
Transformers

Transformers can modify, enrich, or drop events before they are persisted and printed.

Where transformers run

Transformers run inside the dispatcher pipeline for detection events:

transform → persist → (optional filter) → print

Flow events are not transformed today, and profile events are printed directly.

What a transformer can do

A transformer can:

  • Update fields on the event (e.g. score, metadata, background).
  • Return a new event instance.
  • Drop an event by returning nil (the dispatcher will stop processing it).

Failure behavior

If a transformer returns an error or nil, the dispatcher stops processing that event.
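The chain semantics described above, modeled in Go as an added example; it is not Jibril's own code or API. `Event`, `Transformer`, `Dispatcher`, `scoring` and the event kinds are hypothetical names, and the model counts drops and failures separately so that events lost to a failing transformer stay visible.

```go
package main

import "fmt"

// Hypothetical types (assumptions, not Jibril's API). A Transformer returns
// the event to pass on, nil to drop it, or an error.
type Event struct{ Kind string; Score int }
type Transformer func(*Event) (*Event, error)

// Dispatcher models transform -> persist -> print for detection events.
type Dispatcher struct {
	Chain           []Transformer
	Persisted       []*Event // stands in for the persist and print stages
	Dropped, Failed int      // counted apart so failures stay visible
}

// Dispatch stops at the first nil or error, before the event is persisted.
func (d *Dispatcher) Dispatch(ev *Event) (err error) {
	for _, t := range d.Chain {
		if ev, err = t(ev); err != nil {
			d.Failed++
			return err
		}
		if ev == nil {
			d.Dropped++
			return nil
		}
	}
	d.Persisted = append(d.Persisted, ev)
	return nil
}

// scoring is a sample transformer: error, drop, or a new scored instance.
func scoring(e *Event) (*Event, error) {
	switch e.Kind {
	case "":
		return nil, fmt.Errorf("event without kind")
	case "noise": // constructed kind
		return nil, nil
	}
	return &Event{Kind: e.Kind, Score: 80}, nil
}

func main() {
	d := &Dispatcher{Chain: []Transformer{scoring}}
	for _, k := range []string{"exec_from_tmp", "noise", ""} { // constructed kinds
		fmt.Println(d.Dispatch(&Event{Kind: k}), len(d.Persisted), d.Dropped, d.Failed)
	}
}
```

In this model an event that hits a transformer error never reaches the persist stage, so a nonzero `Failed` count means detection events are missing from storage and output.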

Built-in transformer chain: scoring

Jibril includes a scoring transformer chain (scoring) intended to evolve into an event scoring/enrichment stage.

Configuration

Enable the feature and turn on the scoring chain:

```yaml
features:
  - transformers

feature_options:
  transformers:
    scoring: true
```

Notes

  • Transformers are disabled by default.
  • Some transformers may require persisters to be enabled (e.g. to query prior events).