Event logs represent a chain of outputs from action runs.

Action outputs vs event logs

Let’s assume you have simple workflow with actions Hello A -> Hello B -> Hello C. Let’s now assume that action C is a HTTP request action that outputs:

{
  "payload": {
    "text": "I'm the letter C."
  }
}

Tracecat refers to this as the “action output” of action C.

The “event log” for action A looks different. It includes the action output from every connected action that ran before it.

{
  "hello_a": {
    "payload": {
      "text": "I'm the letter A."
    }
  },
  "hello_b": {
    "payload": {
      "text": "I'm the letter B."
    }
  },
  "hello_c": {
    "payload": {
      "text": "I'm the letter C."
    }
  }
}

Event logs = contextualization

Why are event logs useful? In any security incident, contextualization is key.

Select data in events

Tracecat uses JSONPath to access data from action outputs. For example, given the following event log from a configured HTTP request action:

{
  // Previous action outputs above...
  "receive_suspicious_login": {
    "payload": {
        "malware_sha256": "78dc6e1d4fbb80814f5c6d7a7da57aaac32a50a97b9963461ff0a19834246d94"
    }
  }
}

to access the malware_sha256 field from the following output from the Receive malware sample action, you can use the following JSONPath:

$.receive.payload.malware_sha256

Need JSONPath help? We got you. Just share your code in the #help channel in Tracecat Discord!

ActionsCase Management