New integrations:

New steps and improvements:

List Tools: Retrieves a list of the tools available in the Atlassian Rovo MCP Server

Create Session: Initializes a new session with Atlassian Rovo MCP Server

List Activity Events: Get a list of all events in the activity monitor across your SaaS applications, sorted in descending chronological order.

List Affected Entities: Get a list of affected entities for a specific security check.

Upload Custom Integration Data: Send data to a specific source in a custom integration for processing and analysis.

List Security Checks: Get a specific security check by ID or get a list of all security checks.

List Device Inventory: Get a list of all devices across your SaaS applications with their security status and associations.

List All Extensions: Returns the discovery list of all browser extensions, including the extension name, ID, total downloads, permissions, risk reasons, and additional details. Page through results until `hasNext` is false.

List All Devices: Returns the discovery list of all devices, including device ID, name, OS version, and additional details. Page through results until `hasNext` is false.

Update a Tag: Update the name or assets of a tag.

List Policies: Returns a list of all policies, including the policy ID, name, type, and additional details.

Update Alert Status: Updates the status of a specific alert. The response acknowledges the update but does not include the alert body.

Add Assets to Tag: Adds additional assets to an existing tag without replacing existing members. Useful for incrementally expanding tag coverage.

Get a Policy: Returns the full details of a single policy by ID, including the policy condition and metadata.

Delete Asset from Tag: Removes a specific asset from an existing tag. Helpful for narrowing tag coverage or revoking an asset's classification.

List Tags: Returns a list of all tags, including the tag ID, name, type, and additional details. The response does not include each tag's assets

List Tools: Returns the catalog of tools Reco exposes.

Create Session: Opens the MCP handshake with the server before tool calls.

Generic Tool Call: Invokes any tool by name with arguments.

Fetch Azure Asset: Fetches detailed properties for Azure assets (Azure Users, Groups, Apps, etc.) using their Object ID and specific Azure entity type.

Fetch Finding Long Remediation: Retrieves the comprehensive, step-by-step markdown remediation guide for a finding type, including detailed commands, registry edits, or GUI instructions required to secure the path.

Fetch Shortest Path: Queries the BloodHound Enterprise graph to determine if an attack path exists between a specific starting node and ending node.

Fetch Finding Short Remediation: Retrieves the short remediation markdown instructions for a specific finding type. Provides analysts with immediate, high-level steps to break the attack path.

Fetch Available Types: Fetches the master list of all finding types categories monitored by BloodHound Enterprise (e.g., T0MarkSensitive, T0GenericAll).

Fetch Base Asset: Fetches detailed properties for Active Directory base assets (Users, Groups, Computers, etc.) using their unique Object ID.

Fetch Available Zones: Retrieves all BloodHound Enterprise Zones (e.g., Tier Zero). Useful for scoping or filtering findings to specific security boundaries or network segments.

Fetch Self: Pings the BloodHound Enterprise authentication endpoint to return details about the currently authenticated API user/client. Primarily used to validate API credentials and token health.

Download Report: Generates and downloads a report by its definition ID. Response body in api_object is the file content (PDF/CSV/RTF/etc. depending on the report definition's type).

Get Scan Config: Get individual scan configuration details.

Export Analysis Request: Exports vulnerability analysis results as a CSV file. Returns the CSV body in api_object. Use for offline reporting pipelines.

List Scans: Lists scan configurations. Shows scan scope, schedule, policy, target list. Use for scan inventory reports.

List Reports: Lists report definitions. These are the report templates (PDF/CSV/RTF/etc.) configured in Security Center; downloading produces the actual file.

Get URL Rewrite Events: Retrieve paginated click and clickthrough events for URL rewrites. Supports filtering by Unix time range, user email, and event type. Returns events where users clicked on rewritten URLs in email messages.

Get MISP Report: Get report for a submission in MISP format

Create Risk: Create a new custom Risk within a Risk Register.

Get Asset: Get full detail for a single Asset by ID.

Get Risk: Get the full detail of a single Risk.

Get Policy: Get a specific published Policy by ID.

List Tasks: Find Tasks in a workspace matching the provided filters.

Get Device: Get full detail for a single Device by ID.

Get Task: Get details for a specific Task by ID.

List Users: Find Users matching the provided filters.

List Policies: List published Policies matching the provided filters.

Get Event: Get details for an Event by ID.

List Monitoring Test Failures: Find Monitoring Test Failures for a specific Monitoring Test. By default excludes failures that have been manually excluded; pass Include exclusions=true to include them.

Get Vendor: Get the full detail of a single Vendor record.

Enable Account by sAMAccount Name: Enables an account in Microsoft Active Directory by sAMAccount name. This step changes the account status from disabled to enabled, allowing the user to log in.

Disable Account by sAMAccount Name: Disables a user account in Microsoft Active Directory by sAMAccount name.

Remove user from group by sAMAccount Name: Removes the given account from the given group.

Azure cloud: Azure cloud environment to use. Determines which Azure endpoints are used for authentication and API calls.

Timestamp range start: Start timestamp (inclusive) to retrieve data from. Extended ISO-8601 format with mandatory time zone designator. Note: Data is only available for 90 days.

Get Scheduled Report Files: Retrieves the list of generated files for a given scheduled report.

List Scheduled Reports: Lists all scheduled reports configured in the Orca tenant, with optional filtering and pagination.

Get Scheduled Report: Retrieves the details of a single scheduled report by ID.

Create Report Task: Triggers generation of a report. Returns a task ID that can be polled with Get Report Task Status to retrieve the finished report.

Get Report Task Status: Retrieves the status of a report generation task. Use this to poll until a report is ready and pull the download link.

Retrieve Security Score and Metrics: Retrieves the organization's overall security score and metrics from Orca. Optionally returns per-cloud-account scores for dashboard breakdowns.

Get User Selected Compliance Frameworks: Retrieves the list of compliance frameworks active in the Orca tenant, with an indication of which ones the customer has selected. Returns a bounded, dashboard-friendly list.

Unset Crown Jewel Assets: Removes the crown jewel designation from one or more assets, either by explicit asset IDs or via a filter query.

List Audit Log Actions: Retrieves the list of available audit log action types. Useful for filtering audit log queries by action category.

List Open Alerts by Severity: Pre-built Serving Layer query that lists open alerts filtered to one or more severity levels. Useful for triage queues and severity-specific dashboards.

List Alert Remediation Actions: Retrieves the list of available auto-remediation actions for a given alert type.

Set Custom Remediation Text: Creates or updates custom remediation steps for a specific alert type. Custom text overrides Orca's default remediation guidance.

Orca base URL

Timeout: Timeout for request in seconds. By default, timeout is 30 seconds.

Skip SSL verification: If set, request will not verify SSL certificates. Where applicable, it might be better to provide a self-signed certificate using the Custom certificates PEM parameter.

HTTP proxy: Your HTTP proxy URL. If you need to use a SOCKS proxy, set the HTTP proxy environment variable to `socks5://...`.

HTTPS proxy: Your HTTPS proxy URL. If you need to use a SOCKS proxy, set the HTTPS proxy environment variable to `socks5://...`.

Max retries: The maximum number of times a step will be retried. By default (-1), the step will keep retrying for up to 50 seconds.

Retry delay: Initial delay before retry attempts in seconds, exponential backoff calculation will be applied over this value.

Custom certificates PEM: The contents of a .pem file containing a self-signed certificate or certificate chain. Useful when connecting to local servers.

Send to Jira: If true, the comment will also be posted to the Jira ticket linked to this alert.

Orca base URL

Orca base URL

Limit: Maximum number of CVEs to return. Keep under 1000 to avoid Torq's 20 MB output size limit.

HTTPS proxy: Your HTTPS proxy URL. If you need to use a SOCKS proxy, set the HTTPS proxy environment variable to `socks5://...`.

HTTP proxy: Your HTTP proxy URL. If you need to use a SOCKS proxy, set the HTTP proxy environment variable to `socks5://...`.

Custom certificates PEM: The contents of a .pem file containing a self-signed certificate or certificate chain. Useful when connecting to local servers.

Retry delay: Initial delay before retry attempts in seconds, exponential backoff calculation will be applied over this value.

Max retries: The maximum number of times a step will be retried. By default (-1), the step will keep retrying for up to 50 seconds.

Skip SSL verification: If set, request will not verify SSL certificates. Where applicable, it might be better to provide a self-signed certificate using the Custom certificates PEM parameter.

Timeout: Timeout for request in seconds. By default, timeout is 30 seconds.

List Users: Returns all identities (users) discovered across your connected SaaS ecosystem.

Sort order: The direction to sort results.

HTTPS proxy: Your HTTPS proxy URL. If you need to use a SOCKS proxy, set the HTTPS proxy environment variable to `socks5://...`.

Custom certificates PEM: The contents of a .pem file containing a self-signed certificate or certificate chain. Useful when connecting to local servers.

Retry delay: Initial delay before retry attempts in seconds, exponential backoff calculation will be applied over this value.

Max retries: The maximum number of times a step will be retried. By default (-1), the step will keep retrying for up to 50 seconds.

Retry on status: If set, the step will automatically retry the request on the specified status codes. The maximum retry duration is 50 seconds.

Skip SSL verification: If set, request will not verify SSL certificates. Where applicable, it might be better to provide a self-signed certificate using the Custom certificates PEM parameter.

Timeout: Timeout for request in seconds. By default, timeout is 30 seconds.

Run Splunk API Query: Perform a generic Splunk API Query

Assign a group to case: Assigns a group to a case by setting the case's group ID.

Case MITRE ATT&CK: JSON array of tactic ID and technique ID pairs. Provide either a tactic or a technique, or both. If only a technique is provided, the most severe associated tactic is automatically assigned. If only a tactic is provided, no technique is assigned.

Group IDs: Group IDs to filter cases by, separated by commas. Use an empty string to match cases with no group assigned.

Case group ID: The ID of the group to associate the case with.

Object Utils: