Actions

Perform operations on your events

Overview

The Actions tab shows all available actions to be assigned and used in your Pipeline. Use the search bar at the top to find a specific action. Hover over an action in the list to see a tooltip, as well as the option to View details.

To add an action to a Pipeline, drag it onto the canvas.

Onum supports action versioning, so be aware that the configuration may be showing either the Latest version if you are adding a new action, or current version if you are editing an existing action.

Action Versioning

We are constantly updating and improving Actions, therefore, you may come across old or even discontinued actions.

See the complete version history of each Action here.

If there is an updated version of the Action available, it will show update available in its Definition, above the node when added to a Pipeline, and Details pane.

If you have added an Action to a Pipeline that is now discontinued, it will show as deactivated in the Canvas. You'll soon be able to see all the Actions with updates available in the Actions view.

Actions List

See this table to understand what each Action does, when to use it, and how to get the most value from your Pipelines. Click an Action name to see its article.

Action

Description

Example use case

Accumulator

Maintain state across event streams.

Track rolling count of failed logins by IP.

Amazon GenAI

Use models hosted on Amazon Bedrock to enrich log content.

Enrich logs by extracting insights like key entities.

Anonymizer

Mask, hash, or redact sensitive fields.

Obfuscate usernames or IPs in real-time.

BLIP-2

Extract text from images or diagrams.

OCR screenshots of phishing sites.

Bring Your Own Code

Run custom Python in an isolated container.

NLP on messages, custom alert logic.

Cog

Execute ML models via hosted APIs.

Classify log severity with ML.

Conditional

Drop or allow events based on logic.

Filter out successful health check logs.

Field Generator

Add generated fields (timestamp, random, static...)

Tag events with trace ID and pipeline time.

Field Transformation

Apply math, encoding, parsing, or string operations to fields.

Hash IPs, defang URLs, convert timestamps.

Flat JSON

Flatten nested JSON to dot-notation keys.

Flatten AWS logs for easy indexing in SIEM.

For Each

Iterate array fields and emit per-item events.

Split DNS records into individual log lines.

Google DLP

Redact sensitive data via Google API.

Remove SSNs, emails from customer logs.

Google GenAI

Use Google’s LLM to enrich log content.

Summarize error logs for dashboards.

Group By

Aggregate by key(s) over a time window.

Count logins per user every minute.

HTTP Request

Trigger external HTTP(S) calls inline.

Notify PagerDuty, call enrichment APIs.

JSON Transformation

Remap or rename JSON fields and structure.

Standardize custom app logs to a shared schema.

JSON Unroll

Convert arrays into individual events.

Split one event with 5 IPs into 5 separate events.

Llama

Apply open-source LLMs to event text.

Translate or tag non-English log data.

Lookup

Add fields from a reference table.

Add business unit or geolocation to IPs.

Math Expression

Compute values using event fields.

Calculate duration = end_time - start_time.

Message Builder

Compose structured output for downstream tools.

Create Slack-friendly JSON alerts.

OCSF

Convert events to Open Cybersecurity Schema.

Standardize endpoint data for SIEM ingestion.

Parser

Parse text using regex or pattern to extract fields.

Convert syslog strings into structured events.

Redis

Use Redis for state lookups or caching.

Limit login attempts per user per hour.

Replicate

Run any hosted model from Replicate.

Enrich logs using anomaly detection models.

Sampling

Randomly pass only a portion of events.

Keep 10% of debug logs for cost control.

Sigma Rules

Match events against threat rule patterns.

Detect C2 activity or abnormal auth behavior.

Unique

Emit only first-seen values.

Alert on first-time-seen device IDs or IPs.

PreviousListeners NextAdvanced

Last updated 6 days ago

Was this helpful?