3.3.5.1.Script Test Use Case
scenario test script action rowan is an orchestrator who wants to map static and playbook property data to the script native action inputs so that he can reference this data in the python script and test the inputs to see the results before continuing to build the playbook he also wants to see if there are any discovered outputs in addition to the original outputs first, rowan adds his webhook trigger, so the webhook property data is available downstream in the playbook let's see how he sets up the script native action to see if there are discovered outputs and testing https //docs swimlane com/discovered outputs and testing steps to configure the script native action click the action drop down menu, select script , and enter a title for the action click configure to open the script configuration window this window displays three tabs script , outputs , and test note to ensure proper testing, verify that your script has valid inputs and a valid output structure this avoids errors in the next steps from the script tab, click add property and select string enter the value " hello " for this property tip you can add multiple input types (e g , strings, numbers, objects) to test various scenarios add another property of type object rename the properties as string test and object test1 for easier identification inside the object property, click add property again and select string name this inner string property string 2 in the script pane, enter the script navigate to the test tab this allows you to test the script before finalizing the action if there are any discovered outputs https //docs swimlane com/discovered outputs and testing (outputs automatically generated but not initially visible), click the checkbox next to the discovered outputs to include them for downstream actions important discovered outputs can be added for further use in the playbook review discovered outputs thoroughly to avoid missing important properties advanced script usage rowan also wants to know how to handle complex data or troubleshoot script errors in the process hereβs how he can handle more advanced use cases error handling always validate the input data using conditional statements for example, check if a required field exists before processing it if "required field" in action inputs process data = action inputs\["required field"] else process data = "default value" handle exceptions within the script to ensure smooth playbook execution try result = complex calculation(action inputs) except exception as e result = f"error {str(e)}" script flexibility the script can support complex python logic, including loops, conditionals, and data transformation functions rowan can use these features to build more advanced scripts example loop through an array of objects for item in action inputs get("object test1", \[]) print(item\["string 2"]) example perform a transformation on string data action outputs\["upper case string"] = action inputs\["string test"] upper() conclusion rowan successfully tested his script, verified discovered outputs, and now has the flexibility to handle more complex data manipulation using python scripts by validating the inputs and checking discovered outputs, he can confidently use this script in downstream actions within the playbook
3.3.5.2.Variables Use Case
variables support turbine orchestrators by allowing them to collect data, store it, and use it in downstream actions using the create variables and update variables native actions allows orchestrators to create and/or update variables without writing code, add the variable, and apply properties from the playbook scenario vanessa is an analyst who wants to use the get emails action in turbine to retrieve email data her co worker max has also created a playbook to get email results; however, max had more time and used jsonata in the transform data native action, under the advanced transformation feature, to get the results he wanted vanessa needs a faster, simpler way to get microsoft emails to pass downstream into her playbook using the create variables native action gives vanessa the ability to produce the same outcome, but easier and quicker steps vanessa starts by creating a minutely cron trigger in her playbook next, she visits the swimlane content page to use the microsoft graphapi get emails component for the fastest configuration tip the cron trigger helps automate the process, ensuring that the playbook runs at a set interval from the swimlane content home page, enter microsoft graphapi get emails into the search bar the component opens with an overview vanessa clicks the install button to start the import process the window displays a breakdown of the component's playbooks, connectors, and assets however, vanessa notices that she needs to import three connectors first microsoft graphapi, sos network activity events p1, and jsonata vanessa installs the necessary connectors and then creates the microsoft graph api asset next, she adds the get emails action to her playbook on the inputs tab of the get emails action, vanessa enters her email address in the outputs tab, she promotes the entire object result, allowing her to access all email data downstream in the playbook vanessa now needs to create variables to store specific parts of the email data she adds a new action in the success flow vanessa adds the create variables native action to the success flow and clicks configure she clicks add variable and selects object as the property type she names the object object header and then clicks the + icon to add a playbook property value she selects response headers from the get emails action output, as she wants to pass the header information along for later use vanessa clicks add variable again, selecting json body from the property drawer to store the email content this ensures that she captures both the header and body of the email for future actions vanessa realizes she needs to modify some of the variables to do this, she adds another success flow action, selecting update variables from the list of native actions clicking select variable to update , she chooses object header in the action window, she clicks the + icon and selects the get emails action again, this time choosing the date sub property from the response headers once satisfied, vanessa clicks apply to save the update she then adds a broadcast message action to her playbook, configuring it to send a message to a specific slack channel with the email results error handling vanessa also wants to ensure that if the email retrieval fails, an error message is logged, and her team is notified to do this, she adds an on failure action to her playbook add an on failure flow by clicking the plus icon on the get emails action select the log message action to log the failure details add a send message action to notify the team in slack of the error, including details of the failure for debugging conclusion her work is complete! the playbook executes by retrieving emails and forwarding the response header dates and json body from the retrieved emails to the slack channel she provided quick and easy, vanessa did not have to spend extra time entering complex json expressions to get the data she needed additionally, she ensured her playbook handles errors gracefully by logging and notifying her team in case of failures
3.3.6.Transform Data Use Cases
3.3.6.1.Transform Data Action - Use Cases
the turbine transform data native action can create a myriad of transformations making changes to date and time in a playbook is often used, and this page provides use cases for different actions for transforming date and time using the transform data action jsonata https //docs jsonata org/date time functions is used for these actions get date and time if you configure the first row, click transform again , and select get date/time , there are new configuration options available get date/time configuration transform block options get date/time note when from is set to "current time", the in field is not required and will be hidden scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen 90 days before the first sighting with the transform data action, you can automate this task to get a date/time and subtract 90 days on the first row, select get date/time from the from drop down, select playbook data or current time if using playbook data, select the property containing the date/time in the in field configure the format and timezone as needed click transform again on the then row, select adjust date/time from the by drop down menu, select subtracting enter 90 in the amount field from the unit of measure drop down menu, select days adjust date and time common date and time data transformation methods are supported in playbooks, which can be run against playbook inputs, in scope action output properties, or static values, including to and from iso 8601 unix (seconds) unix (milliseconds) sql custom formatting https //moment github io/luxon/#/parsing?id=table of tokensxpath picture string format https //www w3 org/tr/xpath functions 31/#date picture string transform block options adjust date/time note adjust date/time operates on iso 8601 date/time values or unix epochs the result is always returned in iso 8601 format scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen 90 days before the first sighting with the transform data action, you can automate this task to get a date/time and subtract 90 days on the first row, select get date/time to obtain the initial timestamp click transform again on the then row, select adjust date/time from the by drop down menu, select subtracting enter 90 in the amount field from the unit of measure drop down menu, select days output the date/time adjusted by subtracting 90 days, returned in iso 8601 format set time zone after configuring the first row, click transform again , and select set time zone new fields and options are available on the then row set date/time configuration transform block options set time zone note set time zone adjusts the underlying date/time to reflect the new timezone if you need to add timezone information without changing the actual time, use append time zone instead scenario after identifying malicious urls, you want to scan your environment for any other iocs that may be in a specific time zone on the first row, select get date/time to obtain the initial timestamp click transform again on the then row, select set time zone from the time zone drop down menu, select the desired time zone (e g , america/chicago, utc, europe/london) output the date/time converted to the specified time zone in iso 8601 format convert date and time after configuring the first row, click transform again , and select convert date/time new fields and options are available on the then row convert date/time configuration transform block options convert date/time note convert date/time can convert between various date/time formats the input date/time must be in iso 8601 format or a unix epoch scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen starting on a particular month, date, and year before the first sighting on the first row, select get date/time to obtain the initial timestamp click transform again on the then row, select convert date/time from the to drop down, select custom in the custom format string field, enter the format pattern mm/dd/yyyy (for mm/dd/yyyy format) output the date/time converted to the custom format (e g , "08/26/2025") contains the contains transformation checks if a string contains at least one occurrence of a search term the transformation options are scenario after gathering information from different sources, you want to verify if a particular keyword (e g , "malicious") is present in a text field on the first drop down, select contains in the in field, select the playbook property containing the text in the string field, enter the keyword (e g , "malicious") in the with drop down, select no case sensitivity to perform a case insensitive search contains transformation configuration output returns true if "malicious" is found in the text (regardless of case), false otherwise replace the replace transformation finds occurrences of a search term in a string and replaces each occurrence with another string the transformation options are scenario you need to normalize ip addresses in logs by replacing occurrences of "192 168" with "10 0" on the first drop down, select replace in the in field, select the playbook property containing the text in the find field, enter "192 168" in the replace with field, enter "10 0" in the with drop down, select no case sensitivity to perform a case insensitive replacement replace transformation configuration output all occurrences of "192 168" (case insensitive) are replaced with "10 0" in the input string match the match transformation finds occurrences of a search term in a string and returns an array of all indices where the search term is located the transformation options are scenario to locate specific email addresses from text logs, match the pattern of an email address format on the first row, select match in the in field, select the text field containing the logs in the string field, enter the search term or pattern for exact string matching, enter the string directly (e g , "@example com") in the with drop down, select no case sensitivity to perform a case insensitive search note for regex pattern matching to extract email addresses, use the regex match transformation instead, which supports regular expression patterns match transformation configuration output returns an array of indices where the search term appears in the string (e g , \[25, 67, 142] ) from csv the from csv transformation parses a csv string into an array of objects (if headers are included) or an array of arrays the transformation options are scenario you have a csv string containing user information ("name, email, department") and want to parse it into separate fields on the first drop down, select from csv in the in field, choose the property containing the csv data (or enter the csv string directly) in the with header drop down, select yes if the first line contains column headers, or no if headers are not included from csv transformation configuration example input (with headers) output (with headers = yes) output (with headers = no) additional use cases parsing json strings when working with json data from record triggers, record searches, or http responses, the data often arrives as a string use parse json to convert it to a javascript object before extracting properties scenario extract user information from a json string returned by an api on the first row, select parse json in the in field, select the property containing the json string click transform again on the then row, select extract property provide a jsonata path to extract the desired field (e g , user email or $ data items\[0] name ) filtering arrays use filter or filter by to extract specific items from arrays based on criteria scenario filter an array of users to include only those with a specific status on the first row, select filter by provide the jsonata path to the property to filter on (e g , status ) enter the filter value (e g , "active" ) output an array containing only objects where the specified property matches the filter value combining data use prepend to combine arrays or prepend values to arrays scenario combine two arrays of iocs into a single array on the first row, select prepend provide the first array or value provide the second array or value to prepend output a new array containing the prepended values followed by the original values best practices start with get date/time when working with dates, always start with get date/time in the first row to establish a base timestamp chain transformations use then rows to chain multiple transformations together, building complex transformations from simple operations parse json first when working with json strings, always use parse json as the first transformation before extracting properties test incrementally test each transformation step to ensure accuracy before adding subsequent transformations use appropriate filters choose filter for simple value matching or filter by for filtering objects by property values related documentation for more information on available transformations, see using the transform data native action # for advanced transformation capabilities using jsonata expressions, see advanced transformations #
3.3.6.2.Webhook Discovered Outputs
scenario eli is an orchestrator who wants to test and preview outputs from a webhook event before configuring and saving the rest of his playbook luckily, as an orchestrator, eli knows that testing a webhook event is like testing discovered output and testing https //docs swimlane com/discovered outputs and testing let's watch how he tests his webhook event! eli has already created his playbook and added a webhook trigger after giving the webhook a name and generating the url, he's ready to configure click configure the webhook events, outputs, and map to playbook inputs tabs are available eli checks the output tabs to see the original outputs for the webhook but he wants to test for any additional outputs that might not be being pulled to do this, he needs to test the webhook click test next to the url and view the result pane at the bottom of the window the results display, but eli wants to know which outputs were discovered that were not part of the original event outputs since eli already reviewed and understands what discovered output and testing https //docs swimlane com/discovered outputs and testing are, he is ready to add the discovered outputs click the check mark next to any discovered outputs to add them to the action's outputs conclusion these are now available for eli to apply downstream and as he builds the playbook