Need help? The #help channel in Tracecat Discord is the place to be!

Actions are individual tasks performed at each step of a workflow. You can find all available Actions in the workspace sidebar.

There are only ten Action types, but they can be configured to perform almost any task. For example, an HTTP Request action can be configured to send a GET request to an API endpoint. See Quickstart for a worked example.

We refer to an action that has received an input and produced a corresponding output as an “action run”.

Build an Action

Step 1: Add action

Drag and drop an action block onto the workflow canvas. If an action on the canvas is already selected, clicking an action in the side panel places the new block and connects it to the selected one.

Drag and drop action

Step 2: Configure action

Select your action on the canvas to open its configuration panel. Update the action name, description, and inputs here, then press Save.

Configure action

Connecting Actions

When you link action blocks together, the outputs of previous actions are passed on to the next actions.

Outputs from previous actions don’t auto-fill inputs for the next action. You need to do this manually. Find out how in the next section.

Using Action Outputs as Inputs

Every action has an output. Outputs are JSON objects stored as Event Logs. You can use the output of one action as the input of another action.

The data within event logs is accessed using JSONPaths.

Check out using JSONPaths with event logs to learn more. Don’t worry if this is new to you! JSONPath is designed to be a simple extension of JSON.

Worked Example

Let’s use the three-step workflow from Connecting Actions as an example.

Step 1: Pass malware sample to webhook

Let’s assume the Webhook action (titled “Receive malware sample”) has the following URL: https://runner.tracecat-engine.com/webhook/<path>/<secret>. This URL will differ for every user and action block.

You can pass data into the webhook using cURL. In the following example, we send the webhook a SHA-256 malware sample:

curl -X POST -H "Content-Type: application/json" \
  -d '{"malware_sha256": "78dc6e1d4fbb80814f5c6d7a7da57aaac32a50a97b9963461ff0a19834246d94"}' \
  https://runner.tracecat-engine.com/webhook/<path>/<secret>

Tracecat receives the data and stores it as an event log, which looks like this:

{
  "receive_malware_sample": {
    "payload": {
      "malware_sha256": "78dc6e1d4fbb80814f5c6d7a7da57aaac32a50a97b9963461ff0a19834246d94"
    }
  }
}

Every event log is a nested JSON object that contains the output of every connected action.

The output of each action is stored under a unique key. Keys are automatically generated from the action title and are always lower snake case.

For example, an action with the title Receive URL will have the key receive_url.

Step 2: Get malware report

Let’s send the malware sample to MalwareBazaar for a report. Select the HTTP Request action (titled “Get malware report”).

  1. Fill in the action’s url input field with the following: https://mb-api.abuse.ch/api/v1/query=get_info&hash={{ $.receive_malware_sample.payload.malware_sha256 }}
  2. Set the method input field to POST.
  3. Save the action.

Your configuration form should look like this:

{{ $.receive_malware_sample.payload.malware_sha256 }} is the JSONPath query to get the malware sample from the previous action’s output.

Need JSONPath help? We got you. Just share your code in the #help channel in Tracecat Discord!
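The two mechanisms this walkthrough relies on, deriving the event-log key from an action title and substituting {{ $.path }} expressions in an input field, are illustrated below. This is an added, simplified stand-in written for this page, not Tracecat's own implementation; the event log and the get_malware_report payload inside it are constructed sample data.

```python
import json
import re

# Constructed event log in the shape the page shows after steps 1 and 2.
# The get_malware_report payload is a made-up stub, not a real MalwareBazaar response.
EVENT_LOG = {
    "receive_malware_sample": {
        "payload": {
            "malware_sha256": "78dc6e1d4fbb80814f5c6d7a7da57aaac32a50a97b9963461ff0a19834246d94"
        }
    },
    "get_malware_report": {
        "payload": {"query_status": "ok", "data": [{"file_type": "exe"}]}
    },
}

# Matches {{ $.a.b.c }} with optional whitespace inside the braces.
TEMPLATE_RE = re.compile(r"\{\{\s*\$\.([A-Za-z0-9_.]+)\s*\}\}")


def action_key(title: str) -> str:
    """Derive the lower snake_case event-log key from an action title.

    Assumed rule that reproduces the page's example: "Receive URL" -> "receive_url".
    """
    words = re.findall(r"[A-Za-z0-9]+", title)
    return "_".join(word.lower() for word in words)


def resolve_path(event_log: dict, dotted: str):
    """Walk a simple dotted JSONPath ($.a.b.c) through the nested event log.

    A missing key fails loudly instead of silently rendering an empty string,
    so a misspelled action title shows up before the HTTP request is sent.
    """
    node = event_log
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"JSONPath $.{dotted} not found in event log at '{part}'")
        node = node[part]
    return node


def render_template(text: str, event_log: dict) -> str:
    """Replace every {{ $.path }} expression in an input field with its value.

    Strings are inserted as-is; objects (e.g. a whole payload) are JSON-encoded.
    """
    def substitute(match: re.Match) -> str:
        value = resolve_path(event_log, match.group(1))
        return value if isinstance(value, str) else json.dumps(value)
    return TEMPLATE_RE.sub(substitute, text)
```

Rendering the url field from step 2 or the subject field from step 3 with render_template(field, EVENT_LOG) yields the string Tracecat would send on that action run.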

Step 3: Send malware report to yourself

Select the Send Email action (titled “Send malware report”).

  1. Fill in the action’s receivers input field with your email address.
  2. Set the subject input field to Malware report for {{ $.receive_malware_sample.payload.malware_sha256 }}.
  3. Set the content input field to {{ $.get_malware_report.payload }}.
  4. Save the action.

Your configuration form should look like this:

Check out the MalwareBazaar API to see what the full response looks like.

Step 4: 🎉 Congratulations

You just learned how to configure three different action types!

Looking for a more advanced CTF-styled tutorial? Check out our full phishing email investigation walkthrough.

Action Types

How about pre-built Actions?

Work-in-progress: we plan to release pre-built actions end of April 2024.

Actions can be configured to do almost any task, but it’s best to use pre-built ones where available. Pre-built actions come with pre-configured inputs that perform common tasks for widely used products.

Here are a few examples:

  • URLScan: perform a security scan on a given URL
  • VirusTotal: get a detailed report for a malware sample
  • Microsoft Defender: trigger a scan on a specific file
  • EmailRep: retrieve reputation information for a given email address
  • GeoIP Lookup: get the geographical location information for a given IP address
  • Slack: send a message to a specific channel on Slack

Can’t find a pre-built action for a specific product?

Just let us know in the #feedback channel in Tracecat Discord:

  1. What task you want to achieve
  2. What product you want to integrate

We respond to every suggestion!