All core actions are open source and available in Tracecat’s GitHub repository.

This tutorial covers the four most commonly used core actions: core.transform.reshape, core.http_request, core.http_poll, and core.script.run_python.

To learn about the other core actions, check out the following tutorials:

Core actions are the building blocks of Tracecat workflows and action templates. All core actions are under the core namespace. They are distinct from pre-built integrations in the tools namespace, which are pre-configured for specific 3rd-party tools.

There are five sub-namespaces under core:

  • core
  • core.transform
  • core.workflow
  • core.require
  • core.script

core actions are the most commonly used actions in Tracecat. They include:

NameDisplay NameDescription
core.transform.reshapeReshapeReshape and manipulate data.
core.transform.scatterScatterSplit a list of data into individual items.
core.transform.gatherGatherMerge scattered data back into a single list.
core.http_requestHTTP RequestMake a HTTP request.
core.http_pollHTTP PollingPoll a REST API until a condition is met.
core.script.run_pythonRun Python scriptExecute custom Python code in a secure sandbox.

Reshape

Reshape is a simple action that takes a single input value (e.g. a string, number, or object), evaluates any expressions and functions, and returns the result.

The following examples show common use-cases and inputs for the Reshape action.

# Get one value from a previous action
value: ${{ ACTIONS.get_user.result.data.user.name }}

# Get multiple values from a previous action
value:
  name: ${{ ACTIONS.get_user.result.data.user.name }}
  email: ${{ ACTIONS.get_user.result.data.user.email }}

# Get data from the trigger
value: ${{ TRIGGER.data.user }}

Use the Reshape action to:

  • Hardcode values
  • Rename data fields
  • Store data from previous actions or the trigger into a value or object
  • Transform data using inline functions

This action is one of the most commonly used and powerful action in Tracecat. Check out the functions cheatsheet for a list of all the available functions.

HTTP Request

Perform an HTTP request to a given URL.

Parameters

  • url (HttpUrl, required): The destination of the HTTP request.
  • method (Literal[“GET”, “POST”, “PUT”, “PATCH”, “DELETE”], required): HTTP request method.
  • headers (dict[str, str], optional): HTTP request headers.
  • params (dict[str, Any], optional): URL query parameters.
  • payload (dict[str, Any] | list[Any], optional): JSON serializable data in request body (POST, PUT, and PATCH).
  • form_data (dict[str, Any], optional): Form encoded data in request body (POST, PUT, and PATCH).
  • files (dict[str, str | FileUploadData], optional): Files to upload using multipart/form-data.
    • The dictionary key is the form field name for the file (e.g., "file", "attachment1").
    • The value can be:
      1. A simple base64 encoded string representing the file content. In this case, the form_field_name will also be used as the filename in the Content-Disposition header.
      2. A dictionary (FileUploadData) with the following keys:
    • filename (str): The actual filename to be sent in the Content-Disposition header (e.g., "mydocument.pdf"). If not provided or empty, the form_field_name will be used.
  • content_base64 (str, required): The base64 encoded string of the file content.
  • content_type (str, optional): The MIME type of the file (e.g., "application/pdf", "image/png"). If not provided, httpx will attempt to guess it.
  • auth (dict[str, str], optional): Basic auth credentials with username and password keys.
  • timeout (float, optional, default: 10.0): Timeout in seconds.
  • follow_redirects (bool, optional, default: False): Follow HTTP redirects.
  • max_redirects (int, optional, default: 20): Maximum number of redirects.
  • verify_ssl (bool, optional, default: True): Verify SSL certificates.

File Upload Examples (files parameter):

  1. Simple Base64 Upload (filename defaults to form field name):

    actions:
  - name: Upload Text File
    provider: core
    action: http_request
    params:
      url: https://httpbin.org/post
      method: POST
      files: {"my_text_file.txt": "{{ FN.to_base64(\"Hello, this is the file content!\") }}"}

  2. Upload with Custom Filename and Content Type (using FileUploadData dict):

    actions:
  - name: Upload PDF Document
    provider: core
    action: http_request
    params:
      url: https://httpbin.org/post
      method: POST
      files: {
        "document_field":
          filename: "Annual Report.pdf"
          content_base64: "{{ FN.to_base64(ACTIONS.file_content.result.data) }}"
          content_type: "application/pdf"
      }

  3. Multiple File Uploads (mixed simple and detailed):

    actions:
  - name: Upload Multiple Attachments
    provider: core
    action: http_request
    params:
      url: https://httpbin.org/post
      method: POST
      form_data: # Can be combined with files
        user_id: "user123"
      files: {
        "main_image.png": "{{ FN.to_base64(ACTIONS.file_content.result.data) }}"
        "additional_notes": # Detailed
          filename: "notes.txt"
          content_base64: "{{ FN.to_base64(\"Some notes here.\") }}"
          content_type: "text/plain"
      }

Returns

HTTPResponse (dict):

  • status_code (int)
  • headers (dict)
  • data (str | dict | list | None)

HTTP Polling

Perform an HTTP request to a given URL with polling.

Parameters

  • Accepts all parameters from core.http_request except for the files parameter. core.http_poll does not support file uploads.
  • poll_retry_codes (int | list[int], optional): Status codes on which the action will retry. If not specified, poll_condition must be provided.
  • poll_interval (float, optional): Interval in seconds between polling attempts. If not specified, defaults to polling with exponential wait.
  • poll_max_attempts (int, optional, default: 10): Maximum number of polling attempts. If set to 0, the action will poll indefinitely (until timeout).
  • poll_condition (str, optional): User defined condition that determines whether to retry. The condition is a Python lambda function string. If not specified, poll_retry_codes must be provided.

Returns

HTTPResponse (dict) - same as core.http_request.

Tutorial: URLScan

URLScan uses a two-step process to get a threat intelligence report on a URL:

  1. Call the /scan endpoint to submit the URL for scanning.
  2. Poll the /result endpoint repeatedly until the status code changes from 404 to 200.
  3. Uses a reshape to extract the maliciousness score and categories from the response body.
1

Create URLScan secret

Add URLScan API key to Tracecat’s built-in secrets manager.

Select the settings icon in the top right corner of the page and click on Credentials.

2

Call /scan endpoint

Add the core.http_request action to your workflow. Rename it to Submit URL and configure it with the following inputs:

url: https://urlscan.io/api/v1/scan/
method: POST
headers:
  API-key: ${{ SECRETS.urlscan.URLSCAN_API_KEY }}
payload:
  url: https://crowdstrikebluescreen.com
  visibility: private

3

Poll /result endpoint

Add the core.http_poll action to your workflow. Rename it to Get result and configure it with the following inputs:

url: https://urlscan.io/api/v1/result/${{ ACTIONS.scan_url.result.data.uuid }}
method: GET
poll_retry_codes: [404]
headers:
  API-key: ${{ SECRETS.urlscan.URLSCAN_API_KEY }}

4

Get final verdict

Configure the reshape action to extract the maliciousness scores and categories from the response body.

value:
  verdict: ${{ ACTIONS.lookup_url.result.data.verdicts.urlscan.malicious }}
  score: ${{ ACTIONS.lookup_url.result.data.verdicts.urlscan.score }}

5

Run workflow

Run the workflow to submit the URL for scanning and get the threat intelligence report. Under the hood, Get result calls the /result endpoint repeatedly until the status code is 200.