Core actions
Building blocks of Tracecat workflows and action templates.
All core actions are open source and available in Tracecat’s GitHub repository.
This tutorial covers the three most commonly used core actions: core.transform.reshape, core.http_request, and core.http_poll.
To learn about the other core actions, check out the following tutorials:
Core actions are the building blocks of Tracecat workflows and action templates.
All core actions are under the core namespace.
They are distinct from pre-built integrations in the tools namespace, which are pre-configured for specific 3rd-party tools.
There are four sub-namespaces under core:
- core
- core.transform
- core.workflow
- core.require
core actions are the most commonly used actions in Tracecat. They include:
Name | Display Name | Description |
---|---|---|
core.transform.reshape | Reshape | Reshape and manipulate data. |
core.http_request | HTTP Request | Make a HTTP request. |
core.http_poll | HTTP Polling | Poll a REST API until a condition is met. |
Reshape
Reshape is a simple action that takes a single input value (e.g. a string, number, or object), evaluates any expressions and functions, and returns the result.
The following examples show common use-cases and inputs for the Reshape action.
Use the Reshape action to:
- Hardcode values
- Rename data fields
- Store data from previous actions or the trigger into a value or object
- Transform data using inline functions
This action is one of the most commonly used and powerful actions in Tracecat. Check out the functions cheatsheet for a list of all the available functions.
HTTP Request
The core.http_request action supports GET, POST, PUT, PATCH, and DELETE requests.
- To make a GET request with query parameters, specify the params field.
- To make a POST, PUT, or PATCH request with:
  - JSON encoded body, specify the payload field.
  - Form-encoded data, specify the form_data field.
- To make a request with custom HTTP headers, specify the headers field.
Examples
HTTP Polling
Tracecat makes it easy to poll APIs with long-running operations using the core.http_poll action.
To configure the core.http_poll action, you’ll need to specify one of the following inputs:
- poll_retry_codes: List of status codes on which the action will retry.
- poll_condition: A Python lambda function string that determines whether to retry.
If the operation doesn’t poll on a status code, poll_condition is required.
It is a Python lambda function string that determines whether to retry based on:
- headers: The HTTP headers of the response.
- data: The JSON decoded response body.
For example, to poll on a response body containing "status" until it equals "complete", you can specify the following:
You can further configure the polling behavior via the optional inputs:
- poll_interval: Seconds between polling attempts. Defaults to exponential wait.
- poll_max_attempts: Maximum number of polling attempts. Defaults to 10.
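The retry rules above, modelled locally as an added example (not Tracecat's implementation and not code from this page). It assumes the condition receives a mapping with headers and data keys and returns True to retry, and it raises once the attempt limit is reached so that a pending response is never treated as a verdict; the names poll, PollExhausted, until_complete and the sample responses are constructed for illustration.

```python
from typing import Any, Callable, Iterable, Optional

Response = dict[str, Any]  # constructed shape: status_code, headers, data


class PollExhausted(Exception):
    """No final response arrived within max_attempts."""


def poll(
    responses: Iterable[Response],
    retry_codes: Optional[list[int]] = None,
    condition: Optional[Callable[[dict[str, Any]], bool]] = None,
    max_attempts: int = 10,  # default stated on the page
) -> tuple[int, Response]:
    """Local model of the retry decision; returns (attempts used, final response)."""
    if not retry_codes and condition is None:
        raise ValueError("specify poll_retry_codes or poll_condition")
    for attempt, resp in zip(range(1, max_attempts + 1), responses):
        # Retry on a listed status code (poll_retry_codes).
        retry = resp["status_code"] in (retry_codes or [])
        # Otherwise ask the condition (assumed: True means "retry").
        if not retry and condition is not None:
            retry = condition({"headers": resp["headers"], "data": resp["data"]})
        if not retry:
            return attempt, resp
    # Assumption of this model: fail closed instead of returning a pending body.
    raise PollExhausted(f"no final response within {max_attempts} attempts")


# Constructed responses modelled on the URLScan flow: 404 until the report exists.
URLSCAN = [
    {"status_code": 404, "headers": {}, "data": {"message": "not found"}},
    {"status_code": 404, "headers": {}, "data": {"message": "not found"}},
    {"status_code": 200, "headers": {}, "data": {"report": "constructed"}},
]
# Constructed long-running job that always answers 200 and reports a status field.
JOB = [
    {"status_code": 200, "headers": {}, "data": {"status": s}}
    for s in ("pending", "running", "complete")
]
# Tracecat takes the condition as a lambda string; here it is a plain callable.
until_complete = lambda x: x["data"].get("status") != "complete"

if __name__ == "__main__":
    print(poll(URLSCAN, retry_codes=[404]))
    print(poll(JOB, condition=until_complete))
```

The model does not sleep between attempts, so poll_interval is not represented.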
Tutorial: URLScan
URLScan uses a two-step process to get a threat intelligence report on a URL:
- Call the /scan endpoint to submit the URL for scanning.
- Poll the /result endpoint repeatedly until the status code changes from 404 to 200.
- Use a reshape to extract the maliciousness score and categories from the response body.
Create URLScan secret
Add the URLScan API key to Tracecat’s built-in secrets manager.
Select the settings icon in the top right corner of the page and click on Credentials.
Click on the Create secret button, name the secret urlscan, and add the URLScan API key as a key-value pair with key name URLSCAN_API_KEY.
Call /scan endpoint
Add the core.http_request action to your workflow.
Rename it to Submit URL and configure it with the following inputs:
Poll /result endpoint
Add the core.http_poll action to your workflow.
Rename it to Get result and configure it with the following inputs:
Get final verdict
Configure the reshape action to extract the maliciousness scores and categories from the response body.
Run workflow
Run the workflow to submit the URL for scanning and get the threat intelligence report.
Under the hood, Get result calls the /result endpoint repeatedly until the status code is 200.