# Turbine Solutions Interfaces
## Overview

This section of the Turbine user guide describes the interfaces available in Turbine Solutions. Interfaces are standard data formats that enable components to work together seamlessly. Use interfaces to standardize data transformation across security operations and vulnerability management workflows.

When you apply an interface to a component, it automatically configures the component's input and output data structures. This standardization allows you to swap components in your playbooks without manual re-configuration, as long as they use the same interface.

This guide covers:

- What interfaces are and how they work
- How to use interfaces when building components
- Available interfaces for SOC and vulnerability management workflows
- Best practices for working with interfaces

## What are interfaces?

An interface defines the data structure that a component expects to receive (inputs) and the data structure it produces (outputs). Think of it as a standard template that ensures components can work together seamlessly.

### Key concepts

- Component: a reusable automation flow that performs a specific task. Components are used within playbooks to build automation workflows.
- Interface: a standard data format that components can use. When multiple components use the same interface, they can be swapped with each other because they all accept and produce data in the same format.
- Input schema: defines what data your component needs to receive to work properly.
- Output schema: defines what data your component will produce when it runs.

### Example

Imagine you have multiple threat intelligence enrichment components:

- Enrich via VirusTotal
- Enrich via Recorded Future
- Enrich via URLhaus

If they all use the same "simple observable to enrichment" interface, they all:

- accept the same input format (an observable, such as an IP address)
- produce the same output format (enriched observable data)

This means you can swap between these components in your playbook without changing any other part of your workflow.
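The swap described in this example, modelled in plain Python as an added illustration (this is not Turbine's code or its component API): two hypothetical enrichment components declare the same "simple observable to enrichment" interface, a playbook is written against the interface rather than a component, and a component that violates the output schema is rejected at the boundary. Field names follow the observable object shown on this page; the provider names, scores and addresses are constructed.

```python
# Added example, not code from the Turbine product or its documentation. It models
# the "simple observable to enrichment" interface with plain Python: a component is
# a function, an interface is an input/output schema pair, and the playbook depends
# only on the interface. Provider names, scores and addresses are constructed.
from dataclasses import dataclass
from functools import wraps
from typing import Any, Callable, Dict, List

Schema = Dict[str, type]          # field name -> required Python type
Record = Dict[str, Any]
Component = Callable[[Record], Record]


class InterfaceError(Exception):
    """Data crossing an interface boundary does not match the interface's schema."""


@dataclass(frozen=True)
class Interface:
    name: str
    input_schema: Schema
    output_schema: Schema


def validate(schema: Schema, data: Record) -> List[str]:
    """Return schema violations for data; an empty list means it conforms."""
    problems = []
    for field, ftype in schema.items():
        if field not in data:
            problems.append(f"missing {field!r}")
        elif not isinstance(data[field], ftype):
            problems.append(f"{field!r} must be {ftype.__name__}")
    problems.extend(f"unexpected {field!r}" for field in data if field not in schema)
    return problems


def component(interface: Interface) -> Callable[[Component], Component]:
    """Apply an interface to a component: both schemas are enforced on every call."""
    def apply(func: Component) -> Component:
        @wraps(func)
        def wrapped(data: Record) -> Record:
            if errors := validate(interface.input_schema, data):
                raise InterfaceError(f"{func.__name__} input: {errors}")
            result = func(data)
            if errors := validate(interface.output_schema, result):
                raise InterfaceError(f"{func.__name__} output: {errors}")
            return result
        wrapped.interface = interface   # lets a playbook check compatibility
        return wrapped
    return apply


# Field names follow the observable object shown later on this page; a simple
# observable carries only the indicator's type and value.
SIMPLE_OBSERVABLE_TO_ENRICHMENT = Interface(
    name="simple observable to enrichment",
    input_schema={"observable_type": str, "observable_value": str},
    output_schema={"enrichment_type": str, "enrichment_provider": str,
                   "enrichment_context": str, "enrichment_timestamp": str,
                   "enrichment_verdict": str},
)

# Constructed offline data standing in for two different threat intelligence sources.
_PROVIDER_A_BLOCKLIST = {"192.0.2.10"}                        # documentation address range
_PROVIDER_B_SCORES = {"192.0.2.10": 91, "198.51.100.7": 12}   # constructed 0-100 risk scores


def _enrichment(provider: str, context: str, verdict: str) -> Record:
    return {"enrichment_type": "reputation", "enrichment_provider": provider,
            "enrichment_context": context, "enrichment_timestamp": "2024-01-01T00:00:00Z",
            "enrichment_verdict": verdict}


@component(SIMPLE_OBSERVABLE_TO_ENRICHMENT)
def enrich_via_provider_a(obs: Record) -> Record:
    """Hypothetical component: verdict from a blocklist membership check."""
    value = obs["observable_value"]
    verdict = "malicious" if value in _PROVIDER_A_BLOCKLIST else "unknown"
    return _enrichment("provider-a", f"blocklist lookup for {value}", verdict)


@component(SIMPLE_OBSERVABLE_TO_ENRICHMENT)
def enrich_via_provider_b(obs: Record) -> Record:
    """Hypothetical component: verdict derived from a numeric risk score."""
    value = obs["observable_value"]
    score = _PROVIDER_B_SCORES.get(value)
    verdict = "unknown" if score is None else ("malicious" if score >= 70 else "benign")
    return _enrichment("provider-b", f"risk score {score} for {value}", verdict)


@component(SIMPLE_OBSERVABLE_TO_ENRICHMENT)
def broken_enricher(obs: Record) -> Record:
    """Claims the interface but omits the verdict: rejected at the output boundary."""
    return {"enrichment_type": "reputation"}


def run_playbook(enricher: Component, observable: Record) -> Record:
    """The playbook is written against the interface, so any conforming component fits."""
    if getattr(enricher, "interface", None) is not SIMPLE_OBSERVABLE_TO_ENRICHMENT:
        raise InterfaceError("component does not implement the required interface")
    return enricher(observable)


if __name__ == "__main__":
    ip = {"observable_type": "ip", "observable_value": "192.0.2.10"}
    for comp in (enrich_via_provider_a, enrich_via_provider_b):   # swap; nothing else changes
        print(comp.__name__, run_playbook(comp, ip)["enrichment_verdict"])
```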
Note: you can still create components without applying an interface, but they will not benefit from standardization and easy swapping.

## Benefits of using interfaces

Interfaces provide powerful benefits that make your automation workflows more flexible and easier to manage.

- Easy component swapping: components that use the same interface can be swapped in and out of playbooks with a single click. No manual re-configuration or re-mapping of data is needed.
- Search by functionality: you can search for components based on what they do, regardless of which vendor technology they use. For example, find all enrichment components that work with observables, even if they use different threat intelligence sources.
- Guaranteed compatibility: components built with interfaces are guaranteed to work seamlessly with playbooks and other components that use the same interface.
- Standardized data flow: interfaces ensure that data flows correctly between components, reducing errors and making your playbooks more reliable.
- Vendor flexibility: you can switch between different vendor technologies (such as VirusTotal, Recorded Future, or URLhaus) without changing your playbook structure, as long as the components use the same interface.

## How to use interfaces

Interfaces are available in Turbine Canvas when building components. When you create or edit a component:

1. Open the component builder in Turbine Canvas.
2. Navigate to the "Data" tab in the side panel.
3. Select an interface from the dropdown list of available interfaces.
4. The interface automatically configures the component's input and output schemas.

Once an interface is applied, your component has standardized inputs and outputs that match other components using the same interface, making them easily swappable in playbooks.

### Understanding interface schemas

Each interface defines two key parts:

- Input schema: specifies what data your component expects to receive.
- Output schema: specifies what data your component will produce.

When you apply an interface to a component, these schemas are automatically configured, ensuring your component accepts and produces data in the correct format.

## SOC Solutions Bundle interfaces

The SOC Solutions Bundle includes 20 interfaces for security operations center workflows. Use these interfaces for alert triage, observable enrichment, email processing, and remediation actions.

### Alert to None v1.0.2

Purpose: processes an alert object without producing output. Use this interface for alert ingestion workflows where you process alerts without transforming them.

- Input schema: alert object
- Output schema: empty object (no output)

Use cases:

- Alert ingestion pipelines
- Alert logging and archival
- Alert forwarding without transformation

### Array of Alerts to None v1.0.2

Purpose: processes an array of alerts without producing output. Use this interface for bulk alert processing.

- Input schema: array of alert objects
- Output schema: empty object (no output)

Use cases:

- Bulk alert ingestion
- Alert batch processing
- Alert archival workflows

### Array of Simple Observable to None v1.0.2

Purpose: processes an array of simple observable objects without producing output.

- Input schema: array of simple observable objects
- Output schema: empty object (no output)

Use cases:

- Bulk observable ingestion
- Observable logging
- Observable forwarding

### Simple Observable to None v1.0.2

Purpose: processes a simple observable without producing output.

- Input schema: simple observable object
- Output schema: empty object (no output)

Use cases:

- Observable logging
- Observable ingestion
- Observable forwarding

### Phishing Email Report to None v1.0.2

Purpose: processes phishing email report objects without producing output.

- Input schema: phishing email report object
- Output schema: empty object (no output)

Use cases:

- Phishing report ingestion
- Phishing report logging
- Phishing report archival

### Alert Triage Ingestion to Array of Alert v1.0.2

Purpose: converts triage ingestion data into an array of standardized alert objects.

- Input schema: triage ingestion format (specific structure)
- Output schema: array of alert objects

Use cases:

- Bulk alert ingestion
- Alert normalization from multiple sources
- Alert triage workflows

### Simple Observable to Enrichment v1.0.2

Purpose: converts a simple observable into an enrichment object that includes threat intelligence data.

- Input schema: simple observable object
- Output schema: enrichment object

Use cases:

- Threat intelligence enrichment
- Observable reputation checking
- Security context gathering

### Simple Observable to Observable v1.0.2

Purpose: converts a simple observable into a full observable object with enrichment capabilities.

- Input schema: simple observable object
- Output schema: observable object

Use cases:

- Observable normalization
- Observable enrichment preparation
- Data structure standardization

### Text to Array of Observables v1.0.2

Purpose: extracts observables from text content and returns them as an array.

- Input schema: text
- Output schema: array of observable objects

Use cases:

- Email body parsing
- Log file analysis
- Text extraction from documents
- IOC extraction from reports

### Object to Alert v1.0.2

Purpose: converts a generic object into a standardized alert object.

- Input schema: generic object
- Output schema: alert object

Use cases:

- Alert normalization from various sources
- Custom alert format conversion
- Alert standardization

### Error to Enrichment v1.0.2

Purpose: converts error information into an enrichment object for error tracking and analysis.

- Input schema: error object
- Output schema: enrichment object

Use cases:

- Error tracking
- Error enrichment
- Error analysis workflows

### Email to Email v1.0.2

Purpose: converts email objects while preserving the email structure. Used for email processing workflows.

- Input schema: email object
- Output schema: email object

Use cases:

- Email processing workflows
- Email transformation
- Email forwarding
- Email analysis

### Turbine Attachment to Email v1.0.2

Purpose: converts a Turbine attachment object into an email object.

- Input schema: Turbine attachment object
- Output schema: email object

Use cases:

- Attachment to email conversion
- Email reconstruction from attachments
- Email processing workflows

### File to File v1.0.2

Purpose: converts file objects while preserving file structure.

- Input schema: file object
- Output schema: file object

Use cases:

- File processing workflows
- File transformation
- File forwarding

### Header to Header v1.0.2

Purpose: converts header objects (email or HTTP headers).

- Input schema: header object
- Output schema: header object

Use cases:

- Header processing
- Header transformation
- Header analysis

### MIME Part to MIME Part v1.0.2

Purpose: converts MIME part objects while preserving structure.

- Input schema: MIME part object
- Output schema: MIME part object

Use cases:

- MIME part processing
- Email attachment handling
- Content extraction

### Phishing Triage Email Ingestion to Array of Phishing Email Report v1.0.2

Purpose: converts phishing triage email ingestion data into an array of phishing email reports.

- Input schema: phishing triage ingestion format
- Output schema: array of phishing email report objects

Use cases:

- Bulk phishing email processing
- Phishing triage workflows
- Phishing report generation

### Block/Unblock Observable Remediation Action

Purpose: performs block or unblock actions on observables (such as IPs and domains) in security systems.

- Input schema: (field table not recoverable)
- Output schema: (field table not recoverable)

Use cases:

- IP address blocking/unblocking
- Domain blocking
- Threat containment workflows
- Security control automation

### Enable/Disable User Account Remediation Action

Purpose: enables or disables user accounts in identity management systems.

- Input schema: (field table not recoverable)
- Output schema: (field table not recoverable)

Use cases:

- Account remediation
- Incident response
- Access control automation
- User account management

### Isolate/Rejoin Hosts Remediation Action

Purpose: isolates or rejoins hosts in network security systems.

- Input schema: (field table not recoverable)
- Output schema: (field table not recoverable)

Use cases:

- Host isolation during incidents
- Network containment
- Incident response automation
- Security control workflows

## Vulnerability Case Management interfaces

The Vulnerability Case Management bundle contains 6 interfaces designed for vulnerability management workflows, including vulnerability finding processing, remediation tracking, and ticket management.

### Vulnerability Finding to Vulnerability Finding v1.0.0

Purpose: converts vulnerability finding objects while preserving all vulnerability data. Used for vulnerability data normalization and processing.

- Input schema: vulnerability finding object
- Output schema: vulnerability finding object

Use cases:

- Vulnerability data normalization
- Vulnerability finding processing
- Vulnerability data transformation
- Cross-platform vulnerability data exchange

### Enriched Vulnerability Finding to Enriched Vulnerability Finding v1.0.0

Purpose: converts enriched vulnerability finding objects that carry additional threat intelligence and context data.

- Input schema: enriched vulnerability finding object
- Output schema: enriched vulnerability finding object

Use cases:

- Enriched vulnerability processing
- Threat intelligence integration
- Vulnerability enrichment workflows

### Array of Object to Array of Vulnerability Finding v1.0.0

Purpose: converts an array of generic objects into an array of standardized vulnerability finding objects.

- Input schema: array of generic objects
- Output schema: array of vulnerability finding objects

Use cases:

- Bulk vulnerability ingestion
- Vulnerability data normalization
- Multi-source vulnerability aggregation

### Asset to Tracking ID v1.0.0

Purpose: extracts or generates tracking identifiers from asset objects.

- Input schema: asset object
- Output schema: tracking ID

Use cases:

- Asset tracking
- Asset identification
- Asset management workflows

### Remediation Item to Ticket v1.0.0

Purpose: creates or updates tickets in ITSM systems based on remediation item data.

- Input schema: remediation item object
- Output schema: ticket object

Use cases:

- ITSM integration
- Remediation workflow automation
- Ticket creation from vulnerability findings
- Remediation tracking

### Remediation Item Check v1.0.0

Purpose: checks the status of remediation items and associated ITSM tickets.

- Input schema: remediation item object
- Output schema: (field table not recoverable)

Use cases:

- Remediation status monitoring
- Ticket status synchronization
- Remediation workflow tracking
- ITSM integration status checks

## Common data structures

### Observable object

Observables represent security-relevant entities such as IP addresses, domains, and file hashes.

```json
{
  "observable_type": "ip",
  "observable_value": "192.168.1.1",
  "observable_metadata": {},
  "observable_primary_context": "context",
  "observable_primary_permalink": "https://...",
  "observable_primary_provider": "provider",
  "observable_primary_timestamp": "2024-01-01T00:00:00Z",
  "observable_primary_verdict": "malicious",
  "observable_enrichments": [
    {
      "enrichment_type": "reputation",
      "enrichment_provider": "provider",
      "enrichment_context": "context",
      "enrichment_permalink": "https://...",
      "enrichment_timestamp": "2024-01-01T00:00:00Z",
      "enrichment_verdict": "malicious",
      "enrichment_raw_data": "..."
    }
  ]
}
```

### Alert object

Alerts represent security events and incidents.

```json
{
  "alert_uid": "unique-id",
  "alert_title": "alert title",
  "alert_description": "description",
  "alert_severity": "high",
  "alert_risk_score": 85,
  "alert_categories": ["malware", "phishing"],
  "alert_start_timestamp": "2024-01-01T00:00:00Z",
  "alert_end_timestamp": "2024-01-01T01:00:00Z",
  "alert_created_timestamp": "2024-01-01T00:00:00Z",
  "alert_ingested_timestamp": "2024-01-01T00:00:00Z",
  "alert_provider": "security tool",
  "alert_organization": "org-id",
  "alert_permalink": "https://...",
  "alert_impacted_hostnames": ["host1.example.com"],
  "alert_impacted_ip_addresses": ["192.168.1.1"],
  "alert_impacted_usernames": ["user1"],
  "alert_rules": [
    {
      "rule_id": "rule-123",
      "rule_name": "rule name",
      "rule_type": "detection",
      "rule_description": "description"
    }
  ],
  "alert_mitre_attack_tactic_technique": [
    {
      "technique": { "uid": "T1189", "name": "Drive-by Compromise" },
      "tactics": [
        { "uid": "TA0001", "name": "Initial Access" }
      ],
      "version": "v12"
    }
  ],
  "alert_originating_files": [],
  "observables": [],
  "raw_alert": {}
}
```

### Email object

Email objects represent email messages with full metadata.

```json
{
  "email_message_id": "message-id",
  "email_from_address": "sender@example.com",
  "email_to_addresses": ["recipient@example.com"],
  "email_cc_addresses": [],
  "email_bcc_addresses": [],
  "email_reply_to_addresses": [],
  "email_subject": "subject",
  "email_body": "body text",
  "email_text_body": "plain text body",
  "email_html_body": "<html>...</html>",
  "email_origination_timestamp": "2024-01-01T00:00:00Z",
  "email_delivery_timestamp": "2024-01-01T00:00:00Z",
  "email_organization": "org-id",
  "email_headers": [
    { "header_key": "From", "header_value": "sender@example.com" }
  ],
  "email_mime_parts": [
    {
      "mime_type": "text/plain",
      "file_name": "attachment.txt",
      "is_attachment": true,
      "content": { "base64": "...", "turbine_attachment": {} }
    }
  ],
  "observables": [],
  "raw_email": "..."
}
```

### Vulnerability finding object

Vulnerability
findings represent discovered security vulnerabilities key fields include vulnerability identification (cve, description) scoring (cvss, epss) exploit information asset information remediation status risk scores see the "vulnerability finding to vulnerability finding" interface for complete schema usage patterns pattern 1 data ingestion pipeline source data → ingestion interface → normalized data → processing interface → output example email → email to email → processed email → extract observables → observable array pattern 2 enrichment workflow observable → simple observable to enrichment → enriched observable → alert creation pattern 3 remediation workflow vulnerability finding → remediation item to ticket → ticket created → remediation item check → status updated pattern 4 bulk processing array of objects → array to array interface → normalized array → individual processing best practices follow these guidelines when working with interfaces use the latest version always use the latest version of interfaces when available check the version field to ensure compatibility include required fields include all required fields in input schemas missing required fields cause transformation failures validate data before transformation validate input data against the interface schema before transformation to catch errors early handle errors implement error handling for transformation failures, especially in automated workflows choose the right interface select interfaces that match your data flow use "to none" interfaces for ingestion and logging use transformation interfaces for data conversion use remediation interfaces for automated actions extract observables from text use "text to array of observables" to extract iocs from unstructured text process bulk data efficiently use array interfaces to process multiple items efficiently validate remediation actions validate action parameters before executing remediation actions to prevent unintended consequences playbook 
integration how interfaces work in playbooks interfaces define the input and output schemas for playbook transformations when you create a playbook component using a builderintent interface input schema defines what data the playbook expects output schema defines what data the playbook produces validation ensures data matches schemas at runtime type safety provides type information for the ui creating a playbook with an interface example playbook yaml schema playbook/2 name observable enrichment playbook title observable enrichment playbook description enriches observables with threat intelligence \# reference to the interface schema inputschemareferenceid simple observable to enrichment v1 0 2 06fbe actions enrich observable actiontype jsonata inputs expression | { "observable" $ observable, "enrichment" { "enrichment type" "reputation", "enrichment provider" "threat intel", "enrichment verdict" "malicious", "enrichment timestamp" $now(), "enrichment context" "enriched via playbook" } } data observable observable type string observable value string publish enrichment $ enrich observable enrichment connecting multiple interfaces you can chain multiple interfaces together in a playbook actions \# step 1 extract observables from text extract observables actiontype jsonata inputs expression | { "observables" $split($ text value, " ") } data text value string \# step 2 enrich each observable enrich observable actiontype jsonata next create alert inputs expression | { "enrichment" { "enrichment type" "reputation", "enrichment provider" "threat intel", "enrichment verdict" "suspicious" } } data observable object \# step 3 create alert from enriched observable create alert actiontype jsonata inputs expression | { "alert" { "alert title" "threat detected", "alert severity" "high", "observables" \[$ enrich observable observable] } } data enrichment object troubleshooting and common pitfalls common issues and solutions issue 1 schema validation failures symptom 
transformation fails with validation error causes missing required fields wrong data types invalid enum values extra fields not in schema (if additionalproperties false ) solution validate input data against schema before transformation use schema validation tools check interface documentation for required fields remove or map extra fields example fix // before (fails validation) { "observable" { "type" "ip", // wrong field name "value" "192 168 1 1" // wrong field name } } // after (passes validation) { "observable" { "observable type" "ip", // correct field name "observable value" "192 168 1 1" // correct field name } } issue 2 transformation timeouts symptom transformation fails with timeout error causes external api calls taking too long large data processing network latency insufficient timeout configuration solution increase timeout for slow operations optimize transformation logic use async processing for long operations implement retry logic with exponential backoff issue 3 incorrect interface selection symptom data does not match expected format causes using wrong interface for data type confusing similar interfaces version mismatch solution review interface documentation check input/output schemas verify interface version compatibility test with sample data first example // wrong using "simple observable to enrichment" for array // correct use "array of simple observable to none" or process individually issue 4 remediation action failures symptom remediation actions return error messages causes invalid action parameter system permissions target system unavailable invalid observable format solution validate action parameters before execution check system connectivity verify permissions review error messages for specific issues example // invalid action { "action" "ban" // should be "block" or "unblock" } // valid action { "action" "block" } issue 5 data type mismatches symptom numbers passed as strings, dates in wrong format causes data source provides 
wrong types missing type conversion schema expects specific format solution convert data types before transformation use transformation functions for type conversion validate data types match schema example // before (may fail) { "alert" { "alert risk score" "85" // string } } // after (correct) { "alert" { "alert risk score" 85 // integer } } frequently asked questions where can i see a list of available interfaces that i can use? currently, the only way to view the list of available interfaces would be through the component builder in turbine canvas you can select a component or create a new one, go to the "data" tab in the side panel, and use the dropdown there to view the list of supported interfaces can i create my own interfaces? no, currently you can only use the available interfaces that swimlane provides custom interface creation is on the roadmap as a future feature enhancement how do i know which interface to use for my component? choose an interface that matches your component's purpose ingestion components use interfaces that end with "to none" (such as "alert to none") enrichment components use interfaces like "simple observable to enrichment" transformation components use interfaces that transform one data type to another (such as "email to email") remediation components use remediation action interfaces (such as "block/unblock observable remediation action") what happens if i do not use an interface? you can still create components without applying an interface however, you will need to manually configure inputs and outputs, and the component will not benefit from standardization or easy swapping with other components that use the same interface can i use multiple interfaces on the same component? no, each component can only have one interface applied to it the interface defines both the input and output schemas for that component references https //json schema org/ https //attack mitre org/
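The pre-transformation check that the best practices and Issues 1 and 5 above call for, as an added Python example (not Swimlane's or Turbine's own code): a small validator for the JSON Schema keywords the interface docs rely on (`type`, `required`, `properties`, `additionalProperties`, `enum`, `items`) plus a coercion step that turns numeric strings into the integers the schema expects. The two schemas, the sample payloads, and every enum value other than the page's own "malicious", "suspicious" and "high" are constructed here, and snake_case field names are assumed.

```python
# Added example (not Swimlane's code): a small validate-then-coerce step for
# interface payloads. Schemas below are constructed from the observable and alert
# objects on this page (snake_case field names assumed, trimmed to a few fields).
from typing import Any

JSON_TYPES = {"object": dict, "array": list, "string": str,
              "integer": int, "number": (int, float), "boolean": bool}

# additionalProperties=false makes the wrong field names from Issue 1 show up
# as errors instead of being silently ignored.
OBSERVABLE_INPUT_SCHEMA = {
    "type": "object", "required": ["observable"],
    "properties": {"observable": {
        "type": "object", "additionalProperties": False,
        "required": ["observable_type", "observable_value"],
        "properties": {
            "observable_type": {"type": "string", "enum": ["ip", "domain", "url", "hash"]},  # enum assumed
            "observable_value": {"type": "string"},
            "observable_primary_verdict": {"type": "string", "enum": ["malicious", "suspicious"]},
        },
    }},
}

# alert_risk_score is an integer in the alert object, the type Issue 5 trips over.
ALERT_INPUT_SCHEMA = {
    "type": "object", "required": ["alert"],
    "properties": {"alert": {
        "type": "object", "required": ["alert_uid", "alert_title", "alert_severity"],
        "properties": {
            "alert_uid": {"type": "string"},
            "alert_title": {"type": "string"},
            "alert_severity": {"type": "string", "enum": ["critical", "high", "medium", "low"]},  # assumed
            "alert_risk_score": {"type": "integer"},
            "observables": {"type": "array", "items": {"type": "object"}},
        },
    }},
}


def _is_type(value: Any, expected: str) -> bool:
    # bool is a subclass of int in Python; JSON Schema keeps them distinct.
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, JSON_TYPES[expected])


def validate(instance: Any, schema: dict, path: str = "$") -> list[str]:
    """Return every problem found; an empty list means the payload passes."""
    expected = schema.get("type")
    if expected and not _is_type(instance, expected):
        return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    errors: list[str] = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not one of {schema['enum']}")
    if expected == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required field is missing")
        for key, value in instance.items():
            if key in props:
                errors.extend(validate(value, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: field is not in the schema")
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def coerce_types(instance: Any, schema: dict) -> Any:
    """Turn numeric strings into the integer the schema expects (Issue 5).
    Anything that cannot be converted is left alone so validate() reports it."""
    expected = schema.get("type")
    if expected == "integer" and isinstance(instance, str) and instance.strip().lstrip("-").isdigit():
        return int(instance)
    if expected == "object" and isinstance(instance, dict):
        props = schema.get("properties", {})
        return {k: (coerce_types(v, props[k]) if k in props else v) for k, v in instance.items()}
    if expected == "array" and isinstance(instance, list) and "items" in schema:
        return [coerce_types(v, schema["items"]) for v in instance]
    return instance


def check_before_transform(payload: dict, schema: dict) -> tuple[dict, list[str]]:
    """Coerce first, then validate: the pre-transformation check the best practices call for."""
    fixed = coerce_types(payload, schema)
    return fixed, validate(fixed, schema)


# Constructed samples mirroring the before/after pairs in Issues 1 and 5.
BAD_OBSERVABLE = {"observable": {"type": "ip", "value": "192.168.1.1"}}
GOOD_OBSERVABLE = {"observable": {"observable_type": "ip", "observable_value": "192.168.1.1"}}
STRING_SCORE_ALERT = {"alert": {"alert_uid": "alert-1", "alert_title": "Threat detected",
                                "alert_severity": "high", "alert_risk_score": "85"}}
```

`validate()` collects every problem rather than stopping at the first, which is what you want when an automated workflow logs a rejected payload: the wrong-field-name case from Issue 1 reports both the missing required fields and the unexpected extra ones in one pass. `coerce_types()` returns a new structure and never guesses at a value it cannot convert, so a bad value still reaches `validate()` and is reported instead of being silently dropped.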
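Retry with exponential backoff for the timeout failures under Issue 2, as an added Python example (not Swimlane's or Turbine's own code). `FlakyEnricher` is a constructed stand-in for an external threat-intelligence call that times out a set number of times before answering; the `sleep` and `rng` parameters are injectable only so the policy can be exercised deterministically.

```python
# Added example (not Swimlane's code): retry with exponential backoff and jitter
# around a transformation step, for the timeout failures described in Issue 2.
# The enrichment call is a constructed stand-in for an external threat-intel API.
import random
import time
from typing import Callable, TypeVar

T = TypeVar("T")


def retry_with_backoff(operation: Callable[[], T], *, attempts: int = 4,
                       base_delay: float = 0.5, max_delay: float = 8.0,
                       retry_on: tuple = (TimeoutError,),
                       sleep: Callable[[float], None] = time.sleep,
                       rng: Callable[[], float] = random.random) -> T:
    """Run operation() up to `attempts` times, waiting between tries.

    The wait doubles on each retry (base_delay * 2**n), is capped at max_delay,
    and is scaled by a random factor in [0, 1) so that many playbooks retrying
    the same provider do not hit it in lockstep. Errors outside retry_on (for
    example an invalid action parameter, Issue 4) are raised immediately,
    because repeating them would only repeat the same failure.
    """
    if attempts < 1:
        raise ValueError("attempts must be at least 1")
    for attempt in range(attempts):
        try:
            return operation()
        except retry_on:
            if attempt == attempts - 1:
                raise  # retry budget exhausted: surface the last timeout
            delay = min(max_delay, base_delay * (2 ** attempt)) * rng()
            sleep(delay)
    raise RuntimeError("unreachable")


class FlakyEnricher:
    """Constructed stand-in: times out `failures` times, then answers."""

    def __init__(self, failures: int) -> None:
        self.failures = failures
        self.calls = 0

    def enrich(self, observable: dict) -> dict:
        self.calls += 1
        if self.calls <= self.failures:
            raise TimeoutError("provider did not answer within the timeout")
        return {"observable": observable,
                "enrichment": {"enrichment_type": "reputation",
                               "enrichment_provider": "constructed-provider",
                               "enrichment_verdict": "suspicious"}}


def enrich_with_retry(enricher: FlakyEnricher, observable: dict, **policy) -> dict:
    """Wrap a single enrichment call in the retry policy."""
    return retry_with_backoff(lambda: enricher.enrich(observable), **policy)
```

The `retry_on` tuple is deliberately narrow: only the transient failure (a timeout) is retried, while a permission error or an invalid action parameter propagates on the first attempt so the playbook surfaces it instead of burning its retry budget on a request that can never succeed.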