Confluence
Version: 1.0.0 · Category: Ticketing · Plan: Base+
Connect investigation findings directly to Confluence — read runbooks and playbooks, write post-mortems, and search for historical intelligence.
Tools
get_page — Get page content
Retrieve the full content of a Confluence page by page ID:
- Page title and metadata
- Body content (storage format or converted to text)
- Version number and last modified time
create_page — Create page
Create a new Confluence page:
| Parameter | Required | Description |
|---|---|---|
| space_key | ✓ | Space key (e.g. SOC, SECREC) |
| title | ✓ | Page title |
| content | ✓ | Page body (Confluence storage format or plain text) |
| parent_id | — | Parent page ID (for creating sub-pages) |
update_page — Update page
Update the content of an existing Confluence page. The version parameter is required for conflict control.
search_content — Search pages
Use CQL (Confluence Query Language) to search pages and blog posts:
| Parameter | Default | Description |
|---|---|---|
| query | Required | CQL query statement |
| limit | 25 | Maximum results |
Common CQL examples:
```
space = SOC AND title ~ "incident"
text ~ "APT28" AND type = "page"
space = SOC AND label = "runbook" ORDER BY lastmodified DESC
```
get_space — Space information
Get information about a Confluence space, including name, type, description, and permissions.
get_child_pages — Child page list
List all child pages under a parent page. Useful for browsing runbook directories or investigation archives.
Configuration
| Item | Description |
|---|---|
| CONFLUENCE_URL | Confluence platform URL (e.g. https://yourcompany.atlassian.net/wiki) |
| CONFLUENCE_EMAIL | Account email (Confluence Cloud) |
| CONFLUENCE_API_TOKEN | API token (Cloud) or Personal Access Token (Server) |
Investigation workflow
```
1. search_content query:"space=SOC AND label=runbook AND title~'phishing'"
   → Find the phishing incident response runbook
2. get_page page_id:"<runbook page ID>"
   → Read the runbook content during response
3. search_content query:"text~'185.220.101.1'"
   → Check whether this IP has appeared in any historical investigation record
4. create_page space_key:"SOC" title:"Incident 2026-02-15: C2 Traffic Investigation"
   parent_id:"<post-mortem directory ID>"
   content:"..."
   → Create a post-mortem for this incident
5. update_page page_id:"<draft page ID>" version:1
   content:"<updated with final conclusion>"
   → Update the page after conclusion
```
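
Step 3 places an indicator value inside a CQL string. The Python helper below is an added example, not part of the integration or its documentation: it validates the indicator against an allowlist before building the `query` argument, so a value copied from an alert or email cannot change the meaning of the search. The function names and patterns are assumptions made for illustration.

```python
import ipaddress
import re
from typing import Optional

# Allowlists (assumptions for this example): characters and shapes an
# indicator may have. Quotes, spaces and backslashes never pass.
_SAFE_CHARS = re.compile(r"[0-9A-Za-z.:-]+")
_HASH = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")
_DOMAIN = re.compile(
    r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)
_SPACE_KEY = re.compile(r"[A-Za-z0-9_]+")


def classify_indicator(value: str) -> str:
    """Return 'ip', 'hash' or 'domain'; raise ValueError for anything else."""
    if not _SAFE_CHARS.fullmatch(value):
        raise ValueError(f"unsupported characters in indicator: {value!r}")
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _HASH.fullmatch(value):
        return "hash"
    if _DOMAIN.fullmatch(value):
        return "domain"
    raise ValueError(f"not an IP address, hash or domain: {value!r}")


def build_indicator_cql(indicator: str, space_key: Optional[str] = None) -> str:
    """Build the CQL string for search_content from a validated indicator."""
    indicator = indicator.strip()
    classify_indicator(indicator)  # raises before anything is interpolated
    clauses = [f'text ~ "{indicator}"', 'type = "page"']
    if space_key is not None:
        if not _SPACE_KEY.fullmatch(space_key):
            raise ValueError(f"invalid space key: {space_key!r}")
        clauses.insert(0, f"space = {space_key}")
    return " AND ".join(clauses)


if __name__ == "__main__":
    # Constructed inputs: the IP from step 3, then a value carrying extra CQL.
    print(build_indicator_cql("185.220.101.1", space_key="SOC"))
    try:
        build_indicator_cql('185.220.101.1" OR type = "blogpost')
    except ValueError as exc:
        print("rejected:", exc)
```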