Apply a Python lambda function to a value.
Python lambda function as a string (e.g. "lambda x: x.get('name')").
Value to apply the lambda function to.
Examples
Filter, transform, and compact
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
Filter condition as a Python lambda expression (e.g. "lambda x: x > 2").
Examples
Filter, transform, and compact
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
Items to map the lambda function to.
Python lambda function as a string (e.g. "lambda x: x.get('name')").
Examples
Filter, transform, and compact
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
Examples
Filter, transform, and compact
- ref: normalize_hostname
action: core.transform.apply
args:
value: ${{ TRIGGER.hostname }}
python_lambda: "lambda value: value.strip().lower()"
- ref: keep_open_findings
action: core.transform.filter
args:
items: ${{ TRIGGER.findings }}
python_lambda: "lambda finding: finding.get('status') == 'open'"
- ref: finding_ids
action: core.transform.map
args:
items: ${{ ACTIONS.keep_open_findings.result }}
python_lambda: "lambda finding: finding.get('id')"
- ref: compact_ids
action: core.transform.drop_nulls
args:
items: ${{ ACTIONS.finding_ids.result }}
Collection of hashable items to check against.
Python lambda applied to each item before checking membership (e.g. "lambda x: x.get('name')"). Similar to key in the Python sorted function.Default: null.
Examples
Keep or exclude matching items
- ref: keep_known_users
action: core.transform.is_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
- ref: remove_known_users
action: core.transform.not_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
Collection of hashable items to check against.
Python lambda applied to each item before checking membership (e.g. "lambda x: x.get('name')"). Similar to key in the Python sorted function.Default: null.
Examples
Keep or exclude matching items
- ref: keep_known_users
action: core.transform.is_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
- ref: remove_known_users
action: core.transform.not_in
args:
items: ${{ TRIGGER.users }}
collection:
- alice@example.com
- bob@example.com
python_lambda: "lambda user: user.get('email')"
items
object | array[object]
required
JSON object or list of JSON objects to deduplicate.
List of JSONPath keys to deduplicate by. Supports dot notation for nested keys (e.g. ['user.id']).
Time to live for the deduplicated items in seconds. Defaults to 1 hour.Default: 3600.
Whether to persist deduplicated items across calls. If True, deduplicates across calls. If False, deduplicates within the current call only.Default: true.
Examples
Deduplicate by a stable key
- ref: deduplicate_findings
action: core.transform.deduplicate
args:
items: ${{ TRIGGER.findings }}
keys:
- finding_id
persist: true
expire_seconds: 3600
- ref: finding_seen
action: core.transform.is_duplicate
args:
item: ${{ TRIGGER.finding }}
keys:
- finding_id
expire_seconds: 3600
List of JSONPath keys to check.
Time to live for the deduplicated items in seconds. Defaults to 1 hour.Default: 3600.
Examples
Deduplicate by a stable key
- ref: deduplicate_findings
action: core.transform.deduplicate
args:
items: ${{ TRIGGER.findings }}
keys:
- finding_id
persist: true
expire_seconds: 3600
- ref: finding_seen
action: core.transform.is_duplicate
args:
item: ${{ TRIGGER.finding }}
keys:
- finding_id
expire_seconds: 3600
Examples
Flatten and query JSON
- ref: flatten_alert
action: core.transform.flatten_json
args:
json: ${{ TRIGGER.alert }}
- ref: extract_fields
action: core.transform.eval_jsonpaths
args:
json: ${{ TRIGGER.alert }}
jsonpaths:
user: $.actor.email
source_ip: $.network.source.ip
JSON object to eval JSONPath expressions on.
JSONPath expressions to eval.
Examples
Flatten and query JSON
- ref: flatten_alert
action: core.transform.flatten_json
args:
json: ${{ TRIGGER.alert }}
- ref: extract_fields
action: core.transform.eval_jsonpaths
args:
json: ${{ TRIGGER.alert }}
jsonpaths:
user: $.actor.email
source_ip: $.network.source.ip
