Actions

Perform operations on your events

Overview

The Actions tab shows all available actions to be assigned and used in your Pipeline. Use the search bar at the top to find a specific action. Hover over an action in the list to see a tooltip, as well as the option to View details.

To add an action to a Pipeline, drag it onto the canvas.

Action Versioning

Actions are constantly being updated and improved, so you may come across old or even discontinued Actions.

See the complete version history of each Action here.

If an updated version of an Action is available, an "update available" label is shown in its Definition, above the node once it has been added to a Pipeline, and in the Details pane.

If an Action you have added to a Pipeline has since been discontinued, it is shown as deactivated on the Canvas. You will soon be able to see all Actions with updates available in the Actions view.

Actions List

See this table to understand what each Action does, when to use it, and how to get the most value from your Pipelines. Click an Action name to see its article.

| Action | Description | Example use case |
|---|---|---|
| | Maintain state across event streams. | Track rolling count of failed logins by IP. |
| | Use models hosted on Amazon Bedrock to enrich log content. | Enrich logs by extracting insights like key entities. |
| | Mask, hash, or redact sensitive fields. | Obfuscate usernames or IPs in real time. |
| | Extract text from images or diagrams. | OCR screenshots of phishing sites. |
| | Run custom Python in an isolated container. | NLP on messages, custom alert logic. |
| | Execute ML models via hosted APIs. | Classify log severity with ML. |
| | Drop or allow events based on logic. | Filter out successful health check logs. |
| | Add generated fields (timestamp, random, static, ...). | Tag events with trace ID and pipeline time. |
| | Apply math, encoding, parsing, or string operations to fields. | Hash IPs, defang URLs, convert timestamps. |
| | Flatten nested JSON to dot-notation keys. | Flatten AWS logs for easy indexing in SIEM. |
| | Iterate array fields and emit per-item events. | Split DNS records into individual log lines. |
| | Redact sensitive data via Google API. | Remove SSNs, emails from customer logs. |
| | Use Google's LLM to enrich log content. | Summarize error logs for dashboards. |
| | Aggregate by key(s) over a time window. | Count logins per user every minute. |
| | Trigger external HTTP(S) calls inline. | Notify PagerDuty, call enrichment APIs. |
| | Remap or rename JSON fields and structure. | Standardize custom app logs to a shared schema. |
| | Convert arrays into individual events. | Split one event with 5 IPs into 5 separate events. |
| | Apply open-source LLMs to event text. | Translate or tag non-English log data. |
| | Add fields from a reference table. | Add business unit or geolocation to IPs. |
| | Compute values using event fields. | Calculate duration = end_time - start_time. |
| | Compose structured output for downstream tools. | Create Slack-friendly JSON alerts. |
| | Convert events to Open Cybersecurity Schema. | Standardize endpoint data for SIEM ingestion. |
| | Parse text using regex or pattern to extract fields. | Convert syslog strings into structured events. |
| | Use Redis for state lookups or caching. | Limit login attempts per user per hour. |
| | Run any hosted model from Replicate. | Enrich logs using anomaly detection models. |
| | Randomly pass only a portion of events. | Keep 10% of debug logs for cost control. |
| | Match events against threat rule patterns. | Detect C2 activity or abnormal auth behavior. |
| | Emit only first-seen values. | Alert on first-time-seen device IDs or IPs. |
