Core actions
Building blocks of Tracecat workflows and action templates.
All core actions are open source and available in Tracecat’s GitHub repository.
This tutorial covers the four most commonly used core actions: core.transform.reshape, core.http_request, core.http_poll, and core.script.run_python.
To learn about the other core actions, check out the following tutorials:
Core actions are the building blocks of Tracecat workflows and action templates.
All core actions are under the core namespace.
They are distinct from pre-built integrations in the tools namespace, which are pre-configured for specific 3rd-party tools.
There are five sub-namespaces under core:
- core
- core.transform
- core.workflow
- core.require
- core.script
core actions are the most commonly used actions in Tracecat. They include:
Name | Display Name | Description |
---|---|---|
core.transform.reshape | Reshape | Reshape and manipulate data. |
core.transform.scatter | Scatter | Split a list of data into individual items. |
core.transform.gather | Gather | Merge scattered data back into a single list. |
core.http_request | HTTP Request | Make a HTTP request. |
core.http_poll | HTTP Polling | Poll a REST API until a condition is met. |
core.script.run_python | Run Python script | Execute custom Python code in a secure sandbox. |
Reshape
Reshape is a simple action that takes a single input value (e.g. a string, number, or object), evaluates any expressions and functions, and returns the result.
The following examples show common use-cases and inputs for the Reshape action.
Use the Reshape action to:
- Hardcode values
- Rename data fields
- Store data from previous actions or the trigger into a value or object
- Transform data using inline functions
This action is one of the most commonly used and powerful actions in Tracecat. Check out the functions cheatsheet for a list of all the available functions.
HTTP Request
Perform an HTTP request to a given URL.
Parameters
- url (HttpUrl, required): The destination of the HTTP request.
- method (Literal["GET", "POST", "PUT", "PATCH", "DELETE"], required): HTTP request method.
- headers (dict[str, str], optional): HTTP request headers.
- params (dict[str, Any], optional): URL query parameters.
- payload (dict[str, Any] | list[Any], optional): JSON serializable data in request body (POST, PUT, and PATCH).
- form_data (dict[str, Any], optional): Form encoded data in request body (POST, PUT, and PATCH).
- files (dict[str, str | FileUploadData], optional): Files to upload using multipart/form-data.
  - The dictionary key is the form field name for the file (e.g., "file", "attachment1").
  - The value can be:
    - A simple base64 encoded string representing the file content. In this case, the form_field_name will also be used as the filename in the Content-Disposition header.
    - A dictionary (FileUploadData) with the following keys:
      - filename (str): The actual filename to be sent in the Content-Disposition header (e.g., "mydocument.pdf"). If not provided or empty, the form_field_name will be used.
      - content_base64 (str, required): The base64 encoded string of the file content.
      - content_type (str, optional): The MIME type of the file (e.g., "application/pdf", "image/png"). If not provided, httpx will attempt to guess it.
- auth (dict[str, str], optional): Basic auth credentials with username and password keys.
- timeout (float, optional, default: 10.0): Timeout in seconds.
- follow_redirects (bool, optional, default: False): Follow HTTP redirects.
- max_redirects (int, optional, default: 20): Maximum number of redirects.
- verify_ssl (bool, optional, default: True): Verify SSL certificates.
File Upload Examples (files parameter):
- Simple Base64 Upload (filename defaults to form field name):
- Upload with Custom Filename and Content Type (using FileUploadData dict):
- Multiple File Uploads (mixed simple and detailed):
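The following is an added example, not taken from the Tracecat docs or code base. It builds one files value containing the simple and FileUploadData shapes described above and resolves each entry by the documented rules (filename falls back to the form field name). The helper names resolve_upload and resolve_all and all file contents are hypothetical and constructed.

```python
import base64
import binascii


def b64(data: bytes) -> str:
    """Base64-encode bytes the way the files parameter expects (as str)."""
    return base64.b64encode(data).decode("ascii")


def resolve_upload(form_field_name, value):
    """Return (filename, content_bytes, content_type) for one files entry."""
    if isinstance(value, str):
        spec = {"content_base64": value}  # simple form: bare base64 string
    elif isinstance(value, dict):
        spec = value  # detailed form: FileUploadData dict
    else:
        raise TypeError(f"{form_field_name}: expected str or dict")
    if not spec.get("content_base64"):
        raise ValueError(f"{form_field_name}: content_base64 is required")
    try:
        # validate=True rejects characters outside the base64 alphabet
        content = base64.b64decode(spec["content_base64"], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{form_field_name}: invalid base64") from exc
    # Missing or empty filename falls back to the form field name.
    filename = spec.get("filename") or form_field_name
    return filename, content, spec.get("content_type")


# Constructed sample covering the three cases listed above.
FILES = {
    "file": b64(b"indicator,type\nexample.test,domain\n"),
    "attachment1": {
        "filename": "mydocument.pdf",
        "content_base64": b64(b"%PDF-1.7 constructed"),
        "content_type": "application/pdf",
    },
    "attachment2": {"filename": "", "content_base64": b64(b"notes")},
}


def resolve_all(files):
    """Resolve every entry, keyed by form field name."""
    return {field: resolve_upload(field, v) for field, v in files.items()}


if __name__ == "__main__":
    for field, (name, content, ctype) in resolve_all(FILES).items():
        print(field, name, len(content), ctype)
```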
Returns
HTTPResponse (dict):
- status_code (int)
- headers (dict)
- data (str | dict | list | None)
HTTP Polling
Perform an HTTP request to a given URL with polling.
Parameters
- Accepts all parameters from core.http_request except for the files parameter. core.http_poll does not support file uploads.
- poll_retry_codes (int | list[int], optional): Status codes on which the action will retry. If not specified, poll_condition must be provided.
- poll_interval (float, optional): Interval in seconds between polling attempts. If not specified, defaults to polling with exponential wait.
- poll_max_attempts (int, optional, default: 10): Maximum number of polling attempts. If set to 0, the action will poll indefinitely (until timeout).
- poll_condition (str, optional): User defined condition that determines whether to retry. The condition is a Python lambda function string. If not specified, poll_retry_codes must be provided.
Returns
HTTPResponse (dict) - same as core.http_request.
Tutorial: URLScan
URLScan uses a two-step process to get a threat intelligence report on a URL:
- Call the /scan endpoint to submit the URL for scanning.
- Poll the /result endpoint repeatedly until the status code changes from 404 to 200.
- Use a reshape action to extract the maliciousness score and categories from the response body.
Create URLScan secret
Add the URLScan API key to Tracecat’s built-in secrets manager.
Select the settings icon in the top right corner of the page and click on Credentials.
Click on the Create secret button, name the secret urlscan, and add the URLScan API key as a key-value pair with key name URLSCAN_API_KEY.
Call /scan endpoint
Add the core.http_request action to your workflow.
Rename it to Submit URL and configure it with the following inputs:
Poll /result endpoint
Add the core.http_poll action to your workflow.
Rename it to Get result and configure it with the following inputs:
Get final verdict
Configure the reshape action to extract the maliciousness scores and categories from the response body.
Run workflow
Run the workflow to submit the URL for scanning and get the threat intelligence report.
Under the hood, Get result calls the /result endpoint repeatedly until the status code is 200.
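The retry behaviour described in the HTTP Polling parameters and in the Get result step, as an added offline simulation that is not Tracecat's own code. Assumptions: the poll_condition lambda receives the response dict and returns True to keep polling, and a 1s, 2s, 4s schedule stands in for the unspecified exponential wait; poll, make_fetch and the sample responses are hypothetical and constructed.

```python
import itertools


def poll(fetch, *, poll_retry_codes=None, poll_condition=None,
         poll_interval=None, poll_max_attempts=10, sleep=lambda s: None):
    """Call fetch() until no retry rule matches; return (response, attempts, waits)."""
    if poll_retry_codes is None and poll_condition is None:
        raise ValueError("provide poll_retry_codes or poll_condition")
    codes = ([poll_retry_codes] if isinstance(poll_retry_codes, int)
             else list(poll_retry_codes or []))
    # The condition is a Python lambda string, so it is evaluated as code;
    # here it is treated as trusted workflow configuration.
    predicate = eval(poll_condition, {"__builtins__": {}}) if poll_condition else None
    attempts = (itertools.count(1) if poll_max_attempts == 0
                else range(1, poll_max_attempts + 1))  # 0 means no attempt limit
    waits = []
    for attempt in attempts:
        response = fetch()
        retry = response["status_code"] in codes or bool(
            predicate and predicate(response))
        if not retry:
            return response, attempt, waits
        if attempt == poll_max_attempts:
            break  # attempts exhausted, do not wait again
        # Fixed interval if given, otherwise the assumed doubling schedule.
        wait = poll_interval if poll_interval is not None else float(2 ** (attempt - 1))
        waits.append(wait)
        sleep(wait)
    raise TimeoutError(f"still retrying after {poll_max_attempts} attempts")


def make_fetch(responses):
    """Replay constructed responses instead of calling a real API."""
    it = iter(responses)
    return lambda: next(it)


# Constructed sample: two "not ready" answers, then a finished report.
SAMPLE = [
    {"status_code": 404, "headers": {}, "data": None},
    {"status_code": 404, "headers": {}, "data": None},
    {"status_code": 200, "headers": {}, "data": {"score": 0, "categories": []}},
]


def demo():
    """Poll the same sample once by status code and once by condition string."""
    by_code = poll(make_fetch(SAMPLE), poll_retry_codes=404)
    by_cond = poll(make_fetch(SAMPLE), poll_interval=5.0,
                   poll_condition="lambda r: r['status_code'] != 200")
    return by_code, by_cond
```

Passing time.sleep as the sleep argument turns the simulation into a real wait loop; the default no-op keeps it instant for testing.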