Core Actions

All core actions are open source and available in Tracecat’s GitHub repository.

The docs below only cover the core namespace. For information on core.transform and core.workflow, check out the tutorials on Data Transforms and Child Workflows.

Core actions are the building blocks of Tracecat workflows and action templates. All core actions are under the core namespace. They are distinct from pre-built integrations in the tools namespace, which are pre-configured for specific 3rd-party tools.

There are three sub-namespaces under core:

core
core.transform
core.workflow

core actions are the most commonly used actions in Tracecat. They include:

Name	Display Name	Description
`core.http_request`	`HTTP Request`	Make a HTTP request.
`core.http_poll`	`HTTP Polling`	Poll a REST API until a condition is met.
`core.ai_action`	`AI Action`	Prompt a LLM (e.g. OpenAI, self-hosted) to take an action.

HTTP Request

The core.http_request action supports GET, POST, PUT, PATCH, and DELETE requests.

To make a GET request with query parameters, specify the params field.
To make a POST, PUT, or PATCH request with:
- JSON encoded body, specify the payload field.
- Form-encoded data, specify the form_data field.
To make a request with a custom HTTP headers, specify the headers field.

Examples

Polling HTTP Request

Tracecat makes it easy to poll APIs with long-running operations using the core.http_poll action. To configure the core.http_poll action, you’ll need to specify one of the following inputs:

poll_retry_codes: List of status codes on which the action will retry.
poll_condition: A Python lambda function string that determines whether to retry.

If the operation doesn’t poll on a status code, poll_condition is required. It is a Python lambda function string that determines whether to retry based on:

headers: The HTTP headers of the response.
data: The JSON decoded response body.

For example, to poll on a response body containing "status" until it equals "complete", you can specify the following:

poll_condition: "lambda x: x['data']['status'] == 'complete'"

You can further configure the polling behavior via the optional inputs:

poll_interval: Seconds between polling attempts. Defaults to exponential wait.
poll_max_attempts: Maximum number of polling attempts. Defaults to 10.

URLScan uses a two-step process to get a threat intelligence report on a URL:

Call the /scan endpoint to submit the URL for scanning.
Poll the /result endpoint repeatedly until the status code changes from 404 to 200.

Create URLScan secret

Add URLScan API key to Tracecat’s built-in secrets manager.

Select the settings icon in the top right corner of the page and click on Credentials.

Call /scan endpoint

Add the core.http_request action to your workflow. Rename it to Submit URL and configure it with the following inputs:

url: https://urlscan.io/api/v1/scan/
method: POST
headers:
  API-key: ${{ SECRETS.urlscan.URLSCAN_API_KEY }}
payload:
  url: https://crowdstrikebluescreen.com
  visibility: private

Poll /result endpoint

Add the core.http_poll action to your workflow. Rename it to Get result and configure it with the following inputs:

url: https://urlscan.io/api/v1/result/${{ ACTIONS.scan_url.result.data.uuid }}
method: GET
poll_retry_codes: [404]
headers:
  API-key: ${{ SECRETS.urlscan.URLSCAN_API_KEY }}

Run workflow

Run the workflow to submit the URL for scanning and get the threat intelligence report. Under the hood, Get result calls the /result endpoint repeatedly until the status code is 200.

AI Action

Tracecat supports self-hosted LLMs such as llama, mistral, and deepseek. Check out the self-hosted LLM deployment guide to learn how to set it up.

🚧 The AI action is currently under heavy development. Please contact us on Discord for up-to-date information and usage examples.

Get Started

Tutorials

Self Host

Data Manipulation

HTTP Request

Polling HTTP Request

AI Action

Get Started

Tutorials

Self Host

Data Manipulation

​HTTP Request

​Polling HTTP Request

​AI Action

HTTP Request

Polling HTTP Request

AI Action