# Tracecat Docs ## Docs - [AI action](https://docs.tracecat.com/agents/ai-action.md): Use `ai.action` to run a single LLM call in a workflow. - [AI agent](https://docs.tracecat.com/agents/ai-agent.md): Use `ai.agent` and `ai.preset_agent` for tool-calling agent runs in workflows. - [Secrets and variables](https://docs.tracecat.com/agents/secrets-variables.md): Pass secrets and workspace variables to preset agent tool calls securely. - [Basic](https://docs.tracecat.com/authentication/basic.md): Learn how to authenticate into Tracecat with basic auth. - [OIDC](https://docs.tracecat.com/authentication/oidc.md): Learn how to authenticate into Tracecat using OpenID Connect. - [SAML SSO](https://docs.tracecat.com/authentication/saml.md): Learn how to authenticate into Tracecat with SAML SSO. - [Actions](https://docs.tracecat.com/automations/actions.md): Connect actions to build workflows. - [Cases](https://docs.tracecat.com/automations/cases.md): Resolve work items alongside agents and workflows. - [Attachments](https://docs.tracecat.com/automations/core-actions/case-actions/attachments.md) - [Cases](https://docs.tracecat.com/automations/core-actions/case-actions/cases.md) - [Comments](https://docs.tracecat.com/automations/core-actions/case-actions/comments.md) - [Linked rows](https://docs.tracecat.com/automations/core-actions/case-actions/linked-rows.md) - [Metrics](https://docs.tracecat.com/automations/core-actions/case-actions/metrics.md) - [Tasks](https://docs.tracecat.com/automations/core-actions/case-actions/tasks.md) - [Filesystem](https://docs.tracecat.com/automations/core-actions/memory-actions/filesystem.md) - [Tables](https://docs.tracecat.com/automations/core-actions/memory-actions/tables.md) - [Email](https://docs.tracecat.com/automations/core-actions/request-actions/email.md) - [gRPC](https://docs.tracecat.com/automations/core-actions/request-actions/grpc.md) - [HTTP](https://docs.tracecat.com/automations/core-actions/request-actions/http.md) - [SQL](https://docs.tracecat.com/automations/core-actions/request-actions/sql.md) - [SSH](https://docs.tracecat.com/automations/core-actions/request-actions/ssh.md) - [Data transforms](https://docs.tracecat.com/automations/core-actions/transform-actions/data-transforms.md) - [Python script](https://docs.tracecat.com/automations/core-actions/transform-actions/python-script.md) - [Require](https://docs.tracecat.com/automations/core-actions/transform-actions/require.md) - [Reshape](https://docs.tracecat.com/automations/core-actions/transform-actions/reshape.md) - [Run subflow](https://docs.tracecat.com/automations/core-actions/workflow-actions/run-subflow.md) - [Scatter-gather loops](https://docs.tracecat.com/automations/core-actions/workflow-actions/scatter-gather-loops.md) - [While loops](https://docs.tracecat.com/automations/core-actions/workflow-actions/while-loops.md) - [Expressions](https://docs.tracecat.com/automations/core-concepts/expressions.md): Syntax reference for Tracecat expressions. - [Functions](https://docs.tracecat.com/automations/core-concepts/functions.md): In-line utility functions. - [JSONPath](https://docs.tracecat.com/automations/core-concepts/jsonpath.md): Path access reference for Tracecat expressions. - [Secrets](https://docs.tracecat.com/automations/core-concepts/secrets.md): Create and use secrets in workflows and agents. - [Variables](https://docs.tracecat.com/automations/core-concepts/variables.md): Create and use reusable workspace variables in workflows and agents. - [Workflow definition](https://docs.tracecat.com/automations/core-concepts/workflow-definition.md): YAML reference for Tracecat workflow definitions. - [MCP servers](https://docs.tracecat.com/automations/integrations/mcp-integrations.md): Connect remote and stdio MCP servers to Tracecat agents. - [OAuth](https://docs.tracecat.com/automations/integrations/oauth-integrations.md): Connect OAuth providers and use managed OAuth tokens in expressions. - [Prebuilt credentials](https://docs.tracecat.com/automations/integrations/prebuilt-credentials.md): Configure credentials for built-in integrations. - [Tables](https://docs.tracecat.com/automations/tables.md): Store and manage structured data. - [Tracecat MCP](https://docs.tracecat.com/automations/tracecat-mcp.md): Build automations through your own agent harness. - [Case triggers](https://docs.tracecat.com/automations/triggers/case-triggers.md): Start workflows from case events. - [Comment triggers](https://docs.tracecat.com/automations/triggers/comment-triggers.md): Run workflows from case comments and replies. - [Error workflows](https://docs.tracecat.com/automations/triggers/error-workflows.md): Run a workflow when another workflow fails. - [Schedules](https://docs.tracecat.com/automations/triggers/schedules.md): Run workflows on a time-based cadence. - [Task triggers](https://docs.tracecat.com/automations/triggers/task-triggers.md): Run workflows from case tasks. - [Webhooks](https://docs.tracecat.com/automations/triggers/webhooks.md): Trigger workflows from external systems with webhooks. - [Workflows](https://docs.tracecat.com/automations/workflows.md): Build and manage workflows. - [Functions cheatsheet](https://docs.tracecat.com/cheatsheets/functions.md): Quick reference for all Tracecat expression functions and operators. - [JSONPath cheatsheet](https://docs.tracecat.com/cheatsheets/jsonpath.md): Quick reference for JSONPath syntax, filters, and access patterns. - [Custom registry](https://docs.tracecat.com/custom-actions/custom-registry.md): Sync custom Python scripts into Tracecat. - [Local development](https://docs.tracecat.com/custom-actions/local-development.md): Hot reload custom actions in Tracecat. - [Python UDFs](https://docs.tracecat.com/custom-actions/python-udf.md): Build custom Python actions in Tracecat. - [YAML templates](https://docs.tracecat.com/custom-actions/yaml-template.md): Build custom YAML actions in Tracecat. - [Getting started](https://docs.tracecat.com/overview/getting-started.md) - [Welcome to Tracecat](https://docs.tracecat.com/overview/introduction.md) - [Architecture](https://docs.tracecat.com/self-hosting/architecture.md): Services, networking, and authentication for self-hosted Tracecat. - [AWS ECS Fargate](https://docs.tracecat.com/self-hosting/aws-fargate.md): Deploy Tracecat to AWS ECS Fargate using Terraform. - [Docker Compose](https://docs.tracecat.com/self-hosting/docker-compose.md): Deploy Tracecat using Docker Compose. - [Environment variables](https://docs.tracecat.com/self-hosting/environment-variables.md): Reference for all Tracecat environment variables. - [Kubernetes](https://docs.tracecat.com/self-hosting/kubernetes.md): Deploy Tracecat to Kubernetes using the OCI Helm chart. - [Security](https://docs.tracecat.com/self-hosting/security.md): Harden your self-hosted Tracecat deployment. - [AbuseIPDB](https://docs.tracecat.com/tools/abuseipdb.md): Reference for AbuseIPDB actions. - [AlertMedia](https://docs.tracecat.com/tools/alertmedia.md): Reference for AlertMedia actions. - [Amazon S3](https://docs.tracecat.com/tools/amazon_s3.md): Reference for Amazon S3 actions. - [Ansible](https://docs.tracecat.com/tools/ansible.md): Reference for Ansible actions. - [ANY.RUN](https://docs.tracecat.com/tools/anyrun.md): Reference for ANY.RUN actions. - [AWS Boto3](https://docs.tracecat.com/tools/aws_boto3.md): Reference for AWS Boto3 actions. - [Azure Log Analytics](https://docs.tracecat.com/tools/azure_log_analytics.md): Reference for Azure Log Analytics actions. - [MITRE Caldera](https://docs.tracecat.com/tools/caldera.md): Reference for MITRE Caldera actions. - [Confluence](https://docs.tracecat.com/tools/confluence.md): Reference for Confluence actions. - [CrowdSec](https://docs.tracecat.com/tools/crowdsec.md): Reference for CrowdSec actions. - [CrowdStrike](https://docs.tracecat.com/tools/crowdstrike.md): Reference for CrowdStrike actions. - [Datadog](https://docs.tracecat.com/tools/datadog.md): Reference for Datadog actions. - [Elastic Security](https://docs.tracecat.com/tools/elastic_security.md): Reference for Elastic Security actions. - [Elasticsearch](https://docs.tracecat.com/tools/elasticsearch.md): Reference for Elasticsearch actions. - [EmailRep](https://docs.tracecat.com/tools/emailrep.md): Reference for EmailRep actions. - [Exa](https://docs.tracecat.com/tools/exa.md): Reference for Exa actions. - [FalconPy](https://docs.tracecat.com/tools/falconpy.md): Reference for FalconPy actions. - [GitHub MCP](https://docs.tracecat.com/tools/github.md): Reference for GitHub MCP actions. - [Gmail](https://docs.tracecat.com/tools/gmail.md): Reference for Gmail actions. - [Google API](https://docs.tracecat.com/tools/google_api.md): Reference for Google API actions. - [Google Docs](https://docs.tracecat.com/tools/google_docs.md): Reference for Google Docs actions. - [Google Drive](https://docs.tracecat.com/tools/google_drive.md): Reference for Google Drive actions. - [Google Maps](https://docs.tracecat.com/tools/google_maps.md): Reference for Google Maps actions. - [Google SecOps Detection Engine](https://docs.tracecat.com/tools/google_secops_detection.md): Reference for Google SecOps Detection Engine actions. - [Google SecOps SOAR](https://docs.tracecat.com/tools/google_secops_soar.md): Reference for Google SecOps SOAR actions. - [Google Sheets](https://docs.tracecat.com/tools/google_sheets.md): Reference for Google Sheets actions. - [Gophish](https://docs.tracecat.com/tools/gophish.md): Reference for Gophish actions. - [HackerOne](https://docs.tracecat.com/tools/hackerone.md): Reference for HackerOne actions. - [Have I Been Pwned](https://docs.tracecat.com/tools/hibp.md): Reference for Have I Been Pwned actions. - [Hybrid Analysis](https://docs.tracecat.com/tools/hybrid_analysis.md): Reference for Hybrid Analysis actions. - [IPinfo](https://docs.tracecat.com/tools/ipinfo.md): Reference for IPinfo actions. - [Jira MCP](https://docs.tracecat.com/tools/jira.md): Reference for Jira MCP actions. - [LDAP](https://docs.tracecat.com/tools/ldap.md): Reference for LDAP actions. - [LeakCheck](https://docs.tracecat.com/tools/leakcheck.md): Reference for LeakCheck actions. - [Linear MCP](https://docs.tracecat.com/tools/linear.md): Reference for Linear MCP actions. - [Microsoft Defender for Endpoint](https://docs.tracecat.com/tools/microsoft_defender_endpoint.md): Reference for Microsoft Defender for Endpoint actions. - [Microsoft Entra](https://docs.tracecat.com/tools/microsoft_entra.md): Reference for Microsoft Entra actions. - [Microsoft Sentinel](https://docs.tracecat.com/tools/microsoft_sentinel.md): Reference for Microsoft Sentinel actions. - [Microsoft Teams](https://docs.tracecat.com/tools/microsoft_teams.md): Reference for Microsoft Teams actions. - [MinIO](https://docs.tracecat.com/tools/minio.md): Reference for MinIO actions. - [Notion MCP](https://docs.tracecat.com/tools/notion.md): Reference for Notion MCP actions. - [Okta](https://docs.tracecat.com/tools/okta.md): Reference for Okta actions. - [Okta](https://docs.tracecat.com/tools/okta_oar.md): Reference for Okta actions. - [PagerDuty](https://docs.tracecat.com/tools/pagerduty.md): Reference for PagerDuty actions. - [Panther](https://docs.tracecat.com/tools/panther.md): Reference for Panther actions. - [PhishLabs](https://docs.tracecat.com/tools/phishlabs.md): Reference for PhishLabs actions. - [PyMongo](https://docs.tracecat.com/tools/pymongo.md): Reference for PyMongo actions. - [Rootly](https://docs.tracecat.com/tools/rootly.md): Reference for Rootly actions. - [RunReveal MCP](https://docs.tracecat.com/tools/runreveal.md): Reference for RunReveal MCP actions. - [SentinelOne](https://docs.tracecat.com/tools/sentinel_one.md): Reference for SentinelOne actions. - [Sentry MCP](https://docs.tracecat.com/tools/sentry.md): Reference for Sentry MCP actions. - [ServiceNow](https://docs.tracecat.com/tools/servicenow.md): Reference for ServiceNow actions. - [Slack](https://docs.tracecat.com/tools/slack.md): Reference for Slack actions. - [Slack SDK](https://docs.tracecat.com/tools/slack_sdk.md): Reference for Slack SDK actions. - [Splunk](https://docs.tracecat.com/tools/splunk.md): Reference for Splunk actions. - [Sublime](https://docs.tracecat.com/tools/sublime.md): Reference for Sublime actions. - [Tavily](https://docs.tracecat.com/tools/tavily.md): Reference for Tavily actions. - [Tenable Security Center](https://docs.tracecat.com/tools/tenable_sc.md): Reference for Tenable Security Center actions. - [Terraform Cloud](https://docs.tracecat.com/tools/terraform.md): Reference for Terraform Cloud actions. - [Anomali ThreatStream](https://docs.tracecat.com/tools/threatstream.md): Reference for Anomali ThreatStream actions. - [URLhaus](https://docs.tracecat.com/tools/urlhaus.md): Reference for URLhaus actions. - [URLScan](https://docs.tracecat.com/tools/urlscan.md): Reference for URLScan actions. - [VirusTotal](https://docs.tracecat.com/tools/virustotal.md): Reference for VirusTotal actions. - [Wazuh](https://docs.tracecat.com/tools/wazuh.md): Reference for Wazuh actions. - [Wiz MCP](https://docs.tracecat.com/tools/wiz.md): Reference for Wiz MCP actions. - [Zendesk](https://docs.tracecat.com/tools/zendesk.md): Reference for Zendesk actions.