.list_indexes`
List all indexes on the Splunk server using native Splunk search.
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Adhoc search level.
Default: `"fast"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)).
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
## List KV collections
Action ID: `tools.splunk.list_kv_collections`
List all KV Store collections in Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-4)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Splunk app context to list collections from (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Maximum number of collections to return.
Default: `100`.
Number of collections to skip for pagination.
Default: `0`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Search query to filter collections.
Example: "name=*whitelist*" to find collections with "whitelist" in the name.
Default: `""`.
Field to sort results by.
Default: `"_key"`.
How to sort values ("auto", "num", "alpha\_case", or "alpha").
Default: `"auto"`.
Sort order ("asc" or "desc").
Default: `"asc"`.
Return summarized response with fewer details for faster response.
Default: `false`.
Whether to verify SSL certificates.
Default: `true`.
## List KV entries
Action ID: `tools.splunk.list_kv_entries`
List entries in a KV Store collection from Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#get-6)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection to list entries from.
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Maximum number of entries to return.
Default: `100`.
Number of entries to skip for pagination.
Default: `0`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
MongoDB-style query to filter entries.
Supported operators:
* Conditional: $gt, $gte, $lt, $lte, \$ne
* Regex: \$regex
* Logical: $and, $or, \$not
Examples:
* \{"title": "Item"} - Find entries where title equals "Item"
* \{"price": \{"\$gt": 5}} - Find entries where price > 5
* \{"ip": \{"\$regex": "192.168.1.\*"}} - Find entries matching IP pattern
Default: `{}`.
Include entries from both specified owner and "nobody" user.
Default: `false`.
Number of items to skip from the start (alternative to offset).
Default: `0`.
Field to sort entries by.
Default: `"_key"`.
Whether to verify SSL certificates.
Default: `true`.
## List sourcetypes
Action ID: `tools.splunk.list_sourcetypes`
List all defined sourcetypes on the Splunk server.
Reference: [https://help.splunk.com/en?resourceId=Splunk\_RESTREF\_RESTsearch\&version=splunk-9\_4](https://help.splunk.com/en?resourceId=Splunk_RESTREF_RESTsearch\&version=splunk-9_4)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Adhoc search level.
Default: `"fast"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)).
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
## Search events
Action ID: `tools.splunk.search_events`
Search events from Splunk.
Reference: [https://help.splunk.com/en?resourceId=Splunk\_RESTREF\_RESTsearch\&version=splunk-9\_4#search.2Fjobs](https://help.splunk.com/en?resourceId=Splunk_RESTREF_RESTsearch\&version=splunk-9_4#search.2Fjobs)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
End time for the search.
Maximum number of events to return.
Splunk (Splunk Query Language) search query. You MUST start the query with `search`, e.g. `search index=main | head 10`
Start time for the search.
Adhoc search level.
Default: `"fast"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089)).
Default: `null`.
Whether to verify SSL certificates.
Default: `true`.
## Submit HEC event
Action ID: `tools.splunk.submit_hec_event`
Submit an event to Splunk using the HTTP Event Collector (HEC). Uses HEC token authentication.
Reference: [https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector](https://help.splunk.com/en/splunk-enterprise/get-data-in/get-started-with-getting-data-in/9.4/get-data-with-http-event-collector/format-events-for-http-event-collector)
### Secrets
Required secrets:
* `splunk_hec`: required values `SPLUNK_HEC_TOKEN`.
### Input fields
Event data to send to Splunk. Can contain any key-value pairs.
Example: \{"action": "login", "username": "john", "ip": "192.168.1.100"}
Splunk HEC endpoint URL (e.g. [https://localhost:8088](https://localhost:8088) or [https://tracecat.splunkcloud.com:8088](https://tracecat.splunkcloud.com:8088)).
Default: `null`.
Host field value for the event.
Default: `"tracecat.com"`.
Splunk index to send the event to. If not specified, uses the default index configured for the HEC token.
Default: `null`.
Event source identifier (e.g. application name, script name).
Default: `"tracecat_workflow"`.
Event source type for categorization and parsing rules.
Default: `"tracecat_log"`.
Whether to verify SSL certificates.
Default: `true`.
## Update KV entry
Action ID: `tools.splunk.update_kv_entry`
Update an existing entry in a KV Store collection in Splunk.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions#post-12)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection containing the entry.
The \_key value of the entry to update in the collection.
Example: "5f3a1b2c3d4e5f6a7b8c9d0e"
Fields to update in the entry. Only specified fields will be updated.
Example: \{"status": "completed", "updated\_at": "2024-01-15"}
Splunk app context where the collection resides (e.g. "search" for default).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://tracecat.splunkcloud.com:8089](https://tracecat.splunkcloud.com:8089)).
Default: `null`.
Splunk namespace owner for access control (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates.
Default: `true`.
## Upload CSV to KV Collection
Action ID: `tools.splunk.upload_csv_to_kv_collection`
Download a CSV file and upload its rows to a Splunk KV Store collection with create, append, or override modes.
Reference: [https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions](https://help.splunk.com/en/splunk-enterprise/rest-api-reference/9.4/kv-store-endpoints/kv-store-endpoint-descriptions)
### Secrets
Required secrets:
* `splunk`: required values `SPLUNK_API_KEY`.
### Input fields
Name of the KV Store collection to target.
URL pointing to the CSV file to ingest.
Splunk app context (e.g. search).
Default: `"search"`.
Splunk base URL (e.g. [https://localhost:8089](https://localhost:8089) or [https://example.splunkcloud.com:8089](https://example.splunkcloud.com:8089)). If not provided, falls back to the workspace variable `splunk.base_url`.
Default: `null`.
Number of CSV rows to send per request. Lower this if you hit payload limits.
Default: `500`.
Optional HTTP headers for downloading the CSV (e.g. Authorization).
Default: `null`.
create: new collection, error if it exists. append: add to existing collection, error if missing. override: replace existing collection if present.
Default: `"create"`.
Allowed values: `create`, `append`, `override`.
Splunk namespace owner (use "nobody" for shared access).
Default: `"nobody"`.
Whether to verify SSL certificates when downloading and uploading.
Default: `true`.
# Sublime
Source: https://docs.tracecat.com/tools/sublime
Reference for the Tracecat Sublime integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Analyze EML
Action ID: `tools.sublime.analyze_eml`
Analyze an EML message against active detection rules and ML attack score in Sublime.
Reference: [https://docs.sublime.security/reference/analyzemessage](https://docs.sublime.security/reference/analyzemessage)
### Secrets
Required secrets:
* `sublime`: required values `SUBLIME_API_KEY`.
### Input fields
Base64-encoded EML file.
Base URL of the Sublime API.
Default: `null`.
## Analyze URL
Action ID: `tools.sublime.analyze_url`
Analyze a URL with ML link analysis in Sublime.
Reference: [https://docs.sublime.security/docs/enrichment-functions#mllink\_analysis](https://docs.sublime.security/docs/enrichment-functions#mllink_analysis)
### Secrets
Required secrets:
* `sublime`: required values `SUBLIME_API_KEY`.
### Input fields
URL to analyze.
Base URL of the Sublime API.
Default: `null`.
## Attack score for EML
Action ID: `tools.sublime.score_eml`
Evaluate attack score of an EML message using the Sublime API.
Reference: [https://docs.sublime.security/reference/attackscoreforrawmessage](https://docs.sublime.security/reference/attackscoreforrawmessage)
### Secrets
Required secrets:
* `sublime`: required values `SUBLIME_API_KEY`.
### Input fields
Base64-encoded EML file.
Base URL of the Sublime API.
Default: `"https://platform.sublime.security"`.
## Scan file with BinExplode
Action ID: `tools.sublime.scan_file`
Scan a file with BinExplode. Returns
Reference: [https://docs.sublime.security/reference/postscan-1](https://docs.sublime.security/reference/postscan-1)
### Secrets
Required secrets:
* `sublime`: required values `SUBLIME_API_KEY`.
### Input fields
Base64-encoded file.
Name of the file.
Base URL of the Sublime API.
Default: `null`.
# Tavily
Source: https://docs.tracecat.com/tools/tavily
Reference for the Tracecat Tavily integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Search the web
Action ID: `tools.tavily.web_search`
Search the web with Tavily for a given search query.
Reference: [https://docs.tavily.com/documentation/api-reference/endpoint/search](https://docs.tavily.com/documentation/api-reference/endpoint/search)
### Secrets
Required secrets:
* `tavily`: required values `TAVILY_API_KEY`.
### Input fields
Search query to execute with Tavily.
Depth of the search.
Allowed values: `basic`, `advanced`.
Time range back from the current date to filter results.
Allowed values: `day`, `week`, `month`, `year`.
Category of the search.
Allowed values: `general`, `news`.
# Tenable Security Center
Source: https://docs.tracecat.com/tools/tenable_sc
Reference for the Tracecat Tenable Security Center integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Create active scan
Action ID: `tools.tenable_sc.create_active_scan`
Create a Tenable Security Center scan using an existing policy and set of assets or targets.
Reference: [https://docs.tenable.com/security-center/api/Scan.htm](https://docs.tenable.com/security-center/api/Scan.htm)
### Secrets
Required secrets:
* `tenable_sc`: required values `TENABLE_SC_ACCESS_KEY`, `TENABLE_SC_SECRET_KEY`.
### Input fields
Name of the scan to create.
Repository ID targeted by the scan.
Asset object IDs that the scan should target.
Default: `[]`.
Tenable Security Center base URL (e.g. [https://security-center.example.com](https://security-center.example.com)).
Default: `null`.
Credential objects to use for authenticated scanning.
Default: `[]`.
Optional scan description shown in Tenable Security Center.
Default: `null`.
Comma-separated list of additional targets/IP ranges.
Default: `null`.
Policy ID to associate with the scan (required for policy scans).
Default: `null`.
Scan type (e.g. policy, discovery, agent).
Default: `"policy"`.
Whether to verify TLS certificates when calling the API.
Default: `true`.
## Run analysis query
Action ID: `tools.tenable_sc.run_analysis_query`
Execute a Tenable Security Center analysis query (e.g. vuln details for a scan).
Reference: [https://docs.tenable.com/security-center/api/Analysis.htm](https://docs.tenable.com/security-center/api/Analysis.htm)
### Secrets
Required secrets:
* `tenable_sc`: required values `TENABLE_SC_ACCESS_KEY`, `TENABLE_SC_SECRET_KEY`.
### Input fields
ID of the scan whose results the query should evaluate.
Analysis type to pass to the Analysis API.
Default: `"vuln"`.
Tenable Security Center base URL (e.g. [https://security-center.example.com](https://security-center.example.com)).
Default: `null`.
Ending offset for pagination.
Default: `100`.
Tenable Security Center analysis query block (tool, type, filters, etc.).
Default: `{
"tool": "vulndetails",
"type": "vuln"
}`.
Sort direction for the results.
Default: `"desc"`.
Field to sort results by.
Default: `"severity"`.
Result source type (e.g. individual, cumulative, lce).
Default: `"individual"`.
Starting offset for pagination.
Default: `0`.
Whether to verify TLS certificates when calling the API.
Default: `true`.
View applied to the result set (e.g. all, exploitable, accepted).
Default: `"all"`.
# Terraform Cloud
Source: https://docs.tracecat.com/tools/terraform
Reference for the Tracecat Terraform Cloud integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Apply run
Action ID: `tools.terraform.apply_run`
Apply a planned Terraform Cloud run to execute infrastructure changes.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the run to apply.
Optional comment explaining why the run is being applied.
Default: `null`.
## Create workspace variable
Action ID: `tools.terraform.create_workspace_variable`
Create a new variable in a Terraform Cloud workspace.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The name of the variable.
The value of the variable.
The ID of the workspace to create the variable in.
Whether this is a Terraform variable or environment variable.
Default: `"terraform"`.
Allowed values: `terraform`, `env`.
Whether the value is in HCL format.
Default: `false`.
Whether the value is sensitive and should be hidden in the UI.
Default: `false`.
## Get run details
Action ID: `tools.terraform.get_run_details`
Get details for a specific Terraform Cloud run.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the run to get details for.
## Get workspace details
Action ID: `tools.terraform.get_workspace_details`
Get details for a workspace by ID or by organization and workspace name.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The organization name. Required if workspace\_id is not provided.
Default: `null`.
The workspace ID. If provided, organization and workspace\_name are ignored.
Default: `null`.
The workspace name. Required if workspace\_id is not provided.
Default: `null`.
## List projects
Action ID: `tools.terraform.list_projects`
List all projects in a Terraform Cloud organization.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/projects](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/projects)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The name of the Terraform Cloud organization.
The page number to return.
Default: `1`.
The number of projects to return per page.
Default: `20`.
## List runs
Action ID: `tools.terraform.list_runs`
List all runs for a Terraform Cloud workspace.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the workspace to list runs for.
The page number to return.
Default: `1`.
The number of runs to return per page.
Default: `20`.
## List workspace variables
Action ID: `tools.terraform.list_workspace_variables`
List all variables configured for a Terraform Cloud workspace.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the workspace to list variables for.
## List workspaces
Action ID: `tools.terraform.list_workspaces`
List all workspaces in a Terraform Cloud organization, optionally filtered by project.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The name of the Terraform Cloud organization.
The page number to return.
Default: `1`.
The number of workspaces to return per page.
Default: `20`.
Optional project ID to filter workspaces by project.
Default: `null`.
## Plan run
Action ID: `tools.terraform.plan_run`
Create a plan-only run in Terraform Cloud to preview infrastructure changes.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the workspace to create the plan run for.
Optional message to describe the purpose of the run.
Default: `null`.
## Refresh state
Action ID: `tools.terraform.refresh_state`
Create a refresh-only run to update Terraform state with real infrastructure.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/run)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the workspace to refresh state for.
Optional message to describe the purpose of the refresh.
Default: `null`.
## Update workspace variable
Action ID: `tools.terraform.update_workspace_variable`
Update an existing variable in a Terraform Cloud workspace.
Reference: [https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspace-variables)
### Secrets
Required secrets:
* `terraform`: required values `TERRAFORM_API_TOKEN`.
### Input fields
The ID of the variable to update.
The ID of the workspace containing the variable.
Whether the value is in HCL format.
Default: `null`.
The name of the variable. Only required if changing the key.
Default: `null`.
Whether the value is sensitive.
Default: `null`.
The value of the variable. Only required if changing the value.
Default: `null`.
# Anomali ThreatStream
Source: https://docs.tracecat.com/tools/threatstream
Reference for the Tracecat Anomali ThreatStream integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup domain
Action ID: `tools.threatstream.lookup_domain`
Search Anomali ThreatStream for reputation of a domain.
### Secrets
Required secrets:
* `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`.
### Input fields
Domain to lookup.
## Lookup email
Action ID: `tools.threatstream.lookup_email`
Search Anomali ThreatStream for reputation of an email address.
### Secrets
Required secrets:
* `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`.
### Input fields
Email address to lookup.
## Lookup File Hash
Action ID: `tools.threatstream.lookup_file_hash`
Search Anomali ThreatStream for reputation of a file hash.
### Secrets
Required secrets:
* `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`.
### Input fields
File hash to lookup.
## Lookup IP address
Action ID: `tools.threatstream.lookup_ip_address`
Search Anomali ThreatStream for reputation of an IP address.
### Secrets
Required secrets:
* `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`.
### Input fields
IP address to lookup.
## Lookup URL
Action ID: `tools.threatstream.lookup_url`
Search Anomali ThreatStream for reputation of an URL.
### Secrets
Required secrets:
* `threatstream`: required values `ANOMALI_USERNAME`, `ANOMALI_API_KEY`.
### Input fields
URL to lookup.
# URLhaus
Source: https://docs.tracecat.com/tools/urlhaus
Reference for the Tracecat URLhaus integration: registered actions, required secrets, expected inputs, and example workflow usage.
## List URL blocklist
Action ID: `tools.urlhaus.list_url_threats`
List recent URLs from URLhaus blocklist
Reference: [https://urlhaus-api.abuse.ch/#urls-recent](https://urlhaus-api.abuse.ch/#urls-recent)
### Secrets
Required secrets:
* `abusech`: required values `ABUSECH_API_KEY`.
### Input fields
Maximum number of URLs to return.
Default: `100`.
# URLScan
Source: https://docs.tracecat.com/tools/urlscan
Reference for the Tracecat URLScan integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Lookup URL
Action ID: `tools.urlscan.lookup_url`
Lookup a URL using URLScan.
Reference: [https://urlscan.io/docs/result/](https://urlscan.io/docs/result/)
### Secrets
Required secrets:
* `urlscan`: required values `URLSCAN_API_KEY`.
### Input fields
URL to lookup.
Visibility of the scan.
Default: `"private"`.
# VirusTotal
Source: https://docs.tracecat.com/tools/virustotal
Reference for the Tracecat VirusTotal integration: registered actions, required secrets, expected inputs, and example workflow usage.
## List threats
Action ID: `tools.virustotal.list_threats`
List threats from VirusTotal.
Reference: [https://docs.virustotal.com/reference/overview](https://docs.virustotal.com/reference/overview)
### Secrets
Required secrets:
* `virustotal`: required values `VIRUSTOTAL_API_KEY`.
### Input fields
Filter to apply to the list of threats.
Maximum number of threats to return.
Default: `10`.
## Lookup domain
Action ID: `tools.virustotal.lookup_domain`
Get VirusTotal report for a domain.
Reference: [https://docs.virustotal.com/reference/domain-info](https://docs.virustotal.com/reference/domain-info)
### Secrets
Required secrets:
* `virustotal`: required values `VIRUSTOTAL_API_KEY`.
### Input fields
Domain to lookup.
## Lookup file hash
Action ID: `tools.virustotal.lookup_file_hash`
Get VirusTotal report for a file hash.
Reference: [https://docs.virustotal.com/reference/file-info](https://docs.virustotal.com/reference/file-info)
### Secrets
Required secrets:
* `virustotal`: required values `VIRUSTOTAL_API_KEY`.
### Input fields
File hash to lookup.
## Lookup IP address
Action ID: `tools.virustotal.lookup_ip_address`
Get VirusTotal report for an IP address.
Reference: [https://docs.virustotal.com/reference/ip-info](https://docs.virustotal.com/reference/ip-info)
### Secrets
Required secrets:
* `virustotal`: required values `VIRUSTOTAL_API_KEY`.
### Input fields
IP address to lookup.
## Lookup URL
Action ID: `tools.virustotal.lookup_url`
Get VirusTotal report for a URL.
Reference: [https://docs.virustotal.com/reference/url-info](https://docs.virustotal.com/reference/url-info)
### Secrets
Required secrets:
* `virustotal`: required values `VIRUSTOTAL_API_KEY`.
### Input fields
URL to lookup.
# Wazuh
Source: https://docs.tracecat.com/tools/wazuh
Reference for the Tracecat Wazuh integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Run command
Action ID: `tools.wazuh.active_response`
Run an Active Response command on Wazuh agents.
Reference: [https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.active\_response\_controller.run\_command](https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.active_response_controller.run_command)
### Secrets
Required secrets:
* `wazuh_wui`: required values `WAZUH_WUI_USERNAME`, `WAZUH_WUI_PASSWORD`.
### Input fields
List of agent IDs (separated by comma), all agents selected by default if not specified.
Command running in the agent. If this value starts with !, then it refers to a script name instead of a command name.
Change the token base duration
Default: `900`.
URL for the Wazuh WUI API.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
## Update agents
Action ID: `tools.wazuh.update_agents`
Identifies outdated Wazuh agents and updates them.
Reference: [https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent\_controller.put\_upgrade\_agents](https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.put_upgrade_agents)
### Secrets
Required secrets:
* `wazuh_wui`: required values `WAZUH_WUI_USERNAME`, `WAZUH_WUI_PASSWORD`.
### Input fields
Change the token base duration
Default: `900`.
URL for the Wazuh WUI API.
Default: `null`.
If False, disables SSL verification for internal networks.
Default: `true`.
# Wiz MCP
Source: https://docs.tracecat.com/tools/wiz
Reference for the Tracecat Wiz MCP integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Wiz MCP
Action ID: `tools.wiz.mcp`
Use AI to interact with Wiz.
Reference: [https://www.wiz.io/blog/introducing-mcp-server-for-wiz](https://www.wiz.io/blog/introducing-mcp-server-for-wiz)
### Secrets
Required secrets:
* `wiz_mcp_oauth`: OAuth token `WIZ_MCP_USER_TOKEN`.
Optional secrets:
* `anthropic`: optional values `ANTHROPIC_API_KEY`.
* `openai`: optional values `OPENAI_API_KEY`.
* `gemini`: optional values `GEMINI_API_KEY`.
* `amazon_bedrock`: optional values `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_ROLE_ARN`, `AWS_ROLE_SESSION_NAME`, `AWS_SESSION_TOKEN`, `AWS_BEARER_TOKEN_BEDROCK`, `AWS_MODEL_ID`, `AWS_INFERENCE_PROFILE_ID`.
* `custom-model-provider`: optional values `CUSTOM_MODEL_PROVIDER_API_KEY`, `CUSTOM_MODEL_PROVIDER_MODEL_NAME`, `CUSTOM_MODEL_PROVIDER_BASE_URL`.
* `azure_openai`: optional values `AZURE_API_BASE`, `AZURE_API_VERSION`, `AZURE_DEPLOYMENT_NAME`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`.
* `azure_ai`: optional values `AZURE_API_BASE`, `AZURE_API_KEY`, `AZURE_AD_TOKEN`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_API_VERSION`, `AZURE_AI_MODEL_NAME`.
* `litellm`: required values `LITELLM_BASE_URL`.
### Input fields
Instructions for the agent.
User prompt to the agent.
Model to use. Pick from the list of models enabled for this workspace. Provide this field, or both deprecated `model_name` and `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_provider`.
Default: `null`.
Deprecated. Use `model` instead. If `model` is omitted, set this together with `model_name`.
Default: `null`.
# Zendesk
Source: https://docs.tracecat.com/tools/zendesk
Reference for the Tracecat Zendesk integration: registered actions, required secrets, expected inputs, and example workflow usage.
## Get group users
Action ID: `tools.zendesk.get_group_users`
Retrieve all users in a specific group.
Reference: [https://developer.zendesk.com/api-reference/ticketing/groups/groups/](https://developer.zendesk.com/api-reference/ticketing/groups/groups/)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
The ID of the group
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
Page number for pagination (1-based)
Default: `null`.
Number of users per page (max 100)
Default: `100`.
## Get groups
Action ID: `tools.zendesk.get_groups`
Retrieve all groups from Zendesk.
Reference: [https://developer.zendesk.com/api-reference/ticketing/groups/groups/](https://developer.zendesk.com/api-reference/ticketing/groups/groups/)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
Page number for pagination (1-based)
Default: `null`.
Number of groups per page (max 100)
Default: `100`.
## Get ticket
Action ID: `tools.zendesk.get_ticket`
Retrieve a specific ticket by ID from Zendesk.
Reference: [https://developer.zendesk.com/api-reference/ticketing/tickets/tickets/#show-ticket](https://developer.zendesk.com/api-reference/ticketing/tickets/tickets/#show-ticket)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
The ID of the ticket to retrieve
## Get ticket attachments
Action ID: `tools.zendesk.get_ticket_attachments`
Retrieve attachments from a specific ticket.
Reference: [https://developer.zendesk.com/api-reference/ticketing/tickets/ticket\_comments/](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket_comments/)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
The ID of the ticket
## Get ticket comments
Action ID: `tools.zendesk.get_ticket_comments`
Retrieve all comments for a specific ticket.
Reference: [https://developer.zendesk.com/api-reference/ticketing/tickets/ticket\_comments/](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket_comments/)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
The ID of the ticket
Page number for pagination (1-based)
Default: `null`.
Number of comments per page (max 100)
Default: `100`.
## Get Twilio recordings
Action ID: `tools.zendesk.get_twilio_recordings`
Retrieve Twilio call recordings associated with tickets (requires Twilio integration).
Reference: [https://developer.zendesk.com/api-reference/voice/talk-api/recordings/](https://developer.zendesk.com/api-reference/voice/talk-api/recordings/)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
Call ID
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
## Search Zendesk
Action ID: `tools.zendesk.search_tickets`
Search Zendesk using search query syntax.
Reference: [https://developer.zendesk.com/api-reference/ticketing/ticket-management/search/#list-search-results](https://developer.zendesk.com/api-reference/ticketing/ticket-management/search/#list-search-results)
### Secrets
Required secrets:
* `zendesk`: required values `ZENDESK_EMAIL`, `ZENDESK_API_TOKEN`.
### Input fields
Your Zendesk subdomain (e.g., 'company' for company.zendesk.com)
Page number for pagination (1-based)
Default: `null`.
Number of results per page (max 100)
Default: `100`.
Search query using Zendesk search syntax. Default type:ticket -status:solved -status:closed
Default: `"type:ticket -status:solved -status:closed"`.
Field to sort results by (created\_at, updated\_at, priority, status, ticket\_type)
Default: `null`.
Sort order (asc, desc)
Default: `null`.
]