Transform Data Action - Use Cases

the turbine transform data native action can create a myriad of transformations making changes to date and time in a playbook is often used, and this page provides use cases for different actions for transforming date and time using the transform data action jsonata https //docs jsonata org/date time functions is used for these actions get date and time using get date/time in the then row of a block is generally not advised this is because the then row is designed for subsequent transformations that depend on data obtained in the first row best practice is to use the get date/time in the first row, which provides a foundational timestamp for later transformations if you configure the first row, click transform again, and select get date/time, there are new configuration options available get date/time configuration transform block options get date/time drop down menu information formatted as the format of the date/time options iso 8601 (default), unix (seconds), unix (milliseconds), sql, custom and set time zone, if missing the originating time zone of the playbook property date/time options utc or standard time zone regions scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen 90 days before the first sighting with the transform data action, you can automate this task to get a date/time and subtract 90 days on the then row, select adjust date/time from the by drop down menu, select subtracting enter 90 in the amount field from the unit of measure drop down menu, select days adjust date and time common date and time data transformation methods are supported in playbooks, which can be run against playbook inputs, in scope action output properties, or static values, including to and from iso 8601 unix (seconds) unix (milliseconds) sql custom formatting https //moment github io/luxon/#/parsing?id=table of tokens xpath picture string format https //www w3 org/tr/xpath functions 31/#date picture string transform block options adjust date/time drop down menu or field information by if amount should be added or subtracted options adding and subtracting amount the amount of time that should be added or subtracted options use the up and down arrows to enter a number or manually enter a number unit of measure the unit of measurement of amount options milliseconds, seconds, minutes, hours, days, weeks, months, years scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen 90 days before the first sighting with the transform data action, you can automate this task to get a date/time and subtract 90 days on the then row, select adjust date/time from the by drop down menu, select subtracting enter 90 in the amount field from the unit of measure drop down menu, select days set time zone after configuring the first row, click transform again, and select set time zone new fields and options are available on the then row set date/time configuration transform block options set date/time drop down menu information time zone converts the timestamp to the specified time zone options utc or standard time zone regions scenario after identifying malicious urls, you want to scan your environment for any other iocs that may be in a specific time zone on the then row, select set date/time from the to drop down menu, select the desired time zone convert date and time after configuring the first row, click transform again, and select convert date/time new fields and options are available on the then row convert date/time configuration transform block options convert date/time drop down menu information to the format in which the converted date/time should be returned default = iso 8601 options iso 8601, unix (seconds), unix (milliseconds), sql, and custom scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen starting on a particular month, date, and year before the first sighting on the then row, select convert date/time from to drop down, select custom to enter a custom format for this scenario, enter a date in the mm/dd/yyyy format contains the contains transformation options are drop down menu information in select the playbook property or field containing the text to check for a substring string enter the keyword or substring to search within the text with choose case sensitivity or no case sensitivity the contains transformation returns true if the substring is found and false otherwise scenario after gathering information from different sources, you want to verify if a particular keyword (e g , "malicious") is present in a text field on the first drop down, select contains in the in field, select the playbook property containing the text in the string field, enter the keyword (e g , "malicious") in the with drop down, select no case sensitivity contains transformation configuration find/replace the find/replace transformation options are drop down menu information in select the field where the replacement is needed find enter the substring to locate with choose case sensitivity or no case sensitivity replace with enter the replacement substring the find/replace transformation replaces all instances of the specified substring with the replacement text scenario you need to normalize ip addresses in logs by replacing occurrences of "192 168" with "10 0" on the first drop down, select find/replace in the in field, select the playbook property containing the text in the find field, enter "192 168" in the replace with field, enter "10 0" in the with drop down, select no case sensitivity find/replace transformation configuration match the match transformation options are drop down menu information in select the text field containing the content to search string enter the pattern or specific string you want to match with choose case sensitivity or no case sensitivity the match transformation identifies and extracts content based on the specified regex pattern scenario to locate specific email addresses from text logs, match the pattern of an email address format on the first row, select match in the in field, select the text field containing the logs in the string field, enter the regex for an email address, e g , \\\b\[a za z0 9 %+ ]+@\[a za z0 9 ]+\\\\ \[a z|a z]{2,}\\\b in the with drop down, select no case sensitivity match transformation configuration convert from csv the convert from csv transformation options are drop down menu information in select the playbook property containing the csv data or enter the csv string directly with header select yes if the csv data includes headers; otherwise, select no the convert from csv transformation parses csv data into individual fields or properties scenario you have a csv string containing user information ("name, email, department") and want to parse it into separate fields on the first drop down, select convert from csv in the in field, choose the property containing the csv data in the with header drop down, select no if headers are not included convert from csv transformation configuration