Event Transform

The event transformation action has several modes of operation that either modify the contents of incoming events, or affect behavior of the workflow.

For example, you could:

  • extract all URLs from an email body (with message only mode and REGEX_EXTRACT)

  • emit individual events for all IP addresses from a SIEM alert (with explode mode)

  • ignore processing information already seen recently (with deduplicate mode)


The Event Transformation Action has several modes of operation:

Was this helpful?