Check out the Actions Registry tutorial for a hands-on guide.

Actions are steps in your workflows. Connect them together to create automations. Outputs from upstream actions can be referenced as inputs for downstream actions.

Success / Error Paths

Action Results

Actions results are referenced using JSONPath syntax.

To retrieve the output from an action, use the following expression syntax:

ACTIONS.<action_reference>.result.<jsonpath-to-field>

The action reference is a sluggified version of the action’s name. You can quickly copy the reference for an action by clicking the

icon next to the action’s name in the node:

Action Types

There are two types of actions:

  • User-Defined Function (UDF): A Python function turned into a referencable action.
  • Action Template: A YAML template of referencable actions (UDFs and other action templates). These can also be cloned and edited to create new actions.

Action Templates

Action templates are YAML configuration-as-code templates similar to GitHub Actions workflows. We recommend using Action Templates over Python UDFs whenever possible.

  • Templates are easier to maintain and update across workflows
  • Templates, unlike UDFs, can be cloned and editted directly in the UI.

For example, the action template for the Search URL with VirusTotal integration is as follows:

type: action
definition:
  title: Search URL with VirusTotal
  description: Get threat intel report for a URL from VirusTotal.
  display_group: VirusTotal
  namespace: integrations.virustotal
  name: search_url
  secrets:
    - name: virustotal
      keys: ["VIRUSTOTAL_API_KEY"]
  expects:
    url:
      type: str
      description: The URL to search
  steps:
    - ref: search_url
      action: core.http_request
      args:
        url: https://www.virustotal.com/api/v3/urls/${{ FN.to_base64(inputs.url) }}
        method: GET
        headers:
          x-apikey: ${{ SECRETS.virustotal.VIRUSTOTAL_API_KEY }}
  returns: ${{ steps.search_url.result }}

We open sourced action templates for every pre-built integration. Check them out in Tracecat’s public repository here.

User-Defined Functions

User-defined functions (UDFs) are Python functions that are automatically converted into no-code actions. Find out how to create your own UDFs in the Custom Integrations tutorial.

Integrations

Tracecat comes with pre-built integrations for many popular security tools. A list of supported tools can be found in the integrations cheatsheet.

Integrations are not automatically updated when you update the Tracecat version. You will need to manually sync the Tracecat registry repository from the Action Registry page.