All core actions are open source and available in Tracecat’s GitHub repository.

This tutorial covers the three most commonly used core actions: core.transform.reshape, core.http_request, and core.http_poll.

To learn about the other core actions, check out the following tutorials:

Core actions are the building blocks of Tracecat workflows and action templates. All core actions are under the core namespace. They are distinct from pre-built integrations in the tools namespace, which are pre-configured for specific 3rd-party tools.

There are four sub-namespaces under core:

  • core
  • core.transform
  • core.workflow
  • core.require

core actions are the most commonly used actions in Tracecat. They include:

NameDisplay NameDescription
core.transform.reshapeReshapeReshape and manipulate data.
core.http_requestHTTP RequestMake a HTTP request.
core.http_pollHTTP PollingPoll a REST API until a condition is met.

Reshape

Reshape is a simple action that takes a single input value (e.g. a string, number, or object), evaluates any expressions and functions, and returns the result.

The following examples show common use-cases and inputs for the Reshape action.

# Get one value from a previous action
value: ${{ ACTIONS.get_user.result.data.user.name }}

# Get multiple values from a previous action
value:
  name: ${{ ACTIONS.get_user.result.data.user.name }}
  email: ${{ ACTIONS.get_user.result.data.user.email }}

# Get data from the trigger
value: ${{ TRIGGER.data.user }}

Use the Reshape action to:

  • Hardcode values
  • Rename data fields
  • Store data from previous actions or the trigger into a value or object
  • Transform data using inline functions

This action is one of the most commonly used and powerful action in Tracecat. Check out the functions cheatsheet for a list of all the available functions.

HTTP Request

The core.http_request action supports GET, POST, PUT, PATCH, and DELETE requests.

  • To make a GET request with query parameters, specify the params field.
  • To make a POST, PUT, or PATCH request with:
    • JSON encoded body, specify the payload field.
    • Form-encoded data, specify the form_data field.
  • To make a request with a custom HTTP headers, specify the headers field.

Examples

url: https://api.open-meteo.com/v1/forecast
method: GET
params:
  latitude: 37.773972
  longitude: -122.431297
  current: temperature_2m,precipitation_probability

HTTP Polling

Tracecat makes it easy to poll APIs with long-running operations using the core.http_poll action. To configure the core.http_poll action, you’ll need to specify one of the following inputs:

  • poll_retry_codes: List of status codes on which the action will retry.
  • poll_condition: A Python lambda function string that determines whether to retry.

If the operation doesn’t poll on a status code, poll_condition is required. It is a Python lambda function string that determines whether to retry based on:

  • headers: The HTTP headers of the response.
  • data: The JSON decoded response body.

For example, to poll on a response body containing "status" until it equals "complete", you can specify the following:

poll_condition: "lambda x: x['data']['status'] == 'complete'"

You can further configure the polling behavior via the optional inputs:

  • poll_interval: Seconds between polling attempts. Defaults to exponential wait.
  • poll_max_attempts: Maximum number of polling attempts. Defaults to 10.

Tutorial: URLScan

URLScan uses a two-step process to get a threat intelligence report on a URL:

  1. Call the /scan endpoint to submit the URL for scanning.
  2. Poll the /result endpoint repeatedly until the status code changes from 404 to 200.
  3. Uses a reshape to extract the maliciousness score and categories from the response body.
1

Create URLScan secret

Add URLScan API key to Tracecat’s built-in secrets manager.

Select the settings icon in the top right corner of the page and click on Credentials.

2

Call /scan endpoint

Add the core.http_request action to your workflow. Rename it to Submit URL and configure it with the following inputs:

url: https://urlscan.io/api/v1/scan/
method: POST
headers:
  API-key: ${{ SECRETS.urlscan.URLSCAN_API_KEY }}
payload:
  url: https://crowdstrikebluescreen.com
  visibility: private

3

Poll /result endpoint

Add the core.http_poll action to your workflow. Rename it to Get result and configure it with the following inputs:

url: https://urlscan.io/api/v1/result/${{ ACTIONS.scan_url.result.data.uuid }}
method: GET
poll_retry_codes: [404]
headers:
  API-key: ${{ SECRETS.urlscan.URLSCAN_API_KEY }}

4

Get final verdict

Configure the reshape action to extract the maliciousness scores and categories from the response body.

value:
  verdict: ${{ ACTIONS.lookup_url.result.data.verdicts.urlscan.malicious }}
  score: ${{ ACTIONS.lookup_url.result.data.verdicts.urlscan.score }}

5

Run workflow

Run the workflow to submit the URL for scanning and get the threat intelligence report. Under the hood, Get result calls the /result endpoint repeatedly until the status code is 200.