App Manifest Reference
Every Foundry app has a manifest.yml file that declares its metadata, capabilities, and configuration. The manifest is the single source of truth for the app’s structure.
Basic info

```yaml
name: my-app
description: A brief description of the app
version: 1.0.0
```

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | App name (alphanumeric, hyphens, underscores) |
| description | string | Yes | Brief description |
| version | string | Yes | Semantic version (Major.Minor.Patch) |

API Integrations

```yaml
api_integrations:
  - name: external-api
    base_url: https://api.example.com
    auth:
      type: api_key
      header: X-API-Key
    operations:
      - name: list-items
        method: GET
        path: /items
        parameters:
          - name: limit
            in: query
            type: integer
        response_schema:
          type: object
          properties:
            items:
              type: array
```

Auth (Scopes)

```yaml
auth:
  scopes:
    - hosts:read
    - custom-storage:write
```

Collections

```yaml
collections:
  - name: threat-cache
    description: Cached threat intelligence data
    schema:
      type: object
      properties:
        indicator:
          type: string
          x-cs-indexable: true
        score:
          type: integer
        timestamp:
          type: string
```

Functions

```yaml
functions:
  - id: ""
    name: hello
    description: Returns a greeting based on name input
    path: functions/hello
    config: null
    environment_variables: {}
    handlers:
      - name: hello
        description: Returns a greeting based on name input
        method: POST
        api_path: /hello
        request_schema: request_schema.json
        response_schema: response_schema.json
        workflow_integration:
          id: ""
          disruptive: false
          system_action: false
          tags:
            - Hello
            - Functions
        permissions: []
    language: python
```

| Field | Type | Description |
|---|---|---|
| name | string | Function name |
| language | string | python, go |
| path | string | Path to the function directory |
| description | string | Human-readable description |
| handlers | array | Handler definitions (name, method, api_path, schemas) |
| workflow_integration | object | Workflow sharing config (disruptive, system_action, tags) |

Queries

```yaml
queries:
  - name: recent-detections
    description: High-severity detections in the last 24h
    query: "#event_simpleName=DetectionSummaryEvent | severity>=4"
    repository: main
```

RTR Scripts

```yaml
rtr_scripts:
  - name: collect-artifacts
    platform: windows
    permission_type: RTR_ACTIVE_RESPONDER
    description: "Collect forensic artifacts"
    content_file: rtr/collect-artifacts/script.ps1
```

Workflow Templates

```yaml
workflow_templates:
  - name: auto-enrich
    description: "Automatically enrich new detections"
    trigger:
      type: event
      event: detection_created
```

UX (UI Extensions and Pages)

```yaml
ux:
  extensions:
    - name: detection-panel
      socket: dashboard.detection
      description: "Enrichment panel for detection details"
      entry_point: ui/extensions/detection-panel/index.html

  pages:
    - name: threat-dashboard
      title: "Threat Dashboard"
      description: "Custom threat hunting dashboard"
      entry_point: ui/pages/threat-dashboard/index.html
      navigation:
        label: "Threat Dashboard"
```
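
Because the manifest declares everything an app is allowed to do, it is a natural place for a pre-merge review check. The sketch below is an added example, not Foundry tooling: it validates the basic-info fields against the formats in the table above and lists the privilege-relevant settings (write scopes, non-HTTPS `base_url`, RTR scripts, disruptive or system-action handlers) for a reviewer. It assumes the manifest has already been parsed into a dict by a YAML parser and that `workflow_integration` sits on each handler; `review_manifest` and `SAMPLE` are hypothetical names.

```python
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")    # alphanumeric, hyphens, underscores
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")  # Major.Minor.Patch

def review_manifest(m):
    """Return (errors, review_items) for a manifest already parsed into a dict."""
    errors, review = [], []
    for field in ("name", "description", "version"):  # required basic info
        if not isinstance(m.get(field), str) or not m[field].strip():
            errors.append(f"{field}: required string is missing or empty")
    for field, rx in (("name", NAME_RE), ("version", VERSION_RE)):
        if isinstance(m.get(field), str) and not rx.match(m[field]):
            errors.append(f"{field}: does not match the documented format")
    # Scopes that grant write access should be justified in review
    for scope in (m.get("auth") or {}).get("scopes") or []:
        if str(scope).endswith(":write"):
            review.append(f"scope grants write access: {scope}")
    # Integrations carry credentials (e.g. an API key header); require HTTPS
    for api in m.get("api_integrations") or []:
        if not str(api.get("base_url", "")).lower().startswith("https://"):
            review.append(f"api_integration {api.get('name')}: base_url is not HTTPS")
    # RTR scripts run on endpoints; list each one with its permission type
    for s in m.get("rtr_scripts") or []:
        review.append(f"rtr_script {s.get('name')} ({s.get('platform')}): "
                      f"{s.get('permission_type')}")
    # Assumption: workflow_integration is nested under each handler
    for fn in m.get("functions") or []:
        for h in fn.get("handlers") or []:
            wf = h.get("workflow_integration") or {}
            for flag in ("disruptive", "system_action"):
                if wf.get(flag) is True:
                    review.append(f"function {fn.get('name')} handler "
                                  f"{h.get('name')}: {flag} is true")
    return errors, review

# Constructed sample: what a YAML parser would return for a small manifest
SAMPLE = {
    "name": "my app", "description": "A brief description of the app", "version": "1.0",
    "auth": {"scopes": ["hosts:read", "custom-storage:write"]},
    "api_integrations": [{"name": "external-api", "base_url": "http://api.example.com"}],
    "rtr_scripts": [{"name": "collect-artifacts", "platform": "windows",
                     "permission_type": "RTR_ACTIVE_RESPONDER"}],
    "functions": [{"name": "hello", "handlers": [{"name": "hello",
                   "workflow_integration": {"disruptive": True, "system_action": False}}]}],
}

if __name__ == "__main__":
    print(review_manifest(SAMPLE))
```

Run in CI against the parsed `manifest.yml`, failing the build on any entry in `errors` and posting `review_items` to the change request for sign-off.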