Event Logs
Outputs from action runs
Event logs represent a chain of outputs from action runs.
Action outputs vs event logs
Let’s assume you have a simple workflow with actions Hello A -> Hello B -> Hello C.
Let’s now assume that action C is an HTTP request action that outputs:
{
  "payload": {
    "text": "I'm the letter C."
  }
}
Tracecat refers to this as the “action output” of action C.
The “event log” looks different. It includes the action output from every connected action that has run, so once Hello A, Hello B, and Hello C have all run, the event log contains all three outputs, keyed by action:
{
  "hello_a": {
    "payload": {
      "text": "I'm the letter A."
    }
  },
  "hello_b": {
    "payload": {
      "text": "I'm the letter B."
    }
  },
  "hello_c": {
    "payload": {
      "text": "I'm the letter C."
    }
  }
}
Event logs = contextualization
Why are event logs useful? In any security incident, contextualization is key.
Select data in events
Tracecat uses JSONPath to access data from action outputs. The first segment after $ is the key of the action in the event log, followed by the path inside that action's output. For example, given the following event log from a configured HTTP request action:
{
  // Previous action outputs above...
  "receive_suspicious_login": {
    "payload": {
      "malware_sha256": "78dc6e1d4fbb80814f5c6d7a7da57aaac32a50a97b9963461ff0a19834246d94"
    }
  }
}
to access the malware_sha256 field from the output of the Receive malware sample action, whose key in the event log above is receive_suspicious_login, use the following JSONPath:
$.receive_suspicious_login.payload.malware_sha256
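As an added example (not Tracecat's own code), the following shows how a chain of action outputs becomes an event log and how a JSONPath selects a field from it. The sample outputs are constructed from the ones above, and the resolver supports only the dotted and bracketed JSONPath subset shown on this page; an unknown key (such as a path that names the wrong action) yields None rather than an exception.

```python
import re

# Constructed sample data: outputs of the Hello A -> Hello B -> Hello C workflow
# plus the "receive_suspicious_login" HTTP request action from the page.
ACTION_RUNS = [
    ("hello_a", {"payload": {"text": "I'm the letter A."}}),
    ("hello_b", {"payload": {"text": "I'm the letter B."}}),
    ("hello_c", {"payload": {"text": "I'm the letter C."}}),
    ("receive_suspicious_login", {"payload": {
        "malware_sha256": "78dc6e1d4fbb80814f5c6d7a7da57aaac32a50a97b9963461ff0a19834246d94"}}),
]

# One JSONPath segment: .key, ['key'], ["key"] or [0].
_SEGMENT = re.compile(r"""\.([A-Za-z_][\w-]*)|\[(?:'([^']*)'|"([^"]*)"|(\d+))\]""")


def build_event_log(action_runs):
    """Chain action outputs into one event log keyed by each action's key."""
    event_log = {}
    for key, output in action_runs:  # each run appends its output under its key
        event_log[key] = output
    return event_log


def select(event_log, path):
    """Resolve a JSONPath subset ($.a.b, $['a'][0]) against the event log.

    Returns None when any segment is missing; raises ValueError on bad syntax.
    """
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    pos, node = 1, event_log
    while pos < len(path):
        match = _SEGMENT.match(path, pos)
        if match is None:
            raise ValueError(f"unparsable JSONPath at offset {pos}: {path!r}")
        name, single_q, double_q, index = match.groups()
        if index is not None:  # list index segment
            idx = int(index)
            node = node[idx] if isinstance(node, list) and idx < len(node) else None
        else:  # object key segment
            key = next(g for g in (name, single_q, double_q) if g is not None)
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
        pos = match.end()
    return node


if __name__ == "__main__":
    log = build_event_log(ACTION_RUNS)
    print(select(log, "$.receive_suspicious_login.payload.malware_sha256"))
```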
Need JSONPath help? We got you. Just share your code in the #help channel in Tracecat Discord!