The Event Transformation action has several modes of operation that either modify the contents of incoming events or affect the behavior of the workflow.
For example, you could:
- extract all URLs from an email body (with message only mode and REGEX_EXTRACT)
- emit individual events for each IP address in a SIEM alert (with explode mode)
- skip processing of information already seen recently (with deduplicate mode)
For tenants created after Jan 8th 2025 there is a limit of 10 minutes for Event Transform actions.
Features
The Event Transformation Action has several modes of operation:
Common options
rules: (Optional) Specify the rules that determine whether this action executes.
must_match: (Optional) Specify the number of rules that must match for the action to execute.
include_metadata: (Optional) Adds a meta key to the event with details about the action run. This applies to the automatic, deduplicate, explode, extract and message_only modes. Learn more about this option in the Action Metadata docs.
Rules
Rules allow you to specify criteria that must be met in order for an event to be emitted. The Tines Event Transformation action can parse the event data from the upstream action to evaluate these criteria. An event is created only when a rule is matched, and the matching rule is included in the meta object of the event if include_metadata is turned on. If no rule is matched, no event is created and a log line is emitted instead.
In the following example, we check whether a status from an upstream HTTP Request action matches the value 200.
{
  "path": "4d4217f7e94467ee3dec675189566f9a",
  "secret": "a409cd0d15a079ee69873aaa5b2e3d04",
  "verbs": "get,post",
  "must_match": 1,
  "rules": [
    {
      "type": "field==value",
      "value": "200",
      "path": "<<http_request_action.body>>"
    }
  ]
}
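To make the rule semantics above concrete, here is an added Python illustration (not Tines code, and not how Tines implements rules internally) that evaluates a rules block of the shape shown against a constructed upstream event. It assumes that a <<dotted.path>> reference is resolved by walking the event's nested keys, that field==value compares the resolved value with the rule's value as strings, that an action with no rules always emits, that fewer than must_match matches emits nothing and writes a log line, and that include_metadata places the matching rules under a meta key. The event, the helper names and the exact shape of the meta object are assumptions made for this example.

```python
from __future__ import annotations

import re
from typing import Any, List, Optional, Tuple

# Constructed sample event from an upstream "http_request_action" (illustrative, not real Tines output).
UPSTREAM_EVENT = {
    "http_request_action": {
        "status": 200,
        "body": "200",
        "headers": {"content-type": "text/plain"},
    }
}

# Rule configuration in the shape shown in the example above, plus include_metadata turned on.
ACTION_OPTIONS = {
    "must_match": 1,
    "include_metadata": True,
    "rules": [
        {"type": "field==value", "value": "200", "path": "<<http_request_action.body>>"},
    ],
}

# Matches a whole-string template reference such as <<http_request_action.body>> (assumed syntax).
TEMPLATE = re.compile(r"^<<\s*([\w.]+)\s*>>$")


def resolve(template: str, event: dict) -> Any:
    """Resolve a <<dotted.path>> reference against the event; a missing key yields None."""
    m = TEMPLATE.match(template.strip())
    if not m:
        return template  # not a reference: treat it as a literal value
    node: Any = event
    for part in m.group(1).split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate one rule. Only the field==value type from the page is supported here."""
    if rule.get("type") != "field==value":
        raise ValueError(f"unsupported rule type: {rule.get('type')!r}")
    actual = resolve(rule["path"], event)
    # Compare as strings so a numeric 200 and the string "200" are treated alike (assumption).
    return actual is not None and str(actual) == str(rule["value"])


def evaluate(options: dict, event: dict) -> Tuple[Optional[dict], List[str]]:
    """Return (emitted_event_or_None, log_lines) for one incoming event."""
    rules = options.get("rules") or []
    logs: List[str] = []
    if not rules:
        # rules is optional: with none configured the action simply runs (assumption).
        return dict(event), logs

    matched = [r for r in rules if rule_matches(r, event)]
    must_match = int(options.get("must_match", 1))
    if len(matched) < must_match:
        # No event is created; a log line records why.
        logs.append(
            f"no event emitted: {len(matched)} of {must_match} required rule(s) matched"
        )
        return None, logs

    out = dict(event)
    if options.get("include_metadata"):
        # Assumed shape of the meta object: the rules that matched on this run.
        out["meta"] = {"matched_rules": matched}
    return out, logs


if __name__ == "__main__":
    emitted, log_lines = evaluate(ACTION_OPTIONS, UPSTREAM_EVENT)
    print("emitted:", emitted)
    print("logs:", log_lines)
```

Swapping the rule's value to "404" in ACTION_OPTIONS makes evaluate return no event and a single log line, which is the behaviour the text describes for an unmatched rule; raising must_match above the number of matching rules has the same effect.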